Secret Leak Scanner
Scan code for leaked API keys, tokens and credentials — entirely in your browser.
3 findings
| Line | Rule | Severity | Match |
|---|---|---|---|
| 2 | AWS access keys | critical | AKIA…MPLE |
| 3 | Anthropic keys | critical | sk-a…A4sZ |
| 4 | High-entropy token | medium | DB_P…iL6o |
Fix: rotate the credential at the provider first, then scrub git history (git filter-repo / BFG), then move secrets to a vault or environment injection.
Add this scan to pre-commit

```yaml
# .pre-commit-config.yaml
repos:
  - repo: https://github.com/gitleaks/gitleaks
    rev: v8.21.2
    hooks:
      - id: gitleaks
# then: pip install pre-commit && pre-commit install
```

How it works
Paste any code, diff or config file and this scanner checks it for leaked credentials — entirely inside your browser. Nothing you paste is transmitted, stored or logged anywhere; the rules run as plain JavaScript against the text in the box. That privacy property is the whole point: a secret scanner that uploads your secrets to scan them would be solving the problem by causing it.
Detection works in two layers. The first is a set of pattern rules built on the prefixes vendors deliberately stamp onto credentials so they can be recognized: AWS access keys start with AKIA, Anthropic keys with sk-ant-, OpenAI keys with sk-, GitHub personal access tokens with ghp_, JWTs with eyJ, and PEM private keys announce themselves with a BEGIN PRIVATE KEY banner. These rules are precise — a match is almost certainly a real credential. The second layer is statistical: any token of twenty or more characters whose Shannon entropy exceeds 4.5 bits per character is flagged as a possible generated secret, because human-written identifiers and English words are far more predictable than random key material.
Findings are listed with the line number, a severity level, and a masked preview showing only the first and last four characters — enough to identify which credential leaked without re-displaying it in full. Each ruleset can be toggled independently, so you can silence the noisier entropy heuristic when scanning files full of hashes or base64 assets. A clean scan shows a quiet confirmation rather than confetti; absence of findings is the expected state, not an achievement.
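The two layers described above, together with the masked preview and the per-ruleset toggle, can be written down in a few dozen lines. The following JavaScript is an added illustration, not the scanner's own code: the rule names and the entropy parameters (20+ characters, above 4.5 bits per character) come from this page, while the regular expressions, function names and the sample `.env` text are assumptions. The AWS key in the sample is the publicly documented AWS example key; every other value is constructed.

```javascript
// Added example (not the page's own scanner code): a minimal two-layer
// secret scanner following the page's description. Rule names and the
// entropy parameters come from the page; the regexes, function names and
// sample input below are assumptions / constructed for this demonstration.

// Layer 1: precise prefix rules. Patterns are illustrative approximations
// of each vendor's documented prefix, not authoritative formats.
const PREFIX_RULES = [
  { name: "AWS access keys", severity: "critical", re: /\bAKIA[0-9A-Z]{16}\b/g },
  { name: "Anthropic keys", severity: "critical", re: /\bsk-ant-[A-Za-z0-9_-]{20,}/g },
  { name: "GitHub tokens", severity: "critical", re: /\bghp_[A-Za-z0-9]{36}\b/g },
  { name: "JWT", severity: "high", re: /\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+/g },
  { name: "PEM private key", severity: "critical", re: /-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----/g },
];

// Layer 2: statistical rule. Candidate tokens are runs of base64/URL-safe
// characters; only those of ENTROPY_MIN_LEN or more are scored.
const ENTROPY_MIN_LEN = 20;
const ENTROPY_THRESHOLD = 4.5; // bits per character
const TOKEN_RE = /[A-Za-z0-9+\/_-]+={0,2}/g;

// Shannon entropy of a string in bits per character.
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let bits = 0;
  for (const n of counts.values()) {
    const p = n / s.length;
    bits -= p * Math.log2(p);
  }
  return bits;
}

// Masked preview: first and last four characters only, as in the results table.
function mask(secret) {
  if (secret.length <= 8) return "*".repeat(secret.length);
  return `${secret.slice(0, 4)}…${secret.slice(-4)}`;
}

// Scan text line by line. `entropy: false` silences the statistical layer,
// mirroring the page's per-ruleset toggle.
function scan(text, { entropy = true } = {}) {
  const findings = [];
  text.split(/\r?\n/).forEach((line, idx) => {
    const lineNo = idx + 1;
    const covered = []; // [start, end) spans already claimed by a prefix rule
    for (const rule of PREFIX_RULES) {
      for (const m of line.matchAll(rule.re)) {
        covered.push([m.index, m.index + m[0].length]);
        findings.push({ line: lineNo, rule: rule.name, severity: rule.severity, match: mask(m[0]) });
      }
    }
    if (!entropy) return; // entropy ruleset toggled off for this scan
    for (const m of line.matchAll(TOKEN_RE)) {
      const tok = m[0];
      const start = m.index, end = start + tok.length;
      if (tok.length < ENTROPY_MIN_LEN) continue;
      // A token already reported by a precise rule is not reported twice.
      if (covered.some(([a, b]) => start < b && end > a)) continue;
      if (shannonEntropy(tok) > ENTROPY_THRESHOLD) {
        findings.push({ line: lineNo, rule: "High-entropy token", severity: "medium", match: mask(tok) });
      }
    }
  });
  return findings;
}

// Constructed sample input. The AWS key is the publicly documented AWS
// example key; every other value is made up for this demonstration.
const SAMPLE = [
  "# .env (constructed sample, not real credentials)",
  "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",
  "DB_PASSWORD=aB3dE5fG7hJ9kL1mN2pQ4rS6tU8vW0xY",
  "APP_NAME=my-application-service",
  "-----BEGIN PRIVATE KEY-----",
].join("\n");

// Stand-alone run: one masked finding per line.
for (const f of scan(SAMPLE)) {
  console.log(`line ${f.line}\t${f.rule}\t${f.severity}\t${f.match}`);
}
```

Two details are worth noticing. The AWS key on line 2 is reported once, by the precise rule, because spans claimed by a prefix rule are excluded from the entropy pass; and `my-application-service`, although 22 characters long, scores well under 4.5 bits per character and is left alone, which is exactly the distinction between human-written identifiers and random key material that the second layer relies on.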
The right long-term fix is to make this scan automatic. The pre-commit snippet below the results wires gitleaks into your repository so every commit is checked before it enters history, where removal is cheap. And remember the cardinal rule when something is found: rotate the credential first, rewrite git history second — a scrubbed history does nothing if the key itself still works.
Frequently asked questions
How does the scanner detect secrets?
Two complementary methods run locally in your browser. Pattern rules match the documented prefixes vendors stamp on credentials — AKIA for AWS access keys, sk-ant- for Anthropic, ghp_ for GitHub tokens, eyJ for JWTs, and PEM private-key block headers. The entropy rule catches everything else: any token of 20+ characters whose Shannon entropy exceeds 4.5 bits per character looks random enough to be a generated secret rather than ordinary code.
Will I get false positives?
The entropy rule will occasionally flag hashes, base64-encoded assets, lockfile integrity strings and minified identifiers — anything long and random-looking. That is by design: for a pre-commit safety net, a false positive costs you five seconds of review while a false negative costs you a credential rotation and an incident writeup. Prefix-based rules are far more precise; treat entropy findings as prompts to look, not verdicts.
I found a leaked key — what are the exact rotation steps?
Rotate first, clean up second. Generate a replacement credential in the provider's console, deploy it to your secret manager, verify services pick it up, then revoke the leaked key. Only then scrub git history (git filter-repo or BFG) — history rewriting without revocation is security theater, because anyone who cloned or forked before the rewrite still has the secret. Finally, check provider audit logs for use of the leaked key.
Is my code actually private when I paste it here?
Yes. Every regex and entropy calculation runs in your browser's JavaScript engine — open devtools' network tab and you'll see zero requests fire as you type. Nothing is uploaded, logged or stored; closing the tab destroys the text. This matters more for a secret scanner than any other tool category, since the input is by definition the most sensitive text you handle.
How do I prevent leaks before they reach a commit?
Add a pre-commit hook so scanning happens automatically where it is cheapest — before the secret ever enters history. The snippet below the results wires gitleaks into a pre-commit config, which mirrors and extends the rules used here. Pair it with a CI-side scan as a second net, and keep real credentials in a secret manager with per-environment injection so they never appear in tracked files at all.
Built by FORG — AI cost observability for agentic coding. Free tools, no signup, nothing leaves your browser.