# Deep Scanning

Redactyl's deep scanning capabilities let you find secrets in build artifacts, not just source code.

## Archive Scanning

Scan zip, tar, and tgz files recursively:

```bash
redactyl scan --archives
```

Redactyl handles nested archives automatically. A secret in `release.zip::bundle.tar.gz::config/keys.json` will be found and reported with the full virtual path.

### Supported Formats

- `.zip` - ZIP archives
- `.tar` - Tar archives
- `.tar.gz` / `.tgz` - Gzipped tar archives
- `.gz` - Gzip compressed files
## Container Scanning

Scan Docker images and OCI containers:

```bash
# Scan local Docker images
redactyl scan --containers

# Scan a specific image tarball
redactyl scan image.tar

# Scan exported Docker image
docker save myapp:latest | redactyl scan --stdin
```

### What Gets Scanned

- All filesystem layers
- Environment variables in config
- Build arguments (if present in history)
- Entrypoint and CMD scripts

### Virtual Paths

Container findings show the layer digest and the path inside that layer (the trailing `:3` is the line number within the file):

```
image.tar::sha256:abc123/etc/app/.env:3
```

## Helm Chart Scanning

Scan Helm charts for secrets in values and templates:

```bash
# Scan all Helm charts in directory
redactyl scan --helm

# Scan specific chart
redactyl scan ./charts/myapp

# Scan packaged chart
redactyl scan myapp-1.0.0.tgz
```

### What Gets Scanned

- `values.yaml` - Default values
- `values-*.yaml` - Environment overrides
- `templates/*.yaml` - All templates
- `Chart.yaml` - Chart metadata
## Kubernetes Manifest Scanning

Scan Kubernetes YAML files:

```bash
redactyl scan --k8s
```

### Auto-Detection

Redactyl automatically detects Kubernetes resources:

- Secrets - Base64 decoded and scanned
- ConfigMaps - All data keys scanned
- Deployments/Pods - Environment variables scanned
- ServiceAccounts - Token references flagged

### Example Findings
```yaml
# This will be detected
apiVersion: v1
kind: Secret
metadata:
  name: api-credentials
data:
  api-key: QVdTX0FDQ0VTU19LRVk9QUtJQUlPU0ZPRE5ON0VYQU1QTEU=
```
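The auto-detection list above, worked through in code. This is an added example, not Redactyl's own implementation: it dispatches on `kind`, base64-decodes `Secret` `data` values before running detectors (the encoded form of the key in the manifest above never matches a plaintext detector, which is why decoding matters), scans `ConfigMap` data and inline container `env` literals, and flags `ServiceAccount` secret references. The manifests are constructed and embedded as JSON (which Kubernetes accepts alongside YAML, and which is what a YAML loader would yield) so the example runs without a YAML dependency; the detector regex and the finding layout are assumptions for the example.

```python
"""Kind-aware scan of Kubernetes manifests (added example, not Redactyl code)."""
import base64
import binascii
import json
import re

# Hypothetical detector: the documented AWS access key ID shape (AKIA + 16 chars).
DETECTORS = {"aws-access-key-id": re.compile(r"AKIA[0-9A-Z]{16}")}

# Constructed sample: the Secret from the docs plus a ConfigMap, a Deployment and a ServiceAccount.
SAMPLE_MANIFESTS_JSON = """[
  {"apiVersion": "v1", "kind": "Secret",
   "metadata": {"name": "api-credentials"},
   "data": {"api-key": "QVdTX0FDQ0VTU19LRVk9QUtJQUlPU0ZPRE5ON0VYQU1QTEU="}},
  {"apiVersion": "v1", "kind": "ConfigMap",
   "metadata": {"name": "app-config"},
   "data": {"LOG_LEVEL": "debug"}},
  {"apiVersion": "apps/v1", "kind": "Deployment",
   "metadata": {"name": "api"},
   "spec": {"template": {"spec": {"containers": [
     {"name": "api", "env": [
       {"name": "AWS_ACCESS_KEY_ID", "value": "AKIAIOSFODNN7EXAMPLE"},
       {"name": "DB_PASSWORD", "valueFrom": {"secretKeyRef": {"name": "db", "key": "password"}}}]}]}}}},
  {"apiVersion": "v1", "kind": "ServiceAccount",
   "metadata": {"name": "ci-runner"},
   "secrets": [{"name": "ci-runner-token-abcde"}]}
]"""


def _scan_text(path, location, text, findings):
    """Run every detector over one string and record a finding per hit."""
    for detector, pattern in DETECTORS.items():
        if pattern.search(text):
            findings.append({"file": path, "key": location, "detector": detector, "severity": "high"})


def decode_secret_value(value):
    """Secret `data` values are base64; return the decoded text, or None if not valid base64."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8", errors="replace")
    except (binascii.Error, ValueError):
        return None


def _pod_containers(doc):
    """Containers of a Pod, or of the pod template of a workload resource."""
    spec = doc.get("spec") or {}
    pod_spec = spec if doc.get("kind") == "Pod" else ((spec.get("template") or {}).get("spec") or {})
    return (pod_spec.get("containers") or []) + (pod_spec.get("initContainers") or [])


def scan_manifest(path, doc):
    """Dispatch on `kind` as the auto-detection list describes; return finding records."""
    kind = doc.get("kind")
    where = f"{kind}/{(doc.get('metadata') or {}).get('name')}"
    findings = []
    if kind == "Secret":
        for key, value in (doc.get("data") or {}).items():
            decoded = decode_secret_value(value)
            if decoded is not None:
                _scan_text(path, f"{where}:data.{key}", decoded, findings)
        for key, value in (doc.get("stringData") or {}).items():  # already plaintext
            _scan_text(path, f"{where}:stringData.{key}", str(value), findings)
    elif kind == "ConfigMap":
        for key, value in (doc.get("data") or {}).items():
            _scan_text(path, f"{where}:data.{key}", str(value), findings)
    elif kind in ("Pod", "Deployment", "StatefulSet", "DaemonSet", "ReplicaSet", "Job"):
        for container in _pod_containers(doc):
            for env in container.get("env") or []:
                if "value" in env:  # inline literal; valueFrom references carry no secret themselves
                    _scan_text(path, f"{where}:{container['name']}.env.{env['name']}", str(env["value"]), findings)
    elif kind == "ServiceAccount":
        for ref in doc.get("secrets") or []:
            findings.append({"file": path, "key": f"{where}:secrets[{ref.get('name')}]",
                             "detector": "serviceaccount-token-ref", "severity": "low"})
    return findings


def scan_manifests_json(path, text):
    """Scan one manifest or a JSON list of manifests read from `text`."""
    docs = json.loads(text)
    if isinstance(docs, dict):
        docs = [docs]
    findings = []
    for doc in docs:
        findings.extend(scan_manifest(path, doc))
    return findings


if __name__ == "__main__":
    for finding in scan_manifests_json("manifests.json", SAMPLE_MANIFESTS_JSON):
        print(json.dumps(finding))
```

Running the block reports the decoded Secret key, the inline Deployment environment literal, and the ServiceAccount token reference; the ConfigMap and the `valueFrom` reference produce nothing, which is the intended behaviour.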
## Combined Scanning

Scan everything at once:

```bash
redactyl scan --archives --containers --helm --k8s
```

Or use the shorthand:

```bash
redactyl scan --deep
```
## Performance

Deep scanning is optimized for speed:

| Artifact Type | Typical Speed |
|---|---|
| Helm chart (50 templates) | 2-5 ms |
| Container image (100 MB) | 100-200 ms |
| Archive throughput | 100-500 MB/s |
| YAML parsing | 8-10 MB/s |
## Memory Usage

Redactyl streams content without extracting to disk:

- Archives are scanned in-memory
- Container layers are streamed
- No temp files created

## Guardrails

Deep scanning respects guardrails:

```yaml
guardrails:
  # Maximum archive depth
  max_archive_depth: 5
  # Maximum file size to scan
  max_file_size: 100MB
  # Skip binary files
  skip_binary: true
```
## Output

Deep scan findings include full virtual paths:

```json
{
  "file": "myapp.tgz::templates/deployment.yaml",
  "line": 47,
  "detector": "aws-secret-key",
  "severity": "high"
}
```

This makes it easy to locate and fix secrets, even in deeply nested artifacts.