Engineering Release Notes

Eliminating credential leaks at the commit stage.

Statically compiled in Go with zero external runtime dependencies, Crenox runs validation scans in sub-20ms to secure staged files before they leave the developer workstation.

Published by Khaled Hani on July 3, 2026

01 / The Thesis

Why local validation is the final line of defense

In modern DevSecOps, secret scanning is often offloaded to continuous integration (CI) platforms or post-push webhooks. While valuable, these remote validations operate after the secret has already reached the remote hosting repository. Once a credential resides in the git database, it must be considered compromised—triggering costly key rotation, access log audits, and multi-team incident responses.

"Once a private credential escapes the local workstation, security changes from prevention to remediation."

Crenox blocks leaks at the edge. By installing as a native git pre-commit hook directly in your local environment, it evaluates staged deltas and aborts the commit if an active credential, private key, or password configuration is matched. Because it operates locally, it requires no internet connection and does not log data to external analytics collectors.

02 / Technical Architecture

Verifying credentials in under 20 milliseconds

Developer velocity is a major constraint for pre-commit verification. Hooks that introduce noticeable latency encourage developers to bypass the validation workflow entirely. To meet this constraint, Crenox implements a three-tier pipeline that processes staging areas in milliseconds while maintaining high recall accuracy.

Tier 1: Prefix Automaton

Every file is parsed through an O(N) Aho-Corasick multi-pattern search trie. Custom user signatures and known credential templates are compiled directly into the state machine, allowing the engine to discover candidates in a single linear character pass.

Tier 2: Shannon Entropy Filtering

Candidate tokens matched in the first pass are evaluated for character randomness. Crenox calculates the exact entropy of the string to differentiate actual randomized access tokens from standard code templates or placeholder variables.

Tier 3: Context Analysis

Finally, the parser audits surrounding lines, variable assignments, and comments. This layer suppresses findings located in test assertions, mock environments, or lines specifically appended with a // crenox:ignore directive.

Output Demonstration

When Crenox identifies a leak, it aborts the commit process and renders a detailed breakdown of the findings in the console:

03 / Performance

Crenox vs Gitleaks vs TruffleHog: Workstation Comparison

To evaluate Crenox's performance, we run comparative workstation scans against gitleaks and trufflehog. Measurements are collected locally on an octa-core ARM64 workstation, tracking total execution latency and peak resident set size (RSS).

Audited Metric Crenox (v2.0.7) Gitleaks (v8.30.1) TruffleHog (v3.95.7)
Execution Footprint (Binary) 11.6 MB 42.5 MB 185.0 MB
Workstation RAM (Peak RSS) 11.3 - 11.9 MB 60.8 - 63.3 MB 204.7 - 207.3 MB
Staged Filesystem Scan 31 - 40 ms 1.13 - 1.22 s 6.69 - 7.39 s
Historical Audit (Git Log) 52 - 58 ms 1.26 - 1.27 s 6.79 - 7.26 s
Dependency Overhead Zero Zero Zero
04 / Installation

Deployment and local setup

Crenox is statically compiled to run natively across Linux, macOS, and Android/Termux. It does not require Go, Python, or additional runtime setups on the workstation.

Option A: Pre-compiled Binaries (Recommended)

The fastest way to install Crenox without dependencies. Example for Linux/macOS systems:

# 1. Download the target binary (example for Linux AMD64)
wget https://github.com/crenoxhq/crenox/releases/download/v2.0.7/crenox-v2.0.7-linux-amd64 -O crenox

# 2. Add execution permissions
chmod +x crenox

# 3. Move to your binary path (/usr/local/bin)
sudo mv crenox /usr/local/bin/

# 4. Verify deployment
crenox version

Option B: Package Manager (Android / Termux)

If you are on Android/Termux, you can install Crenox easily in just two command lines via the Termux User Repository (TUR):

pkg install tur-repo
pkg install crenox

Option C: Go package installer

If you have Go installed on your path, fetch and compile the latest release directly:

go install github.com/crenoxhq/crenox/v2/cmd/crenox@latest

Option D: Compile from source

Clone the repository and build manually using our Makefile configurations:

git clone https://github.com/crenoxhq/crenox.git
cd crenox
make build
./dist/crenox version

Activating the Git Hook

Once the binary is in your path, initialize the pre-commit validator inside your target repository:

# Enable for the current repository
crenox install

# Enable globally for all future clones/initializations
crenox install --global
05 / Execution Specs

Workstation run modes and directives

Crenox supports several CLI run modes to fit different developer workflows, ranging from automated Git pre-commit hooks to manual, ad-hoc filesystem scans.

1. The Commit-Time Validator

Executed automatically by the Git pre-commit hook during the staging process. It reads the index, extracts staged diff blobs, and scans them in-memory. If findings are found, the commit is aborted.

crenox run

2. Local Directory Scan

Used to run manual ad-hoc audits on any directory or file tree recursively. Excellent for auditing directories before initial commits.

crenox scan -r ./path/to/project

3. Continuous Integration Export

Generate structured logs in JSON or SARIF format for integration into external pipelines and alert aggregators.

crenox scan -r -f sarif . > report.sarif
06 / Custom Tuning

Tailoring Crenox to your codebase

Crenox works out of the box with production-ready defaults. For enterprise teams or complex workspaces, behavior can be customized by placing a .crenox.yaml file in the repository root.

Custom API Signatures

You can define proprietary rules and compile them directly into the Aho-Corasick automaton alongside built-in rules, avoiding regex overhead:

# .crenox.yaml
custom_signatures:
  - id: "internal-api-key"
    description: "Proprietary internal service credential"
    prefix: "mycompany_key_"
    severity: "CRITICAL"
    regex: "^mycompany_key_[a-zA-Z0-9]{32}$"

Path & Extension Exclusions

Skip specific folders (e.g. vendored dependencies) and file types to minimize scan time:

exclude_paths:
  - "vendor/**"
  - "node_modules/**"
exclude_extensions:
  - ".png"
  - ".zip"

Global Allowlist Patterns

Prevent false positives for known mock/test keys used across multiple directories:

allowlist_patterns:
  - "AKIAIOSFODNN7EXAMPLE"   # Exact match
  - "sk_test_*"              # Stripe test keys
07 / Engineering Blog

Technical insights & system logs

Articles written by the developers covering the design, optimization, and security philosophy of Crenox.

JULY 13, 2026

Memory Recycling: sync.Pool Bounding on Multi-Gigabyte Scans

How version 2.0.7 introduces an 8 MB chunk-streaming ScanReader coupled with a global sync.Pool buffer cache. This limits absolute memory footprint to concurrent CPU worker counts, preventing heap allocation buildup and dropping peak RSS by up to 13x.

JULY 7, 2026

Flat DFA Engine: Obliterating allocations in the hot path

How version 2.0.5 implements a flat, contiguous, integer-indexed DFA table for Aho-Corasick matching. This reduces the Trie's active memory to 500 KB, bringing absolute peak RSS down to Go runtime limits (~11 MB) with zero scan heap allocations.

JULY 3, 2026

Memory Optimization: Compiling Rules directly to the Automaton

How version 2.0.4 achieves a 27% memory footprint reduction (RSS) by compiling user-defined signatures directly into the search trie transitions, removing runtime regex parsing overhead.

JUNE 28, 2026

The Fallacy of Post-Push Security Scanning

Why remote repository scanning is too late. A study on the rotation window of exposed cloud credentials and why preventing the commit locally is the only zero-exposure security posture.

08 / Other Projects

Other engineering masterpieces

Explore other security, networking, and system-level applications built in our network ecosystem.

NexusFi

A self-contained, 3-tier Micro-ISP and Local Cloud Ecosystem engineered to run natively on rooted Android devices. Connects L2 deauth daemons, OTG auto-telemetry, and HTB shaping.

NetAnatomy

An advanced network visualization and anatomical mapping tool for complex infrastructural topologies. Delivered via a diagnostic web dashboard.

Decisify

A sophisticated decision-making engine and prioritization framework designed for rapid choice analysis and logic modeling.

09 / Community & Feedback

Get in touch & discuss security

Crenox is an open-source security tool developed as an individual effort. We value feedback, rule suggestions, and reports from all users.

If you would like to report a security issue, propose a new credential signature, or ask questions about workstation deployments, please use our community channels: