Our first production-ready tool.

It is a secret scanner. It reads files. It finds leaked credentials. It tells you where they are. It works on Linux, macOS, and Windows. It runs on the CPU. It runs on the GPU. It outputs JSON, SARIF, and a TUI that streams findings as they land.

We have been building Santh for two years. We have written compilers, GPU primitives, JIT engines, regex backends, sandboxes, and security analysis tools. Most of that work has lived inside the workshop. keyhog is the first piece that leaves it.

The first time Vyre runs in production.

Vyre is the GPU compute substrate Santh has been building. It compiles ordinary Rust code into shaders that run on NVIDIA, AMD, and Apple GPUs, bit-for-bit identical to a CPU reference. Most GPU stacks force you to write CUDA or WGSL by hand. Vyre lets you write a state machine.

keyhog runs its Aho-Corasick automaton on Vyre. That is the first time anyone outside our build system feels what Vyre does. A scan against a Linux kernel tree on a 5090 lands in seconds. The same scan on a laptop with no GPU lands in seconds too. The findings are the same. The conformance gate is what makes that promise hold.

The first of many.

keyhog is the first Santh tool to ship. It will not be the last. The next ones are not paper plans. Gossan finds attack surface. Wafrift tests WAF coverage. Envseal stores secrets behind a hardware-sealed vault. TrueStack fingerprints the technology a server actually runs, not what its version string claims.

Each one will use the same Vyre substrate keyhog already uses. Each one will ship the same way: a CLI you install, a library you import, and a contract per behaviour.

What keyhog does today.

• 891 service-specific detectors. Each is a regex, an entropy check, and a TOML contract the build refuses to ship without.
• Hyperscan SIMD on the CPU. Vyre Aho-Corasick on the GPU. The two paths produce the same findings, byte for byte.
• SARIF output, JSON output, human output, TUI. The SARIF path drops directly into GitHub Advanced Security.
• Class-separated exit codes. 2 for user error, 3 for system error, 10 for a live credential, 11 for a scanner panic. CI gates can tell a misconfigured run from a real leak.
• Cross-format adversarial harness. Every detector positive is wrapped in eight container formats (.env, JSON, YAML, Dockerfile, shell-export, INI, GitHub Actions, Kubernetes Secret) and the detector must still fire. 14,512 cases run on every build.

Use it.

# Linux and macOS
curl -fsSL https://raw.githubusercontent.com/santhsecurity/keyhog/main/install.sh | sh

# Scan a tree
keyhog scan .

# Verify any live credentials it finds
keyhog scan . --verify

# Watch it work
keyhog tui .

Source: github.com/santhsecurity/keyhog. Release notes for every version live at github.com/santhsecurity/keyhog/releases. Latest is v0.5.34.