Trestle
БесплатноНе проверенDetects leaked secrets (API keys, tokens, private keys) in source code.
Описание
Detects leaked secrets (API keys, tokens, private keys) in source code.
README
A local secret scanner for source code. Trestle finds API keys, access tokens, passwords, private keys, and certificates before commiting them by mistake, and keeps them from leaving your machine.
This is the Community edition. Open source under Apache-2.0, and a mirror of the version distributed at trestlescan.com.
What Trestle does
- Detection. Hundreds of credential patterns from real services (OpenAI, Anthropic, Stripe, AWS, GitHub, Google, Slack, Sentry, and more), plus unfamiliar keys spotted by entropy, variable names, and surrounding code.
- Code-aware. Trestle parses your files instead of running plain regular expressions, so it can tell an environment variable from a build argument, a header, a parameter, or a constant in source.
- Runs everywhere you work. Command line scanner, file watcher, pre-commit hook, language server for LSP-aware editors (Neovim, Helix, Zed, JetBrains), MCP server for AI assistants (Claude Code, Cursor, Copilot, Codex), and a native VS Code extension.
- Local only. Runs entirely on your machine. No network, no telemetry, no account, no signup.
- One static binary. No runtime to install, multi-threaded, and honors
.gitignoreand your own skip rules.
Building from source
A recent stable Rust toolchain is the only prerequisite.
cargo build --release
This builds two binaries: trestle, which does not make network requests, and
trestle-net, which can check whether found secrets are still live.
Quick start
In any project directory:
trestle install # adds a pre-commit hook and AI instructions
trestle scan # scans the current directory
Other commands:
trestle watchkeeps scanning as files change.trestle lspstarts the language server.trestle mcpstarts the MCP server.trestle uninstallremoves the integration from a project.
Checking whether a secret is live
The default trestle binary does not make network requests. The separate
trestle-net binary adds an optional check that contacts each detected
secret's provider to confirm whether the credential is still valid:
trestle-net scan --validate
Each finding is then labeled (active), (inactive), or (could not verify). This check runs only in trestle-net, so the trestle binary
remains fully offline.
The full documentation is available at trestlescan.com/documentation.
GitHub Action
Use the official GitHub Action to scan every push and pull request:
name: Secret scan
on:
push:
pull_request:
jobs:
trestle:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: toro-guapo/trestle-action@v1
See toro-guapo/trestle-action for inputs, outputs, SARIF upload to the GitHub Security tab, and supported runners.
Community and Pro
Trestle is open core.
- Community (this repository) handles detection. Every finding is reported with its location and the rule that flagged it. Apache-2.0 licensed.
- Pro adds remediation guidance: for each finding, the steps to remove the
secret from source, what to keep in your local
.env, and per-platform rotation guides for AWS, GitHub Actions, Vercel, Netlify, Kubernetes, Doppler, and other targets. Distributed under a commercial license.
Pro is available at trestlescan.com.
About this repository
This is a read-only mirror, refreshed on every Community release. Development happens in a private repository.
Issues and discussion are welcome on GitHub. Pull requests are not accepted through this mirror. If you have a fix or an idea, please open an issue.
License
Apache License 2.0. See LICENSE.
Установить Trestle в Claude Desktop, Claude Code, Cursor
unyly install trestleСтавит в Claude Desktop, Claude Code, Cursor и VS Code — сам разбирается с npx, uvx и сборкой из исходников.
Впервые? Поставь CLI: curl -fsSL https://unyly.org/install | sh
Или настроить вручную
Выполни в терминале:
claude mcp add trestle -- npx -y @trestlescan/mcpFAQ
Trestle MCP бесплатный?
Да, Trestle MCP бесплатный — установка в пару кликов через Unyly без оплаты.
Нужен ли API-ключ для Trestle?
Нет, Trestle работает без API-ключей и переменных окружения.
Trestle — hosted или self-hosted?
Self-hosted: сервер запускается локально на твоей машине командой из раздела установки.
Как установить Trestle в Claude Desktop, Claude Code или Cursor?
Открой Trestle на unyly.org, выбери вкладку своего клиента (Claude Desktop, Claude Code, Cursor) и нажми Install — конфиг сгенерируется автоматически, без правки JSON.
Похожие MCP
GitHub
PRs, issues, code search, CI status
автор: GitHubFilesystem
Secure file operations with configurable access controls.
Memory
Knowledge graph-based persistent memory system.
Template MCP Server
A CLI tool to create a new Model Context Protocol server project with TypeScript support, dual transport options, and an extensible structure
автор: mcpdotdirectCompare Trestle with
Не уверен что выбрать?
Найди свой стек за 60 секунд
Автор?
Embed-бейдж для README
Похожее
Все в категории development
