Rosa Del Mar

Daily Brief

Issue 96 2026-04-06

Tool Release/Version Update

Sources: 1 • Confidence: Medium • Updated: 2026-04-12 10:01

Key takeaways

  • scan-for-secrets version 0.3 has been released.
  • scan-for-secrets 0.3 adds a -r/--redact option that lists secret matches, asks for confirmation, and then replaces each match with the string "REDACTED" while respecting escaping rules.
  • scan-for-secrets 0.3 adds a Python function redact_file(file_path: str | Path, secrets: list[str], replacement: str = "REDACTED") that returns an int.

Sections

Tool Release/Version Update

  • scan-for-secrets version 0.3 has been released.

Interactive Secret Redaction in CLI Workflow

  • scan-for-secrets 0.3 adds a -r/--redact option that lists secret matches, asks for confirmation, and then replaces each match with the string "REDACTED" while respecting escaping rules.

Programmatic Redaction API for Integration

  • scan-for-secrets 0.3 adds a Python function redact_file(file_path: str | Path, secrets: list[str], replacement: str = "REDACTED") that returns an int.

Unknowns

  • What other changes (besides redaction) are included in scan-for-secrets 0.3?
  • What exactly does the -r/--redact option’s "respecting escaping rules" guarantee, and for which input formats/encodings?
  • What does redact_file return (e.g., number of replacements, success/error code), and how are errors reported?
  • Does redaction operate in-place on files, and what safeguards exist to prevent irreversible loss of original data (e.g., backups, dry-run modes)?
  • What secret match types/pattern sources are supported by the redaction flow, and how does it handle overlapping/duplicate matches?

Investor overlay

Read-throughs

  • Feature shift from detection to remediation could increase adoption in security workflows where fixing issues is required, not just finding them
  • Interactive redaction and a Python API may broaden integration into CI and developer tooling, potentially increasing usage in automation contexts

What would confirm

  • Release notes or a changelog detail what was added beyond redaction, including bug fixes, performance, and compatibility changes
  • Documentation clarifies how escaping-aware redaction works and which file formats and encodings are supported
  • API docs specify redact_file return semantics, error reporting, and whether edits are in-place plus safeguards like backups or dry-run

What would kill

  • Redaction is limited to narrow formats or encodings, or escaping behavior is unreliable, reducing practical usability
  • redact_file provides weak error signaling or unclear return values, making integration brittle for automation
  • No safeguards for irreversible changes and no non-interactive or dry-run mode, limiting use in CI or regulated environments

Sources

  1. 2026-04-06 simonwillison.net