About Secrets Scanner

Scan text/code for leaked API keys, tokens, and credentials. Part of the DevTools Surf developer suite. Browse more tools in the Security / Crypto collection.

Use Cases

• Pre-commit check for accidentally pasted API keys
• Audit a log file before sharing publicly
• Scrub env files before committing to version control
• Scan dependency READMEs before merging third-party code

Tips

• Paste entire files — it scans line by line
• Detects AWS keys, GitHub tokens, Stripe keys, JWTs, and more
• Results show severity and line numbers

Fun Facts

• GitHub scans over 200 million commits per year for leaked secrets. In 2023, they detected over 100 million leaked credentials in public repositories.
• The average cost of a leaked credential that gets exploited is $4.45 million according to IBM's 2023 Cost of a Data Breach report.
• AWS access keys are the most commonly leaked secret type on GitHub, followed by Google API keys and Slack webhooks.

FAQ

What patterns does it detect?

50+ known patterns: AWS access keys, GitHub tokens, Slack webhooks, Stripe keys, private keys, JWTs, OpenAI keys, etc. Uses the same regex set as trufflehog.

False positives?

Common. Test credit card numbers, example API keys in docs, or UUIDs that match an ID pattern. The tool notes confidence levels; verify before panicking.

Should I use this in CI?

For quick pre-commit checks yes. For CI, use trufflehog, gitleaks, or similar — they integrate better and maintain pattern lists.

Does it scan image files?

No — text only. For image-embedded secrets (screenshots of keys), OCR first, then scan the extracted text.