keyhog v0.5.34.
Release notes for the v0.5.34 tag, cut 2026-05-27.
New to keyhog? Read "keyhog. Our first production-ready tool." first.
Changes
- Class-separated exit codes. EXIT_USER_ERROR(2) for bad input, EXIT_SYSTEM_ERROR(3) for IO / OS failures, EXIT_SCANNER_PANIC(11) as the panic subcode. CI gates can distinguish "your config is wrong" from "the runner's disk is full" without parsing stderr.
- Backend env-override fix. KEYHOG_BACKEND is now uncached at startup-read time so test harnesses that flip it between cases see fresh values instead of the first-observed value from process boot.
- Allowlist root path heuristic. A pre-existing path that doesn't exist on disk no longer collapses /tmp/project to /tmp; file.rs with no parent now resolves to . instead of the empty string.
- FILE_GATE_MATRIX.toml. 220 module rows, regenerated from find crates -name '*.rs' -path '*/src/*'; deleting a module is now a build failure instead of a quiet code drop.
- 891-detector banner sync. The README banner and the e2e gate constant now both say 1646 patterns, so the binary's --detectors --json output and the README never disagree.
Use it
keyhog runs on Linux, macOS, and Windows. The Linux x86_64 binary is on GitHub Releases; the others build from source. CI integration is one uses: santhsecurity/keyhog-action step (or one cargo install --git for the vendored vyre-libs path until it lands on crates.io).
# Install (Linux x86_64)
curl -sSf https://raw.githubusercontent.com/santhsecurity/keyhog/main/install.sh | bash
# Scan a tree
keyhog scan .
# Scan with verification of live findings (exit 10 if any are live)
keyhog scan . --verify
# Audit the detector corpus itself (CI gate)
keyhog detectors --audit
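A CI gate built on the class-separated exit codes listed under Changes and the exit 10 that scan --verify returns for live findings, as an added example that is not keyhog's own code. The function names, the KEYHOG_GATE_* variables, the retry-on-system-error policy, and treating 0 as clean and any other code as a failure are assumptions of this example.

```shell
#!/usr/bin/env bash
# CI gate over keyhog's class-separated exit codes (added example).
# Codes 2, 3, 10 and 11 are the ones stated in these release notes; the
# meaning of 0 (clean) and the handling of any other code are assumptions.
# keyhog_exit_class, keyhog_gate and KEYHOG_GATE_* are hypothetical names.

# Map an exit code to a class name without parsing stderr.
keyhog_exit_class() {
  case "$1" in
    0)  echo clean ;;          # assumption: 0 means nothing to report
    2)  echo user_error ;;     # EXIT_USER_ERROR: bad input
    3)  echo system_error ;;   # EXIT_SYSTEM_ERROR: IO / OS failure
    10) echo live_findings ;;  # scan --verify found live secrets
    11) echo scanner_panic ;;  # EXIT_SCANNER_PANIC
    *)  echo unclassified ;;   # not documented here: fail closed
  esac
}

# Run the scanner command given as arguments. Only system errors are
# retried (this example's policy: a runner fault may be transient); a
# config error, a panic or a live finding fails the job immediately.
# Prints the final class on stdout; returns 0 only for a clean scan.
keyhog_gate() {
  local max_tries="${KEYHOG_GATE_TRIES:-3}" try=1 rc class
  while :; do
    rc=0
    "$@" >&2 || rc=$?          # scanner output goes to the job log
    class="$(keyhog_exit_class "$rc")"
    if [ "$class" = system_error ] && [ "$try" -lt "$max_tries" ]; then
      try=$((try + 1))
      sleep "${KEYHOG_GATE_BACKOFF:-5}"
      continue
    fi
    echo "$class"
    [ "$class" = clean ] && return 0
    return 1
  done
}

# Typical CI call (not executed here):
#   class="$(keyhog_gate keyhog scan . --verify)" || echo "gate failed: $class"
```

Keeping the retry limited to the system-error class means a scanner panic or a live secret is never masked by a later successful attempt.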
Source, contracts, the adversarial harness, and the v0.5.34 release notes: github.com/santhsecurity/keyhog.
Open issues we want help on
- The 232 wrapper regression. Fix lands in v0.5.35 - the pre-filter handoff change is small but it touches the hot path. Patches welcome.
- Contracts for the long tail. Every detector contract is one TOML file. If you maintain a service with API tokens that keyhog should detect (or should NOT false-positive on inside a real-world repo), open a PR with the fixture and the harness will keep us honest.
- Real-world FP/FN reports. If keyhog fires on something that isn't a secret, or misses something that is, we want the file. Open an issue with the input minimized to the smallest reproducing form, and we'll convert it into a contract case.