Scan code for exposed secrets, API keys, and credentials. Detect hardcoded passwords and sensitive data leaks.
Secrets scanning detects sensitive credentials — API keys, passwords, tokens, certificates, and connection strings — that have been accidentally committed to source code repositories, configuration files, or documentation. Hardcoded secrets are one of the most common and easily exploitable security vulnerabilities, providing attackers with direct access to databases, cloud services, APIs, and internal systems.
Research consistently shows that thousands of new secrets are exposed in public repositories daily. GitHub reports detecting and revoking millions of secrets per year through its push protection feature. Private repositories are also at risk — leaked or stolen repositories expose every secret ever committed.
| Secret Type | Pattern Example | Risk if Exposed |
|---|---|---|
| AWS Access Key | AKIA[0-9A-Z]{16} | Full AWS account access |
| GitHub Token | ghp_[a-zA-Z0-9]{36} | Repository and organization access |
| Slack Webhook | https://hooks.slack.com/services/T.../B.../... | Post messages to Slack channels |
| Database URL | postgres://user:pass@host/db | Direct database access |
| JWT Secret | Arbitrary string in JWT_SECRET= | Forge authentication tokens |
| Private Key | -----BEGIN RSA PRIVATE KEY----- | Impersonate servers, decrypt data |
| Stripe Key | sk_live_[a-zA-Z0-9]{24} | Process payments, access customer data |
The tool detects over 50 types of secrets including AWS access keys, API keys for services like GitHub, Stripe, SendGrid, and Slack, database connection strings, private keys (RSA, SSH, PGP), JWT tokens, and hardcoded passwords. It uses pattern matching to identify credentials from major cloud providers and popular services.
Yes, the secrets scanner operates 100% client-side in your browser. Your code and any detected secrets are never transmitted to any server. This makes it safe for scanning sensitive production configurations and proprietary code without any privacy concerns.
Each finding includes specific remediation steps for that type of secret. Generally, you should immediately rotate or revoke the exposed credential, review access logs for unauthorized usage, update your code to use environment variables or a secrets manager, and add the file to your gitignore if appropriate.
The tool allows you to mark any finding as a false positive, which removes it from the active results. This is useful for test credentials, placeholder values, or strings that match patterns but are not actual secrets. You can filter the results view to show or hide false positives.
Yes, the tool supports custom patterns. You can define your own regex patterns to detect organization-specific API keys, internal tokens, or any credential format unique to your environment. Custom patterns can be assigned a severity level and remediation instructions.
Scan results can be exported in multiple formats including JSON, CSV, and plain text reports. The exports include all findings with their severity, location, remediation steps, and context. You can use these reports for security audits, documentation, or integration with other tools.
Critical severity indicates high-value credentials like production API keys or private keys that could cause significant damage if compromised. High severity covers access tokens and service credentials. Medium severity includes webhook URLs and less sensitive tokens. Low severity is for test keys or informational findings.