scan-for-secrets 0.3 ships a redaction workflow. The new -r/--redact flag scans a file, surfaces matches, asks for confirmation, then overwrites every hit with the string REDACTED, handling escape sequences correctly in the process.
The release also exposes a Python function directly: redact_file(file_path: str | Path, secrets: list[str], replacement: str = 'REDACTED') -> int. That integer return value and the typed signature tell you this is built to be composed into larger pipelines, not just run from a terminal.
The confirmation step before rewriting is the detail worth dwelling on. It defines what this tool is: not a silent scrubber, but an auditable one. That design choice has consequences for how you integrate it into CI or pre-commit hooks.
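The redact_file contract and its use in an unattended job, as an added example that is not scan-for-secrets' own code: a local stand-in with the signature quoted above and no confirmation prompt. The set of escaped forms it covers (raw plus JSON-escaped), the helper escaped_variants, and the sample secret and file are assumptions made for illustration.

```python
from __future__ import annotations

import json
import tempfile
from pathlib import Path

SAMPLE_SECRET = 'tok"en\\123'  # constructed value containing a quote and a backslash


def escaped_variants(secret: str) -> list[str]:
    """Raw secret plus its JSON-escaped form (assumed variant set), longest first."""
    variants = {secret, json.dumps(secret)[1:-1]}  # [1:-1] drops the JSON quotes
    return sorted(variants, key=len, reverse=True)


def redact_file(file_path: str | Path, secrets: list[str],
                replacement: str = "REDACTED") -> int:
    """Stand-in for the quoted signature: rewrite the file, return the hit count."""
    path = Path(file_path)
    text = path.read_text(encoding="utf-8")
    total = 0
    for secret in secrets:
        if not secret:
            continue  # an empty string would match at every position
        for variant in escaped_variants(secret):
            hits = text.count(variant)
            if hits:
                text = text.replace(variant, replacement)
                total += hits
    if total:
        path.write_text(text, encoding="utf-8")  # only touch the file on a hit
    return total


def demo() -> tuple[int, int, str]:
    """Redact a constructed file twice; the second pass should find nothing."""
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / "app.log"
        raw_line = f"API_KEY={SAMPLE_SECRET}\n"
        json_line = json.dumps({"api_key": SAMPLE_SECRET}) + "\n"
        path.write_text(raw_line + json_line, encoding="utf-8")
        first = redact_file(path, [SAMPLE_SECRET])
        second = redact_file(path, [SAMPLE_SECRET])
        return first, second, path.read_text(encoding="utf-8")


if __name__ == "__main__":
    print(demo())
```

In a CI or pre-commit job the integer can act as the gate: a nonzero count means a secret reached the file and the run should fail or be reviewed.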