Secrets Scanner
Git secrets scanner online. Detect API keys, tokens, passwords in code. Client-side scanning—find secrets before committing.
🔒 100% client-side. Your code never leaves your browser.
Paste Code, .env File, or Config
Patterns We Check
✅ .env files (KEY=value) AWS Keys GitHub Tokens Stripe Keys Database URLs JWT Tokens Private Keys Generic Secrets
🛡️ How to Protect Secrets
- • Add
.envto.gitignore - • Use environment variables:
process.env.API_KEY - • Use secret managers (AWS Secrets Manager, Vault, 1Password)
- • Rotate exposed secrets immediately
Features
- Scan text for common API keys (AWS, Stripe, Google, etc.)
- Regex-based detection patterns
- Client-side only (secrets never leave browser)
- Risk level assessment
Common Use Cases
- Sanitizing code snippets before sharing online
- Checking a file before committing to a public repo
- Auditing pasted configuration
Secret Leaks
Accidentally committing secrets (API keys, passwords, tokens) to git is a major security risk. Once pushed, it is in the history forever, even if you delete the file later. You must rotate compromised keys immediately.
Examples
Invalid - AWS Key
AKIAIOSFODNN7EXAMPLE Valid - Safe Variable
const apiKey = process.env.API_KEYFrequently Asked Questions
Does this remove them?
No, this tool detects them so you can remove or mock them manually.
Is it safe to paste here?
Yes, this tool runs entirely in your browser. No data is sent to any server.
💡 Tips
- Use `.env` files and add them to `.gitignore`. Never hardcode secrets.