RestingOwl

Secret & Credential Scanner

Paste code, config files, or environment files to detect exposed secrets. Scans for AWS keys, GitHub tokens, Stripe keys, database connection strings, hardcoded passwords and more. Nothing leaves your browser.


What gets detected

AWS Access Key ID: AKIA… pattern (Critical)
GitHub Tokens: ghp_ / gho_ / github_pat_ (Critical)
Stripe Secret Key: sk_live_ / sk_test_ (Critical)
PEM Private Key: BEGIN PRIVATE KEY (Critical)
Database URLs: postgres:// mongodb:// mysql:// (Critical)
Slack User Token: xoxp- pattern (Critical)
Slack Bot/App Token: xoxb- / xapp- pattern (High)
Google API Key: AIza… pattern (High)
SendGrid API Key: SG.… pattern (High)
Hardcoded Password: password = "…" (High)
Hardcoded API Key: api_key = "…" (High)
Hardcoded Secret: secret = "…" (High)
NPM Auth Token: _authToken = … (High)
GitHub Actions Token: ghs_ pattern (High)
Stripe Publishable Key: pk_live_ / pk_test_ (Medium)
JWT Token: eyJ… format (Medium)

Common questions

No. All scanning runs entirely in your browser using JavaScript regex patterns. Nothing you paste is transmitted anywhere — not even anonymised analytics.
Pattern-based scanners produce false positives. Example values in documentation, test fixtures, or placeholder strings can match the patterns. Always verify each finding in context.
No. This tool covers 19+ high-confidence patterns — AWS, GitHub, Stripe, Google, Slack, SendGrid, database URLs, PEM keys, and hardcoded credentials. Entropy-based scanning (which finds random-looking strings without a known prefix) is not included.
Rotate it immediately — even if the commit was never pushed to a public repo. Treat it as compromised from the moment it was written. Then move it to environment variables or a secrets manager like Vault, AWS Secrets Manager, or Doppler.
This is a browser-based tool. For CI pipelines, look at truffleHog, gitleaks, or detect-secrets — they are purpose-built for automated scanning of git history and file trees.
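
The regex matching and the false-positive caveat described above, as an added example that is not RestingOwl's own code: a small client-side style scanner for five of the listed patterns that redacts what it reports and marks documentation samples and template variables for review. The regexes, the `PLACEHOLDER` heuristic, and the names `RULES`, `redact` and `scan` are assumptions, and the sample input is constructed.

```javascript
// Added example. The regexes are assumptions drawn from publicly documented
// token formats; they are not RestingOwl's actual rule set.
const RULES = [
  { id: "aws-access-key-id", severity: "Critical", re: /\bAKIA[0-9A-Z]{16}\b/g },
  { id: "github-token", severity: "Critical", re: /\b(?:ghp|gho)_[A-Za-z0-9]{36}\b/g },
  { id: "pem-private-key", severity: "Critical", re: /-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----/g },
  // Assumption: only flag database URLs that embed user:password credentials.
  { id: "database-url", severity: "Critical",
    re: /\b(?:postgres|mongodb|mysql):\/\/[^\s:@\/]+:[^\s@\/]+@[^\s"']+/g },
  { id: "hardcoded-password", severity: "High",
    re: /\bpassword\s*[:=]\s*["']([^"'\n]{4,})["']/gi },
];

// Hypothetical heuristic: values that look like documentation samples,
// template variables or filler are marked for review, never silently dropped.
const PLACEHOLDER = /EXAMPLE|changeme|your[_-]|^\$\{.*\}$|^<.*>$|x{4,}/i;

// Never echo a full secret back into a report or log.
const redact = (v) => `${v.slice(0, 4)}…(${v.length} chars)`;

function scan(text) {
  const findings = [];
  for (const rule of RULES) {
    for (const m of text.matchAll(rule.re)) {
      const value = m[1] ?? m[0]; // captured value if the rule has one
      findings.push({
        rule: rule.id,
        severity: rule.severity,
        line: text.slice(0, m.index).split("\n").length,
        preview: redact(value),
        likelyPlaceholder: PLACEHOLDER.test(value),
      });
    }
  }
  return findings.sort((a, b) => a.line - b.line);
}

// Constructed sample input; none of these values is a real credential.
const SAMPLE = [
  "aws_access_key_id = AKIAIOSFODNN7EXAMPLE",     // AWS documentation sample
  "aws_access_key_id = AKIA" + "Z7Q2".repeat(4),  // constructed, random-looking
  "DATABASE_URL=postgres://app:s3cr3tpw@db.internal:5432/orders",
  'password = "changeme"',
  'password: "${DB_PASSWORD}"',
].join("\n");

for (const f of scan(SAMPLE)) console.log(f);
```

All five sample lines match a rule, but only the second and third are left unmarked as likely placeholders, which is the triage a reviewer still has to confirm in context.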