Code analysis runs entirely in your browser

Code Secret Scanner

Detect leaked API keys, passwords, tokens, private keys, and connection strings in your code. Paste any code snippet and scan for potential secrets using regex pattern matching. Everything runs in your browser — your code is never sent anywhere.

How the Code Secret Scanner Works

This tool scans your code using a collection of regular expression patterns designed to detect common types of leaked credentials. It checks for API keys from major providers like AWS, OpenAI, GitHub, and Google. It detects hardcoded passwords, database connection strings, private keys, JWT tokens, and generic secret patterns. Each finding is classified by severity and includes specific remediation recommendations.

Detection Categories

Critical: Private keys, database connection strings

High: Provider API keys (AWS, OpenAI, GitHub, Google)

Medium: Hardcoded passwords, tokens, secrets

Low: Generic key/secret/token variable assignments

The scanner uses pattern matching — it may produce false positives for example code or test data. Always review findings in context before taking action.
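The scheme described above, as an added example written for this page rather than the tool's own source: a table of regular expressions, each carrying a severity from the four categories and a remediation hint, run line by line over pasted text. The key prefixes (AKIA, ghp_, AIza, sk-) are publicly documented; the minimum length used for OpenAI keys and JWT segments, the `secret-scan:ignore` suppression marker, and the sample input are assumptions made for the example.

```javascript
// Added example, not the tool's own code: a minimal secret scanner that works
// the way the page describes, running a table of regular expressions over the
// pasted text line by line and tagging each hit with a severity and a fix.
// Key prefixes are public; the OpenAI key and JWT segment lengths are assumptions.

const PATTERNS = [
  { id: 'private-key', severity: 'critical',
    re: /-----BEGIN (?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY-----/g,
    fix: 'Revoke the key pair, generate a new one, and load keys from a secret store.' },
  { id: 'connection-string', severity: 'critical',
    re: /\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?|redis|amqp):\/\/[^\s:@'"]+:[^\s@'"]+@[^\s'"]+/g,
    fix: 'Rotate the database password and build the URL from environment variables.' },
  { id: 'aws-access-key-id', severity: 'high',
    re: /\bAKIA[0-9A-Z]{16}\b/g,
    fix: 'Deactivate the key in IAM, issue a new one, and review CloudTrail for its use.' },
  { id: 'github-pat', severity: 'high',
    re: /\bghp_[A-Za-z0-9]{36}\b/g,
    fix: 'Revoke the token in GitHub settings and issue a minimally scoped replacement.' },
  { id: 'google-api-key', severity: 'high',
    re: /\bAIza[0-9A-Za-z_-]{35}\b/g,
    fix: 'Regenerate the key in Google Cloud Console and add API and referrer restrictions.' },
  { id: 'openai-api-key', severity: 'high',
    re: /\bsk-[A-Za-z0-9_-]{20,}\b/g, // minimum length is an assumption
    fix: 'Delete the key in the OpenAI dashboard and set a spend limit on its replacement.' },
  { id: 'jwt', severity: 'medium',
    re: /\beyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\b/g,
    fix: 'Treat the token as compromised; if it is long-lived, rotate the signing key.' },
  { id: 'hardcoded-password', severity: 'medium',
    re: /\b(?:password|passwd|pwd)['"]?\s*[:=]\s*['"][^'"]{4,}['"]/gi,
    fix: 'Move the value to an environment variable or secret manager and rotate it.' },
  { id: 'generic-secret', severity: 'low',
    re: /\b(?:api[_-]?key|secret|token)['"]?\s*[:=]\s*['"][^'"]{8,}['"]/gi,
    fix: 'Confirm whether this is a live credential; if so, rotate it and externalise it.' },
];

const SEVERITY_RANK = { critical: 0, high: 1, medium: 2, low: 3 };

// Mask the middle of a match so the report itself does not re-expose the value.
function redact(value) {
  if (value.length <= 8) return '*'.repeat(value.length);
  return value.slice(0, 4) + '*'.repeat(value.length - 8) + value.slice(-4);
}

function scanSource(source) {
  const findings = [];
  source.split(/\r?\n/).forEach((line, idx) => {
    // Assumed suppression marker for reviewed false positives (fixtures, docs).
    if (line.includes('secret-scan:ignore')) return;
    const taken = []; // [start, end) spans already reported on this line
    for (const p of PATTERNS) { // PATTERNS is ordered critical -> low
      p.re.lastIndex = 0;
      let m;
      while ((m = p.re.exec(line)) !== null) {
        const start = m.index, end = start + m[0].length;
        // A generic pattern must not re-report a span a stronger pattern already claimed.
        if (taken.some(([s, e]) => start < e && end > s)) continue;
        taken.push([start, end]);
        findings.push({ line: idx + 1, id: p.id, severity: p.severity, match: redact(m[0]), fix: p.fix });
      }
    }
  });
  findings.sort((a, b) => SEVERITY_RANK[a.severity] - SEVERITY_RANK[b.severity] || a.line - b.line);
  return findings;
}

// Counts per severity, the shape a UI badge or a CI gate would consume.
function summarize(findings) {
  const counts = { critical: 0, high: 0, medium: 0, low: 0 };
  for (const f of findings) counts[f.severity] += 1;
  return counts;
}

// Constructed sample input: the AWS value is AWS's documented placeholder key,
// every other value is made up for this example.
const SAMPLE = [
  'const AWS_KEY = "AKIAIOSFODNN7EXAMPLE";',
  'const GH = "ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij";',
  'DATABASE_URL = "postgres://app:hunter2@db.internal:5432/prod"',
  'password = "hunter2"',
  '-----BEGIN RSA PRIVATE KEY-----',
  'const token = "not-a-real-token-value";',
  'const FIXTURE_KEY = "AKIAIOSFODNN7EXAMPLE"; // secret-scan:ignore',
].join('\n');

const REPORT = scanSource(SAMPLE);
console.log(JSON.stringify({ summary: summarize(REPORT), findings: REPORT }, null, 2));
```

The two design points worth copying are the span bookkeeping (so a `token = "..."` line that is really a GitHub PAT is reported once, at the higher severity) and the redaction of matches before they reach the report, since a scanner that echoes the full secret into a CI log has just created a second leak.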

Why Secret Scanning Matters

Leaked credentials in source code are one of the most common security vulnerabilities. Research shows that millions of secrets are leaked on GitHub alone every year. A single exposed API key can lead to unauthorized access, data breaches, and significant financial damage. Companies like Uber, Samsung, and Toyota have all experienced major incidents caused by hardcoded credentials found in source code repositories.

Common Types of Leaked Secrets

AWS access keys (AKIA prefix) grant programmatic access to cloud infrastructure. OpenAI API keys (sk- prefix) can rack up expensive API charges. GitHub personal access tokens (ghp_ prefix) provide repository access. Database connection strings contain hostnames, usernames, and passwords in a single line. Private keys enable SSH access or decrypt sensitive communications. Each of these can cause serious damage if exposed publicly.

Best Practices for Secret Management

Never hardcode secrets in source files. Use environment variables loaded from .env files that are excluded from version control via .gitignore. For production, use dedicated secret managers like AWS Secrets Manager, HashiCorp Vault, or platform-specific secret storage. Implement pre-commit hooks that scan for secrets before code is committed. Rotate any secret that has been accidentally committed to a repository, even if the commit is later deleted — git history preserves the exposure.

What to Do When Secrets Are Found

Immediately revoke and rotate the exposed credential. Remove it from source code and replace with an environment variable reference. Check access logs for any unauthorized usage during the exposure period. Add the credential pattern to your .gitignore or pre-commit hooks to prevent future leaks. Consider using tools like git-secrets or gitleaks as part of your CI/CD pipeline for automated detection.
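The "check access logs for the exposure period" step, as an added example that is not part of the original page: given a leaked key ID, the time of the commit that exposed it and the time it was revoked, the function below separates calls from known-good sources, calls from unfamiliar sources inside the window, and any use after revocation (which means the rotation did not take effect). The audit records are a constructed, simplified CloudTrail-like shape; a real review parses the provider's own log format, and the key IDs are AWS's documented placeholders.

```javascript
// Added example, not the tool's own code: reviewing access logs for the window
// between a leak and its revocation. The log shape below is constructed for the
// example; a real review would parse the provider's actual audit records.

// Constructed audit events; the key IDs are AWS's documented placeholder values,
// the IP addresses are from documentation ranges.
const AUDIT_LOG = [
  '{"time":"2024-03-01T09:12:00Z","keyId":"AKIAIOSFODNN7EXAMPLE","sourceIp":"10.0.0.5","action":"s3:GetObject"}',
  '{"time":"2024-03-02T20:00:00Z","keyId":"AKIAIOSFODNN7EXAMPLE","sourceIp":"10.0.0.5","action":"s3:GetObject"}',
  '{"time":"2024-03-02T22:41:10Z","keyId":"AKIAIOSFODNN7EXAMPLE","sourceIp":"203.0.113.77","action":"iam:ListUsers"}',
  '{"time":"2024-03-02T22:42:03Z","keyId":"AKIAIOSFODNN7EXAMPLE","sourceIp":"203.0.113.77","action":"s3:ListAllMyBuckets"}',
  '{"time":"2024-03-03T08:00:00Z","keyId":"AKIAI44QH8DHBEXAMPLE","sourceIp":"10.0.0.5","action":"s3:GetObject"}',
  '{"time":"2024-03-03T09:30:00Z","keyId":"AKIAIOSFODNN7EXAMPLE","sourceIp":"198.51.100.9","action":"sts:GetCallerIdentity"}',
  'not json at all',
];

// Parse one JSON record per line; malformed lines are kept aside rather than dropped silently.
function parseEvents(lines) {
  const events = [], skipped = [];
  for (const line of lines) {
    try {
      const e = JSON.parse(line);
      if (!e.time || !e.keyId) throw new Error('missing fields');
      events.push({ ...e, t: Date.parse(e.time) });
    } catch {
      skipped.push(line);
    }
  }
  return { events, skipped };
}

function reviewExposure(lines, { keyId, leakedAt, revokedAt, knownSources }) {
  const { events, skipped } = parseEvents(lines);
  const start = Date.parse(leakedAt), end = Date.parse(revokedAt);
  const known = new Set(knownSources);
  const forKey = events.filter(e => e.keyId === keyId);
  const inWindow = forKey.filter(e => e.t >= start && e.t <= end);
  return {
    // Use from an unfamiliar source while the key was exposed: treat as unauthorised.
    suspicious: inWindow.filter(e => !known.has(e.sourceIp)),
    // Any call after revocation means the old key still works: rotation is incomplete.
    afterRevocation: forKey.filter(e => e.t > end),
    // Distinct actions performed with the key during the window, for scoping impact.
    actionsInWindow: [...new Set(inWindow.map(e => e.action))].sort(),
    skipped: skipped.length,
  };
}

const REVIEW = reviewExposure(AUDIT_LOG, {
  keyId: 'AKIAIOSFODNN7EXAMPLE',
  leakedAt: '2024-03-02T18:00:00Z',  // timestamp of the commit that exposed the key (assumed)
  revokedAt: '2024-03-03T09:00:00Z', // when the key was deactivated (assumed)
  knownSources: ['10.0.0.5'],        // assumed known-good egress, e.g. the CI runner
});
console.log(JSON.stringify(REVIEW, null, 2));
```

The window starts at the commit that introduced the secret, not at the moment it was noticed, because git history preserves the exposure from that point on; anything in `afterRevocation` should be investigated before the incident is closed.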