Secrets Scanner Simulator

Yes, the secrets scanner operates 100% client-side in your browser. Your code and any detected secrets are never transmitted to any server. This makes it safe for scanning sensitive production configurations and proprietary code without any privacy concerns.

Each finding includes specific remediation steps for that type of secret. Generally, you should immediately rotate or revoke the exposed credential, review access logs for unauthorized usage, update your code to use environment variables or a secrets manager, and add the file to your gitignore if appropriate.

The tool allows you to mark any finding as a false positive, which removes it from the active results. This is useful for test credentials, placeholder values, or strings that match patterns but are not actual secrets. You can filter the results view to show or hide false positives.

Yes, the tool supports custom patterns. You can define your own regex patterns to detect organization-specific API keys, internal tokens, or any credential format unique to your environment. Custom patterns can be assigned a severity level and remediation instructions.

Scan results can be exported in multiple formats including JSON, CSV, and plain text reports. The exports include all findings with their severity, location, remediation steps, and context. You can use these reports for security audits, documentation, or integration with other tools.

Critical severity indicates high-value credentials like production API keys or private keys that could cause significant damage if compromised. High severity covers access tokens and service credentials. Medium severity includes webhook URLs and less sensitive tokens. Low severity is for test keys or informational findings.