Secrets Scanner

Secrets Scanner

Git secrets scanner online. Detect API keys, tokens, passwords in code. Client-side scanning—find secrets before committing.

🔒 100% client-side. Your code never leaves your browser.

Paste Code, .env File, or Config

Patterns We Check

✅ .env files (KEY=value) AWS Keys GitHub Tokens Stripe Keys Database URLs JWT Tokens Private Keys Generic Secrets

🛡️ How to Protect Secrets

  • • Add .env to .gitignore
  • • Use environment variables: process.env.API_KEY
  • • Use secret managers (AWS Secrets Manager, Vault, 1Password)
  • • Rotate exposed secrets immediately

Features

  • Scan text for common API keys (AWS, Stripe, Google, etc.)
  • Regex-based detection patterns
  • Client-side only (secrets never leave browser)
  • Risk level assessment

Common Use Cases

  • Sanitizing code snippets before sharing online
  • Checking a file before committing to a public repo
  • Auditing pasted configuration

Secret Leaks

Accidentally committing secrets (API keys, passwords, tokens) to git is a major security risk. Once pushed, it is in the history forever, even if you delete the file later. You must rotate compromised keys immediately.

Examples

Invalid - AWS Key
AKIAIOSFODNN7EXAMPLE
Valid - Safe Variable
const apiKey = process.env.API_KEY

Frequently Asked Questions

Does this remove them?
No, this tool detects them so you can remove or mock them manually.
Is it safe to paste here?
Yes, this tool runs entirely in your browser. No data is sent to any server.

💡 Tips

  • Use `.env` files and add them to `.gitignore`. Never hardcode secrets.