Spectral scans anything that looks like a file. And anything that can look like a file.

  • Git repos -- Spectral understands Git semantics and is especially useful to scan source code
  • Software libraries -- such as Node.js npm packages, Java Jars and more
  • Software deliverables -- such as Android apps pulled from Google Play
  • Production artifacts -- such logs and storage
  • Containers -- such as Docker containers locally built or pulled from Docker Hub

🦸‍♀️ Text. Not programming languages. Focusing on text, unlocks the ability to transcend over programming languages, be independent of those, and scan everything!

It's a tool. But also: a platform 🤯.

We keep all workflows as first-class command line driven. That's how we like to work. In addition, Spectral can be used in many different other scenarios, for example:

  • Add spectral to CI as a build step
  • Spectral scans your codebase using an ever growing array of detectors
  • If matches are translated to findings (sensitive data, credentials or other risks), Spectral can fail the build (or not), and pinpoints the problem
  • Provide a full report for tracing the finding to the source file and position for easy risk assessment and mitigation

As a bonus, and from iteration to iteration, using SPEQL (our own mini detector query language) your development team and/or DevSecOps team can augment Spectral's built in detectors with their own security policies by authoring new detectors and checking these in to the code repository (see more in detectors).


Spectral is built to last

Our own detector query language -- SPEQL was built from the start, not as an afterthought, because we knew we wanted to create a tool that would grow with you. If you can think of a policy -- code it.

Secure by design

Here's a secret. Security tools can have security vulnerabilities in them, or they can put your company at risk because they happen to communicate with the world and possibly open a door for your data.

It's like finding out how sausages are made for the first time (for those of you who didn't know about how sausages are made -- sorry about that!).

What a paradox it is, adopting a security tool that draws a larger target on the back of your organization and makes the surface of attack bigger rather than smaller?

We've used a ton of security tools like these. But then we've had it. We built Spectral.

Spectral minimizes the surface area of attack by:

  • Doing the right thing by default and having security by-design. For example Spectral never shows you secrets it found, it will just lead you there
  • Spectral never communicates your private data with the outside world, ever
  • Spectral never stores, indexes, or offloads sensitive file contents to another place -- in or out of your data centers (not even temporary files) -- it does all the scanning in real time in-memory. This is why performance in Spectral is by design, to support security by design.
  • Spectral is built with a safe, compiled, borrow-checked, programming language that is proven itself to excel, and is widely adopted in the security domain: Rust. No scripting languages, no toy languages, no compromise.


Always be aware of who's messing with your data

Here's a tip. Go over your SaaS vendors, and ask them if they store your data in ther data centers. How are they processing it? how are they keeping it secure? what guarantees do they have? can they still give you value without grabbing your data?
We built all of our technology into our scanner, which means, we don't need a copy of your data to give you value. Makes life simple for us, and simple for you.


An input source is any folder that hosts files. with that in mind Spectral supports reading anything that sits on your filesystem, or that can be translated to files.

File systems:

  • Git repositories -- pre-commit or on CI
  • Home folders (~) -- protect entire desktops
  • Document folders -- scanning legal documents
  • Cloud storage folders -- scanning files stored on Dropbox, Google Drive and so on

And artifacts such as:

  • Container filesystems -- as a container security solution
  • Android apps -- as app static analysis engine
  • Websites -- as a remote scraping and monitoring security solution
  • Npm modules -- as a build / production verification layer after pushing a new module to production


A detector is a way to formulate a security best practice, detection of secrets, and a logical way to do security by design.

Spectral comes with a premium, high-grade array of detectors and it also allows and encourages you and your teams to add detectors to it.

By writing your own custom detectors we want to empower your team to build various policies such as:

  • Identify and sanitize private customer IDs and data
  • Special home-brew secrets for internal systems
  • Employ policies such as: a test-only credit card with a certain pattern should only exist in the /examples folder

And so on. See more about authoring detectors in detectors

Zero-config everything 🚀

There are already too many tools and too many dashboards in the world of the IT manager; and these require too many set up and maintenance ceremonies.

Spectral's mission is to integrate with your existing:

  • CI -- such as TravisCI, CircleCI and others
  • Logging provider -- such as Elastic
  • Alert provider -- such as Sentry and PagerDuty
  • Automation Infrastructure -- by providing a raw JSON stream of events

With zero configuration. Not only that, it will provide you full visibilty of your organization, without any set up from your side.

🦸‍♀️ Thinking hard replaces working hard! We built an inference engine that takes scans metadata, and infers team names and org structure and then builds everything you view. Just so you don't have to type this in.