Scan before AI
reads your repo.
Scan your project before AI reads it. See what files, folders, and context may be exposed to AI tools. Generate AI ignore files and keep sensitive data out of AI context.
Terminal demo: install the Offsend CLI with Homebrew, change into a project directory, and run “offsend show” to list the four environment files (.env.dev, .env.prod, .env.stage, .env.usa) that would be sent to AI tools.
Local-firstNo server-side scanningNo accountOpen source
Four commands,
zero cloud.
The offsend command-line tool is free for local scans, git hooks, and CI. Everything below runs on your Mac and reads ignore rules and paths only — never uploads file contents.
offsend check --stagedScan files, folders, or staged git changes for API keys, tokens, private keys, and similar secrets before they leave your Mac.
offsend showList the sensitive files that would be sent to AI tools because no ignore rule covers them — grouped by data type, read-only.
offsend prepareCreate the AI ignore files a project is missing (.cursorignore, .claudeignore, .aiexclude, …) so AI tools respect your boundaries.
offsend hook installInstall a pre-commit hook that runs the same checks against staged changes and blocks commits containing sensitive data.
One config.
Same checks in CI.
Commit a .offsend.yml to tune detectors, exclusions, and custom dictionaries — then run the same checks in your pipeline. CLI flags override config values when provided explicitly.
version: 1
check:
fail_on: block
exclude:
- "*.lock"
- "vendor/**"
detectors:
disable:
- phone
dictionaries:
- kind: project
value: "Project Apollo"
- kind: regex
value: "ACME-\\d{4,}"
hooks:
type: pre-commit
fail_on: block- name: Install Offsend CLI
run: brew install --cask offsend/tap/offsend-cli
- name: Check staged changes for secrets
run: offsend check --stagedAnswers
before you install.
Short, honest answers about the CLI. Missing something? Email us.
What is Offsend CLI?
Offsend CLI is a free, local-first macOS command-line tool that scans files, folders, and staged git changes for API keys, tokens, and private keys before AI coding tools like Cursor, Claude, or Copilot read them. Unlike cloud-based secret scanners, Offsend runs entirely on your Mac — it reads file paths and ignore rules only, never uploading file contents.
How do I use Offsend in CI or git hooks?
Install with Homebrew, commit a .offsend.yml to tune detectors and exclusions, then run offsend check --staged in GitHub Actions or install a pre-commit hook with offsend hook install. The same checks run locally and in CI; CLI flags override config values when provided explicitly.
Does the CLI upload file contents to Offsend servers?
No. The CLI reads paths and ignore rules only — never file bodies, clipboard content, or detected secret values. Everything runs on your Mac with no account required.
What's the difference between the CLI and the macOS app?
The CLI covers terminal workflows: scan staged changes, audit what AI tools would read, generate ignore files, and block risky commits from git hooks or CI. The macOS app adds Safe Paste, drag-and-drop file preparation, watched folders, and a hook-management UI — and bundles this CLI.
How do I install the Offsend CLI?
Run brew install --cask offsend/tap/offsend-cli on macOS 13 or later. The CLI is open source under Apache-2.0 and free for local scans, git hooks, and CI pipelines.
One brew install.
You’re covered.
Scan staged changes for secrets, see what AI tools would read, and block risky commits — from your terminal, git hooks, or CI.