API Reference

A complete, detailed reference of the apikeyscanner Python objects. When you run aks.scan(), it returns a ScanResult which contains a list of Finding objects.

The ScanResult Object

This is the main object returned by the scan. It holds all metadata about the scan execution, along with the actual secrets found.

| Property / Method | Type | Description |
|---|---|---|
| .findings | list[Finding] | The actual list of secrets found. Empty if the scan was clean. |
| .target | str | The original path string that was scanned. |
| .scan_mode | str | Returns "file", "directory", or "project" based on what was scanned. |
| .scanned_files / .skipped_files | int | Counts of how many files were successfully scanned vs skipped (e.g., binaries, ignored dirs). |
| .has_high_risk | bool | (Helper) True if any HIGH severity secrets were found. Perfect for CI/CD checks. |
| .has_findings / .is_clean | bool | (Helper) Easy booleans to check if the scan found anything at all. |
| .total_findings / .high_count / .medium_count | int | Numerical counts of the findings grouped by severity. |
| .to_dict() / .to_json() | dict / str | (Method) Serializes the entire result, including all findings, into a dictionary or JSON string. |
| .save_json(path) | None | (Method) Saves the JSON report to the given file path. Automatically creates parent directories if needed. |
| .filter_by_severity(list) | ScanResult | (Method) Returns a brand new ScanResult containing only the requested severities. |

The Finding Object

Every item inside result.findings is a Finding object. It contains the exact location and context of the leaked secret.

.severity (str)

The risk level: "HIGH", "MEDIUM", or "LOW".

.type (str)

The name of the detected pattern (e.g. "AWS Access Key" or "Generic Password").

.file (str)

The relative path to the file where the secret was found.

.line (int)

The exact 1-indexed line number in the file.

.match (str)

The matched string, automatically masked to prevent logging raw secrets (e.g., AKIA****************).

Severity Levels Explained

HIGH Risk
Critical secrets like AWS Keys, Stripe Secrets, Database Passwords, or Private SSH Keys. Action: Rotate these immediately. Do not deploy.
MEDIUM Risk
Personal Access Tokens, Webhooks, or URLs with embedded basic auth. Action: Review these. They should be moved to Environment Variables.
LOW Risk
Generic endpoints, internal IP addresses, or potential configuration leaks. Action: Informational. Verify if they belong in source control.
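
The following CI gate is an added example, not code from the apikeyscanner project. It turns the severity actions above into a build decision using only the documented ScanResult and Finding attributes. The exit codes, the strict flag, the sample_result stand-in, the sample rows and the "Webhook URL" type name are assumptions of this example.

```python
import sys
from types import SimpleNamespace

# Actions per severity, taken from the "Severity Levels Explained" section.
ACTIONS = {"HIGH": "rotate immediately, do not deploy",
           "MEDIUM": "review, move to environment variables",
           "LOW": "informational, verify it belongs in source control"}
ORDER = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}

def ci_gate(result, strict=False):
    """Return (exit_code, report_lines) for a ScanResult-like object.

    Exit codes and `strict` are conventions of this example, not the library's.
    """
    report = [f"target={result.target} mode={result.scan_mode} "
              f"scanned={result.scanned_files} skipped={result.skipped_files}"]
    # A scan that read zero files proves nothing, so never report it as clean.
    if result.scanned_files == 0:
        return 2, report + ["ERROR: no files were scanned"]
    if result.is_clean:
        return 0, report + ["OK: no findings"]
    ranked = sorted(result.findings,
                    key=lambda f: (ORDER.get(f.severity, 3), f.file, f.line))
    for f in ranked:
        # f.match is already masked by the scanner, so it is safe in CI logs.
        report.append(f"[{f.severity}] {f.type} {f.file}:{f.line} {f.match}"
                      f" -> {ACTIONS.get(f.severity, 'unclassified')}")
    blocked = result.has_high_risk or (strict and result.medium_count > 0)
    return (1 if blocked else 0), report

def sample_result(rows, scanned=3, skipped=1):
    """Constructed stand-in exposing the documented ScanResult attributes."""
    fs = [SimpleNamespace(severity=s, type=t, file=p, line=n, match=m)
          for s, t, p, n, m in rows]
    high = sum(f.severity == "HIGH" for f in fs)
    medium = sum(f.severity == "MEDIUM" for f in fs)
    return SimpleNamespace(
        findings=fs, target="./src", scan_mode="directory",
        scanned_files=scanned, skipped_files=skipped, is_clean=not fs,
        has_findings=bool(fs), has_high_risk=high > 0,
        total_findings=len(fs), high_count=high, medium_count=medium)

if __name__ == "__main__":
    # Real use would be `result = aks.scan("./src")`; the call shape is assumed.
    demo = sample_result([  # constructed sample findings
        ("MEDIUM", "Webhook URL", "config/hooks.py", 12, "http****"),
        ("HIGH", "AWS Access Key", "app/settings.py", 4, "AKIA****************")])
    code, lines = ci_gate(demo)
    print("\n".join(lines))
    sys.exit(code)
```

Exit code 2 separates "nothing was scanned" from a genuinely clean result, so a wrong target path cannot pass the pipeline unnoticed.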