Free CLI Tool for macOS

Scan before AI reads your repo.

Scan your project before AI reads it. See what files, folders, and context may be exposed to AI tools. Generate AI ignore files and keep sensitive data out of AI context.

payments-api — zsh

Terminal demo: install the Offsend CLI with Homebrew, change into a project directory, and run “offsend show” to list the four environment files (.env.dev, .env.prod, .env.stage, .env.usa) that would be sent to AI tools.

Local-first · No server-side scanning · No account · Open source

What the CLI does

Four commands, zero cloud.

The offsend command-line tool is free for local scans, git hooks, and CI. Everything below runs on your Mac and reads ignore rules and paths only — never uploads file contents.

offsend check --staged

Scan files, folders, or staged git changes for API keys, tokens, private keys, and similar secrets before they leave your Mac.

offsend show

List the sensitive files that would be sent to AI tools because no ignore rule covers them — grouped by data type, read-only.

offsend prepare

Create the AI ignore files a project is missing (.cursorignore, .claudeignore, .aiexclude, …) so AI tools respect your boundaries.

offsend hook install

Install a pre-commit hook that runs the same checks against staged changes and blocks commits containing sensitive data.

Configure & automate

One config. Same checks in CI.

Commit a .offsend.yml to tune detectors, exclusions, and custom dictionaries — then run the same checks in your pipeline. CLI flags override config values when provided explicitly.

.offsend.yml
version: 1

check:
  fail_on: block
  exclude:
    - "*.lock"
    - "vendor/**"
  detectors:
    disable:
      - phone
  dictionaries:
    - kind: project
      value: "Project Apollo"
    - kind: regex
      value: "ACME-\\d{4,}"

hooks:
  type: pre-commit
  fail_on: block

.github/workflows/ci.yml
- name: Install Offsend CLI
  run: brew install --cask offsend/tap/offsend-cli

- name: Check staged changes for secrets
  run: offsend check --staged

FAQ

Answers before you install.

Short, honest answers about the CLI. Missing something? Email us.

What is Offsend CLI?

Offsend CLI is a free, local-first macOS command-line tool that scans files, folders, and staged git changes for API keys, tokens, and private keys before AI coding tools like Cursor, Claude, or Copilot read them. Unlike cloud-based secret scanners, Offsend runs entirely on your Mac — it reads file paths and ignore rules only, never uploading file contents.

How do I use Offsend in CI or git hooks?

Install with Homebrew, commit a .offsend.yml to tune detectors and exclusions, then run offsend check --staged in GitHub Actions or install a pre-commit hook with offsend hook install. The same checks run locally and in CI; CLI flags override config values when provided explicitly.

Does the CLI upload file contents to Offsend servers?

No. The CLI reads paths and ignore rules only — never file bodies, clipboard content, or detected secret values. Everything runs on your Mac with no account required.

What's the difference between the CLI and the macOS app?

The CLI covers terminal workflows: scan staged changes, audit what AI tools would read, generate ignore files, and block risky commits from git hooks or CI. The macOS app adds Safe Paste, drag-and-drop file preparation, watched folders, and a hook-management UI — and bundles this CLI.

How do I install the Offsend CLI?

Run brew install --cask offsend/tap/offsend-cli on macOS 13 or later. The CLI is open source under Apache-2.0 and free for local scans, git hooks, and CI pipelines.

One brew install. You’re covered.

Scan staged changes for secrets, see what AI tools would read, and block risky commits — from your terminal, git hooks, or CI.

macOS 13+ · Open source · Apache-2.0