How to use the Secrets Scanner
Paste any code, configuration, log, .env file, JSON payload, HTTP headers, HAR snippet, XML / SOAP message, or URL with query parameters, pick a preset, and click Scan. The Secrets Scanner detects AWS / GCP / Azure credentials, GitHub / GitLab tokens, Stripe / OpenAI / Slack / SendGrid / Twilio keys, JWTs, Bearer tokens, private keys, database connection strings, cookies, and high-entropy strings — then applies your chosen redaction strategy and produces a sanitized copy. Useful before committing, sharing logs, pasting into chat, or attaching files to a ticket.
How to use it
- Paste the content you want to share (code, log, JSON, .env, headers, URL, HAR snippet).
- Pick a preset (commit safety, ticket / PR, LLM-prompt safe, log share).
- Pick a redaction mode: replace, mask, remove, consistent token, hash, or format-preserving mask.
- Click Scan. Review the findings — type, severity, and location.
- Toggle off false positives, copy or download the sanitized output, and hand off to another tool if needed.
- If a real secret was detected, rotate it immediately at the provider — detection is not remediation.
When to use it
- Before pasting a config or log into a Slack / Teams / Discord channel.
- Before attaching a file to a Jira / Linear / GitHub ticket.
- Before sharing a sample with a teammate, vendor, or support engineer.
- Before sending a snippet to an AI assistant (ChatGPT, Claude, Copilot).
- Pre-commit: paste the diff to check for accidental tokens.
- After an incident: scan the leaked artifact to confirm what was exposed.
What it detects
- Authentication & OAuth tokens: JWT, Bearer, Basic auth, access / refresh / id tokens, client_secret, session and CSRF tokens.
- Cloud credentials: AWS access key ID / secret / session token, Azure connection strings, Google API keys, GCP service-account private keys.
- Provider-specific keys: OpenAI, GitHub (classic & fine-grained), GitLab, Slack, Stripe, SendGrid, Twilio, Mailgun, NPM, PyPI, Datadog, Sentry DSN, Cloudflare-like, Heroku, Docker.
- Passwords: password / passwd / pwd / db_password / smtp_password / keystore_password assignments in code or config.
- Private keys & cryptographic material: PEM-encoded private keys (RSA / EC / DSA / OpenSSH / PGP), SSH key payloads.
- Connection strings: PostgreSQL, MySQL, MongoDB, Redis, AMQP, SMTP, JDBC, S3 / Azure storage with credentials.
- Cookies & sessions: Cookie / Set-Cookie headers, JSESSIONID, PHPSESSID, connect.sid, remember_token.
- URL query secrets: access_token, id_token, refresh_token, code, client_secret, api_key, token, sig, signature, X-Amz-Signature, signed URLs.
- Unknown high-entropy strings: opaque base64 / hex / random-looking values with key-name context boosts.
How it redacts
- Replace with a typed placeholder ([AWS_ACCESS_KEY_REDACTED]).
- Mask while preserving a small prefix and suffix (sk_live_****3456).
- Remove the value entirely (keys / headers stay intact).
- Consistent token: the same secret maps to the same token (token_001) within the session, so logs stay correlatable without exposing real values.
- Hash the value with a local non-cryptographic digest. Treat the result as a fingerprint only: a low-entropy value (a short password, a predictable ID) is recovered by hashing guesses until one matches, so this mode correlates values without protecting them.
- Format-preserving mask: keeps provider prefixes (AKIA…EXAMPLE) or URL structure where useful.
Format-aware scanning
JSON values are scanned and the output is re-serialized as valid JSON. .env / properties keep keys and comments while values are masked. HTTP headers preserve names; Set-Cookie values are masked while attributes are kept. URLs keep host / path / non-secret parameters and only mask secret query values. HAR snippets, XML/SOAP, and YAML fall back to text-level redaction with structure preserved on a best-effort basis — for full HAR cleanup, use the HAR Sanitizer.
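The detection, redaction and format-aware handling described in the three sections above, as an added example in plain JavaScript (the language the in-browser tool would be written in). This is not the Secrets Scanner's own code: the rule set, the entropy threshold of 3.5 bits per character, the FNV-1a fingerprint, the helper names (findSecrets, redact, sanitizeEnv, sanitizeJson, sanitizeUrl) and all sample inputs are hypothetical, constructed for the demonstration; the real tool's rule list is far broader than the five regexes here.

```javascript
// Added example, not the Secrets Scanner's own code: rules, helpers and sample inputs are hypothetical.
const RULES = [   // earlier rules win when matches overlap, so specific provider patterns come first
  { type: "AWS_ACCESS_KEY", severity: "high", re: /\b(?:AKIA|ASIA)[0-9A-Z]{16}\b/g },
  { type: "STRIPE_KEY", severity: "high", re: /\bsk_(?:live|test)_[0-9a-zA-Z]{16,}\b/g },
  { type: "JWT", severity: "high", re: /\beyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\b/g },
  { type: "BEARER_TOKEN", severity: "high", re: /(?<=\bBearer\s+)[A-Za-z0-9._~+\/-]{16,}=*/g },
  { type: "PASSWORD_ASSIGNMENT", severity: "medium", re: /(?<=\b(?:db_|smtp_)?(?:password|passwd|pwd)\s*[=:]\s*["']?)[^\s"'&]{6,}/gi },
];
const SENSITIVE_KEY = /(password|passwd|pwd|secret|token|api_?key|private_key|auth)/i;
const SECRET_PARAMS = new Set(["access_token", "id_token", "refresh_token", "code", "client_secret", "api_key", "token", "sig", "signature", "x-amz-signature"]);
// Shannon entropy in bits per character: random base64 scores above 4, hex tops out at 4.
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  return [...counts.values()].reduce((h, c) => h - (c / s.length) * Math.log2(c / s.length), 0);
}
// FNV-1a, a non-cryptographic digest: fine for correlating values, useless as protection.
function fnv1a(s) {
  let h = 0x811c9dc5;
  for (let i = 0; i < s.length; i++) h = Math.imul(h ^ s.charCodeAt(i), 0x01000193) >>> 0;
  return h.toString(16).padStart(8, "0");
}
// Sorted, non-overlapping findings {type, severity, start, end, value}. contextKey is the enclosing
// key name (.env / JSON); allowlist regexes suppress known false positives such as request IDs.
function findSecrets(text, { entropyThreshold = 3.5, contextKey = "", allowlist = [] } = {}) {
  const findings = [];
  const add = (type, severity, start, end, value) => {
    const owned = findings.some((f) => start < f.end && end > f.start);   // an earlier rule already claimed this span
    if (!owned && !allowlist.some((re) => re.test(value))) findings.push({ type, severity, start, end, value });
  };
  for (const rule of RULES)
    for (const m of text.matchAll(rule.re)) add(rule.type, rule.severity, m.index, m.index + m[0].length, m[0]);
  // Unknown high-entropy strings: opaque base64 / hex-like runs; a key name just before them lowers the bar.
  for (const m of text.matchAll(/[A-Za-z0-9+\/_-]{20,}={0,2}/g)) {
    const before = text.slice(Math.max(0, m.index - 24), m.index) + " " + contextKey;
    const boosted = /(key|secret|token|password|passwd|pwd)/i.test(before);
    if (shannonEntropy(m[0]) >= entropyThreshold - (boosted ? 0.5 : 0))
      add("HIGH_ENTROPY", boosted ? "medium" : "low", m.index, m.index + m[0].length, m[0]);
  }
  // A value stored under a secret-looking key is a finding even when no pattern matched it.
  if (findings.length === 0 && SENSITIVE_KEY.test(contextKey) && text.trim().length >= 4)
    add("NAMED_SECRET", "medium", 0, text.length, text);
  return findings.sort((a, b) => a.start - b.start);
}
// Redaction strategies, keyed by the mode names the page uses.
const REDACTORS = {
  replace: (f) => `[${f.type}_REDACTED]`,
  mask: (f) => (f.value.length >= 16 ? `${f.value.slice(0, 4)}****${f.value.slice(-4)}` : "****"),
  remove: () => "",
  token: (f, state) => {   // the same secret maps to the same token within one session (the state object)
    if (!state.tokens.has(f.value)) state.tokens.set(f.value, `token_${String(state.tokens.size + 1).padStart(3, "0")}`);
    return state.tokens.get(f.value);
  },
  hash: (f) => `fp_${fnv1a(f.value)}`,   // fingerprint only; a low-entropy value is recoverable by guessing
};
// Splices replacements into the text; everything outside the findings is left untouched.
function redact(text, findings, mode, state = { tokens: new Map() }) {
  let out = "", cursor = 0;
  for (const f of findings) { out += text.slice(cursor, f.start) + REDACTORS[mode](f, state); cursor = f.end; }
  return out + text.slice(cursor);
}
// .env / properties: keys and comments stay; only the value is scanned, with the key name as context.
function sanitizeEnv(text, mode, state = { tokens: new Map() }) {
  return text.split("\n").map((line) => {
    const m = /^(\s*[A-Za-z_][A-Za-z0-9_.]*\s*=\s*)(.*)$/.exec(line);
    if (!m || /^\s*#/.test(line)) return line;
    return m[1] + redact(m[2], findSecrets(m[2], { contextKey: m[1] }), mode, state);
  }).join("\n");
}
// JSON: each string value is scanned under its key, then the object is re-serialized as valid JSON.
function sanitizeJson(text, mode, state = { tokens: new Map() }) {
  const walk = (node, key) => {
    if (typeof node === "string") return redact(node, findSecrets(node, { contextKey: key }), mode, state);
    if (Array.isArray(node)) return node.map((n) => walk(n, key));
    if (node && typeof node === "object") return Object.fromEntries(Object.entries(node).map(([k, v]) => [k, walk(v, k)]));
    return node;
  };
  return JSON.stringify(walk(JSON.parse(text), ""), null, 2);
}
// URL: host, path and non-secret parameters are kept; only secret-named query values are redacted.
function sanitizeUrl(url, mode, state = { tokens: new Map() }) {
  const u = new URL(url);
  const parts = [...u.searchParams].map(([k, v]) => `${k}=${SECRET_PARAMS.has(k.toLowerCase())
    ? REDACTORS[mode]({ type: `URL_${k.toUpperCase()}`, value: v }, state) : encodeURIComponent(v)}`);
  u.search = parts.length ? `?${parts.join("&")}` : "";
  return u.toString();
}
// Constructed sample inputs; none of these are real credentials.
const JWT = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIn0.mockSignatureMockSignatureMockSig";
const SAMPLE_LOG = [
  "2024-05-01 INFO aws_access_key_id=AKIAIOSFODNN7EXAMPLE",
  `Authorization: Bearer ${JWT}`,
  'db_password="s3cret-p4ssw0rd"',
  "request_id=8f14e45f-ceea-4a0c-9d71-2b0d5c6e1a72",
  "retrying with AKIAIOSFODNN7EXAMPLE",
].join("\n");
const SAMPLE_ENV = "# database\nDB_HOST=db.internal\nDB_PASSWORD=s3cret-p4ssw0rd\nSTRIPE_KEY=sk_live_51Hx9mockmockmock2024\n";
const SAMPLE_JSON = `{"user":"alice","password":"s3cret-p4ssw0rd","headers":{"Authorization":"Bearer ${JWT}"}}`;
const SAMPLE_URL = "https://api.example.com/v1/items?page=2&access_token=ya29.mockmockmockmock1234&sig=abc123def456";
const UUID_ALLOWLIST = [/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i];
```

Three design points carry over to any scanner of this kind. Rule order decides the reported type when spans overlap: the JWT rule claims the Authorization header value before the generic Bearer rule sees it, so a practitioner sees "JWT" rather than "Bearer token". The key name travels with the value as context, which is why `redact(SAMPLE_LOG, findSecrets(SAMPLE_LOG), "token")` and `sanitizeEnv(SAMPLE_ENV, "replace")` both flag the password even though the bare value "s3cret-p4ssw0rd" is too short for the entropy heuristic. And the request ID in the sample log trips that heuristic exactly as the FAQ warns; passing `{ allowlist: UUID_ALLOWLIST }` removes that one finding without raising the threshold for everything else.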
What to do when a real secret is found
- Rotate or revoke the secret immediately at the provider — detection alone is not remediation.
- Check audit / access logs for suspicious use.
- If the secret was committed to Git, rewrite history (e.g. git filter-repo) and force-push, but treat the secret as compromised regardless: clones, forks, CI caches, and third-party scanners may already hold the old commits, and a rewrite does not revoke anything.
- Move secrets to a secret manager (AWS Secrets Manager, GCP Secret Manager, Vault, 1Password, etc.) and inject them as environment variables at runtime.
- Scope credentials minimally and prefer short-lived tokens.
FAQ
- Does this upload my data? No. Detection, redaction, tokenization, hashing, reports, and handoffs all happen in your browser. There are no network calls, no AI calls, and no provider validation.
- Is this a replacement for GitHub secret scanning or enterprise DLP? No. This is a pre-share developer helper. Use it before pasting into tickets, chat, AI prompts, or screenshots — not as a compliance control.
- Why are there false positives? Pattern-based detection accepts some noise in exchange for coverage: it is better to over-flag than to miss a credential. UUIDs, hashes, base64 blobs, and request IDs can trip entropy heuristics. Use the allowlist or tune the entropy threshold.
- Why is client_id not flagged but client_secret is? Client IDs are usually public identifiers; client secrets are credentials and must never be shared.
- Can it scan .env files without breaking them? Yes. Keys and comments stay; only values are masked / removed / tokenized.
- Can I add custom secret patterns? Yes — add a regex under "Custom rules & allowlist". Risky / invalid regexes are blocked.
Runs locally in your browser. No uploads. No analytics on pasted content. Pattern-based scanning can miss secrets and produce false positives — always review findings before sharing.