BluBracket open-sources secret, PII, and non-inclusive language scanning tools for S3 objects, Confluence wiki pages, and more…

Enormous volumes of data from private repos, internal chats, private S3 buckets, databases, internal docs, and more have all been exposed recently. For us, the problem is clear: the only safe place to hide a secret is in an encrypted vault. 

Our core product is the market leader in securing internal code supply chains—including eliminating secrets, PII, and non-inclusive language—but we’ve also developed numerous solutions to identify and eliminate risks across the company in all the tools we use from our S3 storage to our Confluence wiki pages. Today we are open-sourcing these solutions in the hope that we can help improve security for all.

What are these solutions?

We’re calling them recipes because some assembly is required. They’re in public repos at, and the initial launch includes solutions to find secrets, PII, and non-inclusive language in:

  1. S3 buckets
  2. Logs
  3. Confluence wiki pages

These open-source recipes are not full products, but they do represent how we monitor these services and tools internally.

Who are they for?

The open-source recipes are intended for anybody who wants to secure the services they or their company uses from risks in the content, including secrets, PII, and non-inclusive language.

However, some assembly is required. Some experience with common developer tools and cloud operations is likely required to leverage them. But we’re also eager to hear any suggestions for how they can be improved or made easier to use. Please open issues on GitHub.

How do they work?

The recipes use our BluBracket CLI tool, a small component that does the secret, PII, and non-inclusive language scanning. The CLI tool itself is not open-source.

The open-source recipes extend the CLI tool with functionality and convenience specific to their purpose, whether it’s iterating through a few hundred terabytes of content in S3 or scanning every document in Confluence.

Each repo includes a readme and more specific detail about the installation and usage of the specific recipe.

Are they secure?

We’ve done everything we can to build these with security by default, but you’re in control of how and where they work. 

At the core of these solutions, the BluBracket CLI tool does all its processing locally—wherever you run it. That means it never sends any of your content to our servers, making it both faster and more secure than solutions that send your secrets to an API to be scanned.

Why is BluBracket open-sourcing these solutions?

We’re on a mission to improve security by eliminating secrets and other risks unprotected across most companies’ code, communications, and other tools. It’s not enough just to scan code when every company leaves footprints in so many places.

These are the solutions we use, and we hope you will find value in them too. Most importantly, we hope everybody can use them to eliminate secrets and PII in code as a risk vector that has been driving accelerated attacks.

What’s the catch?

These tools are offered for free and without any warranty. Please report any bugs using GitHub tickets, and review discussions there. We’ll be there, but there’s no SLA for support. We’re also eager to see your pull requests or hear your suggestions for new recipes (contact me on Twitter and I’d be happy to help!)

We welcome paid customers to reach out to the customer success team with any issues.

Where are these solutions?

We’re launching them on GitHub at We’re cleaning up and launching each recipe when it’s ready. The first few include:

What’s the difference compared to BluBracket’s SaaS offerings?

BluBracket’s SaaS tools are optimized around driving continuous improvements in code security throughout the development pipeline. In that context, detection is the easy part. Our full suite of tools identify risks in the code pipeline so that developers can eliminate them before they get into repos, and provide solutions to understand, prioritize, and close the loop on risks already in the codebase. The open source solutions introduced here solve problems that don’t fit into that workflow.

Additionally, the detection and processing done by our SaaS tools includes a number of features and capabilities not available in the standalone CLI tool:

  • Activeness detection of found secrets
  • Severity ranking
  • Improved false-positive rejection based on repo context
  • AI/ML-enhanced detection and ranking

Share this post!