diff --git a/pkgs/tools/security/secretscanner/default.nix b/pkgs/tools/security/secretscanner/default.nix
new file mode 100644
index 00000000000..93d440009f3
--- /dev/null
+++ b/pkgs/tools/security/secretscanner/default.nix
@@ -0,0 +1,37 @@
+{ lib
+, buildGoModule
+, fetchFromGitHub
+, hyperscan
+, pkg-config
+}:
+
+buildGoModule rec {
+  pname = "secretscanner";
+  version = "20210214-${lib.strings.substring 0 7 rev}";
+  rev = "42a38f9351352bf6240016b5b93d971be35cad46";
+
+  src = fetchFromGitHub {
+    owner = "deepfence";
+    repo = "SecretScanner";
+    inherit rev;
+    sha256 = "0yga71f7bx5a3hj5agr88pd7j8jnxbwqm241fhrvv8ic4sx0mawg";
+  };
+
+  vendorSha256 = "0b7qa83iqnigihgwlqsxi28n7d9h0dk3wx1bqvhn4k01483cipsd";
+
+  nativeBuildInputs = [ pkg-config ];
+
+  buildInputs = [ hyperscan ];
+
+  postInstall = ''
+    mv $out/bin/SecretScanner $out/bin/$pname
+  '';
+
+  meta = with lib; {
+    description = "Tool to find secrets and passwords in container images and file systems";
+    homepage = "https://github.com/deepfence/SecretScanner";
+    license = with licenses; [ mit ];
+    maintainers = with maintainers; [ fab ];
+  };
+}
+
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index 86cefd9f946..a95160388cf 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -24776,6 +24776,8 @@ in
 
   seafile-client = libsForQt5.callPackage ../applications/networking/seafile-client { };
 
+  secretscanner = callPackage ../tools/security/secretscanner { };
+
   sent = callPackage ../applications/misc/sent { };
 
   seq24 = callPackage ../applications/audio/seq24 { };