Detect exposed secrets, API keys, credentials, and tokens in code. Use before commits, on file saves, or when security is mentioned. Prevents accidental secret exposure. Triggers on file changes, git commits, security checks, .env file modifications.
Prevent accidental secret exposure in your codebase.
When I Activate
✅ Before git commits
✅ Files modified/saved
✅ User mentions secrets, keys, or credentials
✅ .env files changed
✅ Configuration files modified
What I Detect
API Keys & Tokens
AWS access keys (AKIA...)
Stripe API keys (sk_live_..., pk_live_...)
GitHub tokens (ghp_...)
Google API keys
OAuth tokens
JWT secrets
Database Credentials
Database connection strings
MySQL/PostgreSQL passwords
MongoDB connection URIs
Redis passwords
Private Keys
SSH private keys
RSA/DSA keys
PGP/GPG keys
SSL certificates
Authentication Secrets
Password variables
Auth tokens
Session secrets
Encryption keys
Alert Examples
API Key Detection
// You type:
const apiKey = 'sk_live_1234567890abcdef';
// I immediately alert:
🚨 CRITICAL: Exposed Stripe API key detected!
📍 File: config.js, Line 3
🔧 Fix: Use environment variables
const apiKey = process.env.STRIPE_API_KEY;
📖 Add to .gitignore: .env
AWS Credentials
# You type:
aws_access_key = "AKIAIOSFODNN7EXAMPLE"
# I alert:
🚨 CRITICAL: AWS access key exposed!
📍 File: aws_config.py, Line 1
🔧 Fix: Use AWS credentials file or environment variables
aws_access_key = os.getenv("AWS_ACCESS_KEY_ID")
📖 Never commit AWS credentials
Database Password
# You type in docker-compose.yml:
environment:
DB_PASSWORD: "mySecretPassword123"
# I alert:
🚨 CRITICAL: Database password in configuration file!
📍 File: docker-compose.yml, Line 5
🔧 Fix: Use .env file
DB_PASSWORD: ${DB_PASSWORD}
📖 Add .env to .gitignore
Detection Patterns
Pattern Types
High Confidence:
Known API key formats (Stripe, AWS, etc.)
Private key headers
JWT tokens
Connection strings with credentials
Medium Confidence:
Variables named "password", "secret", "key"
Base64 encoded strings in sensitive contexts
Long random strings in assignments
Low Confidence (Flagged for Review):
Generic secret patterns
Potential credentials in comments
Git Integration
Pre-Commit Protection
# Before commit, I scan:
git add .
git commit
# I block if secrets found:
🚨 CRITICAL: Cannot commit - secrets detected!
📍 3 secrets found:
- config.js:12 - API key
- .env:5 - Database password (in gitignore - OK)
- auth.js:45 - JWT secret
❌ Commit blocked - remove secrets first
.gitignore Validation
I check if sensitive files are in .gitignore:
✅ .env - In .gitignore (good)
⚠️ config/secrets.json - NOT in .gitignore (add it!)
✅ .aws/credentials - In .gitignore (good)
False Positive Handling
Example Files
// I understand these are examples:
// Example: const apiKey = 'your_api_key_here';
// TODO: Add your API key from environment
Test Files
// Test fixtures are OK (but flagged for review):
const mockApiKey = 'sk_test_1234567890abcdef'; // ✅ Test key
Documentation
<!-- Documentation examples are flagged but low priority -->
Set your API key: `export API_KEY=your_key_here`
Relationship with security-auditor
secret-scanner (me): Exposed secrets and credentials
security-auditor: Code vulnerability patterns
Together
secret-scanner: Finds hardcoded API key
security-auditor: Finds how the key is used insecurely
Combined: Complete security picture