Show HN: Layerleak – Like Trufflehog, but for Docker Hub

Summary

layerleak, the Docker Hub Secret Scanner

Check CONTRIBUTING.md for development and contribution guidelines.

Docker Hub / OCI image secret scanner that analyzes image layers, config metadata, and image history, then stores deduplicated findings by manifest digest.

Traditional secret scanners often treat a container image as a flat blob or depend on a local Docker daemon. This project is designed around OCI image internals:

- Public Docker Hub images only
- Read-only scanning
- No secret verification
- No Docker daemon dependency required
- Manifest-aware and layer-aware scanning
- Scans final filesystem and deleted-layer artifacts
- Scans image config metadata, env vars, labels, and history
- Deduplicates findings by secret fingerprint and collapses repeated identical context snippets per manifest

Prerequisites:

Build from source:

    git clone https://github.com/brumbelow/layerleak.git
    cd layerleak
    go build -o layerleak .

Optional environment configuration:

Result and database configuration:

    export LAYERLEAK_FINDINGS_DIR=findings
    export LAYERLEAK_TAG_PAGE_SIZE=100
    export LAYERLEAK_DATABASE_URL=postgres://postgres:postgres@localhost:5432/layerleak?sslmode=disable

If LAYERLEAK_FINDINGS_DIR is not set, layerleak writes JSON findings files to findings/ under the repo root. Saved findings files contain only detections, including unredacted finding values and unredacted context snippets.

LAYERLEAK_TAG_PAGE_SIZE controls Docker Hub tag-list pagination for repository-wide scans.

If LAYERLEAK_DATABASE_URL is set, the scanner also writes the scan to Postgres and fails the command if Postgres is unavailable or the save does not succeed.

Result behavior:

- Actionable findings remain in findings and drive the non-zero scan exit status.
- Likely test/example/demo placeholders are emitted separately as suppressed example findings and do not count toward total_findings.
- Finding records now include disposition, disposition_reason, and line_number to make triage and false-positive review easier.
Layerleak shi...

First seen: 2026-03-26 20:15

Last seen: 2026-03-26 20:15