Scans git-tracked files for inlined API keys and secrets. No dependencies — pure Node.js.
Run directly in any git repo:
npx scan-secretsOr install globally:
npm install -g scan-secrets
scan-secrets(no flags) Scan git-tracked files only
--all Scan all files including untracked
--strict Exit code 1 if findings found — use in CI or pre-commit hooks
--json Output findings as JSON
Add to .git/hooks/pre-commit:
#!/bin/sh
npx scan-secrets --strict| Pattern | Examples |
|---|---|
| OpenRouter key | sk-or-v1-... |
| OpenAI key | sk-... |
| Anthropic key | sk-ant-... |
| GitHub PAT | github_pat_..., ghp_... |
| AWS keys | AKIA... |
| JWT tokens | eyJhbGci... |
| n8n encryption key | "encryptionKey": "..." |
| Serper API key | hex string next to SERPER_API_KEY |
| Stripe keys | sk_live_..., pk_test_... |
| Telegram bot token | 1234567890:ABC... |
| Generic bearer tokens | Bearer <40+ char token> |
| Generic hex secrets | api_key = "abc123..." |
${ENV_VAR}references (not inlined)process.env.*references- Comments and placeholder examples
- Binary files,
node_modules,.next, lockfiles
If secrets are found:
- Not yet committed: Move to
.env.localand add to.gitignore - Already committed: Rotate the key immediately, then remove from history using BFG Repo-Cleaner or
git filter-repo
MIT