A powerful command-line tool written in Go that automatically scans your shell history files for sensitive information and obfuscates it to keep your data safe.
Shell history files are incredibly useful for daily work, but they can inadvertently store sensitive information such as:
- API keys and tokens
- Passwords and secrets
- Database connection strings
- Private keys
- Credit card numbers
- Authentication headers
history-sanitizer helps you maintain the utility of your history while protecting sensitive data.
- Smart Detection: Uses detection patterns from Gitleaks, an industry-leading, community-maintained secret scanner (15k+ stars)
- Colored Output: Clear, colored terminal output for easy reading
- Safe Obfuscation: Replaces sensitive data with redacted placeholders
- Non-Destructive: Creates a new sanitized file, preserving your original
- Multi-Shell Support: Works with bash, zsh, fish, and other shell history formats
- Fast & Efficient: Built with Go for speed and reliability
- Dry Run Mode: Preview changes before applying them
- Auto-Updated Patterns: Leverages Gitleaks' actively maintained detection rules
The tool uses detection patterns sourced from Gitleaks - a well-maintained, community-driven project. We've extracted and implemented 36 high-value patterns covering:
Cloud Providers & Services:
- AWS (Access Keys, Secret Keys, Session Tokens)
- Google Cloud (API Keys)
- Stripe, Heroku, Square API keys
Version Control:
- GitHub (Personal Access Tokens, App Tokens, OAuth tokens, Fine-Grained PATs)
Credentials & Secrets:
- Private Keys (RSA, EC, DSA, PGP, SSH)
- JWT Tokens
- Database connection strings (MongoDB, MySQL, PostgreSQL)
- Generic passwords, API keys, and secrets
Communication & Monitoring:
- Slack (Bot/App/User/Webhook tokens)
- SendGrid, MailChimp, Twilio API keys
- Datadog, PagerDuty tokens
Other:
- 1Password service tokens
- Environment variables with secrets
- Proxy URLs with passwords
The full Gitleaks config (200+ rules) is embedded for reference at pkg/scanner/gitleaks.toml.
We extract and implement Gitleaks' regex patterns directly because:
- Gitleaks patterns are open source and well-maintained by a large community
- Gitleaks CLI is designed as a standalone tool, not a Go library
- Direct pattern implementation is simpler and more maintainable
- Avoids 50+ transitive dependencies from the full Gitleaks package
- We get the same detection quality with full control over the implementation
Our implementation:
- Patterns defined in `pkg/scanner/patterns.toml` (extracted from Gitleaks)
- Full `gitleaks.toml` (95KB, 200+ rules) embedded for reference
- Easy to update by syncing with the official Gitleaks repository
With Homebrew:

```bash
brew tap arnac-io/tap
brew install history-sanitizer
```

From source:

```bash
git clone https://github.com/arnac-io/history-sanitizer.git
cd history-sanitizer
go build -o history-sanitizer
```

With `go install`:

```bash
go install github.com/arnac-io/history-sanitizer@latest
```

Scan and sanitize your default shell history (zsh):

```bash
./history-sanitizer
```

Scan a specific history file:

```bash
./history-sanitizer -f ~/.bash_history
```

See what would be changed without modifying any files:

```bash
./history-sanitizer --dry-run
```

Show detailed information about each finding:

```bash
./history-sanitizer -v
```

See all detection rules provided by Gitleaks:

```bash
./history-sanitizer list-rules
```

Write the sanitized output to a specific file:

```bash
./history-sanitizer -f ~/.bash_history -o ~/safe_history.txt
```

```bash
# Scan with dry run to see what will be found
./history-sanitizer -f ~/.zsh_history --dry-run -v
# If satisfied, run the actual sanitization
./history-sanitizer -f ~/.zsh_history -o ~/.zsh_history.clean
# Review the cleaned file
less ~/.zsh_history.clean
# Replace original (make sure to backup first!)
cp ~/.zsh_history ~/.zsh_history.backup
mv ~/.zsh_history.clean ~/.zsh_history
```

| Flag | Short | Description | Default |
|---|---|---|---|
| `--file` | `-f` | Path to history file | `~/.zsh_history` |
| `--output` | `-o` | Output file path | `<input>.sanitized` |
| `--dry-run` | `-d` | Show changes without modifying files | `false` |
| `--verbose` | `-v` | Show detailed information | `false` |
| `--in-place` | `-i` | Replace original file (creates .backup) | `false` |
| `--help` | `-h` | Show help message | - |

| Command | Description |
|---|---|
| `list-rules` | Display all available Gitleaks detection rules |
```
Scanning history file: /Users/you/.zsh_history
Found 3 sensitive pattern(s)
Finding #1:
  Type: AWS Access Key
  Line: 42
Finding #2:
  Type: Generic Secret
  Line: 108
Finding #3:
  Type: GitHub Token
  Line: 234
Sanitized history saved to: /Users/you/.zsh_history.sanitized
Original file preserved at: /Users/you/.zsh_history
To replace your history file, run:
  mv /Users/you/.zsh_history.sanitized /Users/you/.zsh_history
```
- Scan: Reads your shell history file and scans each line against known patterns
- Detect: Uses regular expressions to identify sensitive information
- Obfuscate: Replaces sensitive data with safe placeholders like `[REDACTED_KEY_a1b2c3d4]`
- Save: Writes the sanitized content to a new file
- Original files are never modified automatically
- Obfuscated values include a hash for consistency
- Output files are created with restrictive permissions (0600)
- All processing happens locally - no data is sent anywhere
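
The scan, detect, obfuscate and save steps and the guarantees listed above, as an added sketch that is not the project's own code. The names `rules`, `sanitize` and `sanitizeFile` are hypothetical, the three patterns are simplified stand-ins for the tool's `patterns.toml`, and the truncated SHA-256 tag is an assumption about how the placeholder hash could be derived.

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"os"
	"regexp"
	"strings"
)

// Simplified illustrative rules (not the tool's patterns.toml). The single
// named group marks the secret; its name becomes the placeholder label.
var rules = []*regexp.Regexp{
	regexp.MustCompile(`\b(?P<KEY>(?:AKIA|ASIA)[A-Z0-9]{16})\b`),
	regexp.MustCompile(`\b(?P<TOKEN>ghp_[A-Za-z0-9]{36})\b`),
	regexp.MustCompile(`(?i)(?:password|passwd|pwd)=(?P<PASSWORD>\S+)`),
}

// sanitize replaces each secret with [REDACTED_<label>_<8 hex chars>]. The tag is
// a truncated SHA-256 (an assumption), so equal secrets get equal placeholders.
func sanitize(text string) (string, int) {
	n := 0
	for _, re := range rules {
		var b strings.Builder
		last := 0
		for _, m := range re.FindAllStringSubmatchIndex(text, -1) {
			sum := sha256.Sum256([]byte(text[m[2]:m[3]]))
			fmt.Fprintf(&b, "%s[REDACTED_%s_%x]", text[last:m[2]], re.SubexpNames()[1], sum[:4])
			last, n = m[3], n+1
		}
		text = b.String() + text[last:]
	}
	return text, n
}

// sanitizeFile writes a redacted copy of src to dst (mode 0600); src is untouched.
func sanitizeFile(src, dst string) (int, error) {
	data, err := os.ReadFile(src)
	if err != nil {
		return 0, err
	}
	clean, n := sanitize(string(data))
	return n, os.WriteFile(dst, []byte(clean), 0o600)
}

func main() {
	// Constructed history line; the key is AWS's documented example value.
	out, n := sanitize(": 1700000000:0;export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n")
	fmt.Printf("%d finding(s): %s", n, out)
}
```

Because equal secrets map to equal placeholders, reuse of one credential across commands stays visible in the sanitized file. In this sketch the tag is unsalted, so for low-entropy values such as passwords it can be tested against guesses; treat the sanitized file as sensitive too.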
```
history-sanitizer/
├── main.go                 # Entry point
├── cmd/
│   ├── root.go             # Main scan/sanitize command
│   └── list.go             # List detection rules command
├── pkg/
│   ├── scanner/
│   │   ├── scanner.go      # Pattern detection logic
│   │   ├── patterns.toml   # Detection patterns (from Gitleaks)
│   │   └── gitleaks.toml   # Full Gitleaks config (reference)
│   └── sanitizer/
│       └── sanitizer.go    # Obfuscation logic
├── examples/
│   └── sample_history.txt  # Sample file for testing
├── go.mod                  # Go module definition
└── README.md               # This file
```
```bash
go test ./...
```

```bash
go build -o history-sanitizer
```

```bash
# Linux
GOOS=linux GOARCH=amd64 go build -o history-sanitizer-linux
# macOS
GOOS=darwin GOARCH=amd64 go build -o history-sanitizer-macos
# Windows
GOOS=windows GOARCH=amd64 go build -o history-sanitizer.exe
```

Contributions are welcome! Please feel free to submit a Pull Request.
- Fork the repository
- Create your feature branch (`git checkout -b feature/AmazingFeature`)
- Commit your changes (`git commit -m 'Add some AmazingFeature'`)
- Push to the branch (`git push origin feature/AmazingFeature`)
- Open a Pull Request
This project is licensed under the MIT License.
- Powered by Gitleaks for secret detection - a well-maintained, industry-standard tool
- Built with Cobra for CLI framework
- Uses fatih/color for colored terminal output
- Add configuration file support for custom patterns
- Support for more shell history formats
- Integration with git hooks
- Cloud backup sanitization
- Machine learning-based detection
- Quick Start Guide - Get started in 5 minutes
- Project Summary - Project overview and architecture
- Pattern Sources - How we use Gitleaks patterns
- Gitleaks Integration - Technical integration details
- Examples - Sample history files for testing
If you encounter any issues or have questions, please open an issue on GitHub.