Skip to content

ayushpalstadia-cloud/scan-secrets

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

3 Commits
 
 
 
 
 
 
 
 

Repository files navigation

scan-secrets

Scans git-tracked files for inlined API keys and secrets. No dependencies — pure Node.js.

Usage

Run directly in any git repo:

npx scan-secrets

Or install globally:

npm install -g scan-secrets
scan-secrets

Options

(no flags)    Scan git-tracked files only
--all         Scan all files including untracked
--strict      Exit code 1 if findings found — use in CI or pre-commit hooks
--json        Output findings as JSON

Pre-commit hook

Add to .git/hooks/pre-commit:

#!/bin/sh
npx scan-secrets --strict

What it detects

Pattern Examples
OpenRouter key sk-or-v1-...
OpenAI key sk-...
Anthropic key sk-ant-...
GitHub PAT github_pat_..., ghp_...
AWS keys AKIA...
JWT tokens eyJhbGci...
n8n encryption key "encryptionKey": "..."
Serper API key hex string next to SERPER_API_KEY
Stripe keys sk_live_..., pk_test_...
Telegram bot token 1234567890:ABC...
Generic bearer tokens Bearer <40+ char token>
Generic hex secrets api_key = "abc123..."

What it skips

  • ${ENV_VAR} references (not inlined)
  • process.env.* references
  • Comments and placeholder examples
  • Binary files, node_modules, .next, lockfiles

Fix guide

If secrets are found:

  1. Not yet committed: Move to .env.local and add to .gitignore
  2. Already committed: Rotate the key immediately, then remove from history using BFG Repo-Cleaner or git filter-repo

License

MIT

About

Scan git-tracked files for inlined API keys and secrets

Resources

Stars

0 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors