Secret Scanner for Code and Config
Paste any code, config file or log and instantly find leaked credentials. Secret Scanner matches well-known patterns for AWS, GitHub, Stripe, Google, Slack, npm, SendGrid, JWTs and private keys, all in your browser. Every match is redacted so nothing sensitive is shown in full.
How to scan for leaked secrets
- Paste your code, config or log into the editor.
- Review the findings list: each finding shows the secret type, severity and the line it was found on.
- Rotate any real key that was leaked, then remove it from source control.
Examples
Catch a hard-coded AWS key
const aws_key = "AKIAIOSFODNN7EXAMPLE";
AWS Access Key ID (high) on line 1, match redacted as AKIA...MPLE
Frequently asked questions
Is my code uploaded anywhere?
No. Scanning happens 100% in your browser using JavaScript. Your code, keys and config never leave your device and nothing is sent to a server.
What kinds of secrets does it detect?
Well-known credential formats: AWS access keys, GitHub and npm tokens, Stripe secret keys, Google API keys and OAuth tokens, Slack and Twilio tokens, SendGrid keys, JSON Web Tokens, private key blocks, and generic key/secret/password assignments.
Can it miss secrets or flag false positives?
Yes. It relies on signature patterns, so custom or obfuscated secrets may be missed, and a random string that matches a known shape can be flagged. Treat it as a fast first pass, not proof a file is clean.
A real secret showed up. What should I do?
Treat it as compromised. Rotate or revoke the key immediately at the provider, then remove it from your code and history (committed secrets stay in git history until rewritten).
Are the matches shown in full?
No. Every detected value is redacted to its first and last four characters (shorter values are fully masked), so you can recognize the secret without exposing it on screen.
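The example above ("Catch a hard-coded AWS key") and the redaction rule just described can be reproduced with a small signature-based scanner. The block below is an added illustration, not the tool's own source: the regexes, severity labels, the eight-character threshold for full masking and the sample input are assumptions chosen from widely documented credential formats, and every line of SAMPLE is constructed for this example.

```javascript
// Added example: a minimal signature-based secret scanner with redaction.
// Not the tool's own code. The patterns, severities and thresholds below are
// assumptions drawn from widely documented credential formats.

// Each signature: a label, a severity and a regex whose capture group 1 is
// treated as the secret value.
const SIGNATURES = [
  // AWS access key IDs: "AKIA" followed by 16 uppercase alphanumerics.
  { type: "AWS Access Key ID", severity: "high", re: /\b(AKIA[0-9A-Z]{16})\b/g },
  // GitHub personal access tokens (classic): "ghp_" plus 36 alphanumerics.
  { type: "GitHub Token", severity: "high", re: /\b(ghp_[A-Za-z0-9]{36})\b/g },
  // A JWT is three base64url segments; the header segment starts with "eyJ".
  { type: "JSON Web Token", severity: "medium",
    re: /(eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+)/g },
  // PEM private key header; the block itself may continue on later lines.
  { type: "Private Key", severity: "high",
    re: /(-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----)/g },
  // Generic assignment such as password = "..." or api_key: '...'. The
  // minimum value length of 8 is an assumption; shorter secrets are missed.
  { type: "Generic Secret Assignment", severity: "low",
    re: /(?:password|passwd|secret|api[_-]?key|token)\s*[:=]\s*["']([^"']{8,})["']/gi },
];

// Redact to the first and last four characters. Values of eight characters
// or fewer are fully masked (the threshold is an assumption).
function redact(value) {
  if (value.length <= 8) return "*".repeat(value.length);
  return `${value.slice(0, 4)}...${value.slice(-4)}`;
}

// Scan text line by line and return findings, highest severity first.
function scan(text) {
  const findings = [];
  const lines = text.split(/\r?\n/);
  lines.forEach((line, i) => {
    for (const sig of SIGNATURES) {
      sig.re.lastIndex = 0; // reset global-regex state between lines
      let m;
      while ((m = sig.re.exec(line)) !== null) {
        findings.push({
          type: sig.type,
          severity: sig.severity,
          line: i + 1,
          redacted: redact(m[1]), // only the redacted form is ever kept
        });
      }
    }
  });
  const rank = { high: 0, medium: 1, low: 2 };
  findings.sort((a, b) => rank[a.severity] - rank[b.severity] || a.line - b.line);
  return findings;
}

// Render one finding in the same shape as the page's example output.
function format(f) {
  return `${f.type} (${f.severity}) on line ${f.line}, match redacted as ${f.redacted}`;
}

// Constructed sample input. Line 1 is the page's own example; the rest are
// placeholders, not real credentials.
const SAMPLE = [
  'const aws_key = "AKIAIOSFODNN7EXAMPLE";',
  "GITHUB_TOKEN=ghp_" + "a".repeat(36),
  'password = "hunter2"', // 7 characters: below the generic rule's minimum, so missed
  'db_password = "correct-horse-battery"',
  "Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxIn0.c2lnbmF0dXJl",
].join("\n");

for (const f of scan(SAMPLE)) console.log(format(f));
```

Two things the sample shows that the FAQ only states: the seven-character password on line 3 is never reported because the generic rule needs a minimum length, which is the kind of miss a signature scanner has, and the documentation key on line 1 is reported as a high-severity AWS key even though it is AWS's published example value, which is the false-positive side. Note also that the scanner never stores the full matched value; only the redacted form reaches the findings list.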
Related tools
Security Headers Analyzer
Paste raw HTTP response headers and get a graded report of your security headers, with severity ratings and copy-paste fixes. Runs in your browser.
CSP Analyzer
Paste a Content-Security-Policy header and get it parsed into directives and audited for weaknesses, with severity and fixes. Runs in your browser.
Hash Identifier
Identify the likely hash algorithm of a string by its length, character set and prefix. Detects MD5, SHA, bcrypt and more. Runs in your browser.
JWT Decoder
Decode a JSON Web Token to read its header and payload claims. Shows exp, iat and nbf as dates. Runs in your browser. No signature check.
AES Encryption
Encrypt and decrypt text with AES-GCM and a password. Uses 256-bit keys derived with PBKDF2, runs entirely in your browser, and nothing is uploaded.
CVSS Calculator
Calculate a CVSS v3.1 base score and severity from the eight base metrics. Build the vector string and see how each choice moves the score, in your browser.