Open-Source · Production-Ready · Zero Dependencies

Stop Leaking API Keys
to Cloud Log Aggregators.

Intercept, detect, and redact sensitive credentials in real-time within your infrastructure. A production-grade, zero-dependency sidecar engine clocking 30,000+ lines per second.

Get Started (1-Min Setup) View Source on GitHub

OpSecGuard — Live Scan

2026-05-28 14:22:01 INFO User admin logged in from 192.168.1.42

2026-05-28 14:22:03 ERROR OpenAI init failed with key [REDACTED_OPENAI_KEY]

2026-05-28 14:22:05 WARN DB connection: mongodb://admin:[REDACTED_PASSWORD]@db.prod.com:27017/app

2026-05-28 14:22:06 DEBUG Stripe payment: [REDACTED_STRIPE_LIVE_KEY]

2026-05-28 14:22:08 INFO GitHub sync with token [REDACTED_GITHUB_TOKEN]

✓ 4 secrets redacted · Scan time: 0.245ms · Zero leaks shipped

Performance

Live Stress-Test Benchmarks

Real-world execution results from a 50,000-line stress test with Shannon Entropy fully enabled. Not synthetic. Not theoretical. Measured on production-class hardware.

⚡

0 lines/sec

Throughput

With entropy scanning active

📊

0ms

P50 Latency

Median batch processing time

🔥

0ms

P99 Latency

Worst-case under max load

📦

0 lines

Stress-Test Volume

Processed in 1.65 seconds flat

Why Synchronous Process-Level Architecture Wins

Python's GIL makes threading counterproductive for CPU-bound regex work. Here's why OpSecGuard's architecture is fundamentally faster.

OpSecGuard ✅ Winner

Synchronous sequential loop — zero context-switch overhead
Process-level parallelism via Uvicorn workers
Each process owns its own GIL — true multi-core execution
Standard def endpoint keeps event loop free
Pre-compiled regex — zero per-request cost

Traditional Async/Threaded ❌ Slower

Thread pool + GIL contention = wasted CPU cycles
Context switching overhead degrades throughput
async def blocks the event loop on CPU work
Shared GIL means no true parallelism regardless
Re-compiled regex per request wastes cycles

Capabilities

Enterprise-Grade Security Primitives

Purpose-built for DevSecOps teams who can't afford credential leaks reaching Datadog, Splunk, or CloudWatch.

⚙️

Pre-compiled Regex Engine

Zero per-request compilation cost. All 10+ detector patterns are compiled at process startup and run native C-level loops via Python's re module. Bounded quantifiers prevent ReDoS attacks.

O(n) Matching ReDoS-Safe

🔒

Isolated Credential Redaction

Smart group-capture parsing that isolates only the password component in MongoDB and PostgreSQL URIs, while keeping host, port, and connection parameters visible for debugging.

Smart Parsing URI-Aware

🧮

Feature-Flagged Entropy

Optional Shannon Entropy scanning to catch non-deterministic randomized tokens and high-entropy secret strings that evade deterministic regex patterns. Gated by ENABLE_ENTROPY flag.

Shannon Entropy Configurable

🏗️

GIL Protection Architecture

Standard synchronous def endpoint handling designed to pass heavy CPU lifting smoothly into FastAPI's external thread pool, keeping the main event loop entirely free for concurrent connections.

Event-Loop Safe Multi-Worker

What It Catches

🔑 OpenAI Keys

☁️ AWS Access Keys

☁️ AWS Secret Keys

💳 Stripe Live Keys

💳 Stripe Test Keys

🐙 GitHub Tokens

🎫 Bearer Tokens

🍃 MongoDB URIs

🐘 PostgreSQL URIs

🔐 Private Keys

🎲 High-Entropy Strings

Quick Start

1-Line Docker Setup

From zero to scanning in under 60 seconds. No config files, no build steps, no dependencies.

                            
bash

                        docker run -d -p 8000:8000 -e ENABLE_ENTROPY=True csfasih/opsecguard-api

Pull & Run

Single Docker command pulls the image and starts the scanner on port 8000.

Point Your Logs

Route your application logs to POST /v1/scan/batch or connect via WebSocket at /v1/scan/stream.

Ship Clean Logs

Forward the sanitized output to Datadog, Splunk, or CloudWatch — zero secrets leaked.

Stop Leaking API Keys to Cloud Log Aggregators.