Interactive Security Tool

Secret Scanner

Scan your code for accidentally exposed secrets, API keys, tokens, private keys, database URLs, and credentials before they leak.

Get the CLI Tool

Run the secret scanner locally as an MCP server, or try it online below.

npx @clinetools/secret-scanner
Requires Node.js 18+
  • 40+ secret patterns — AWS, GitHub, OpenAI, Stripe, and more
  • Line-number reporting for every finding
  • Remediation advice per secret type
  • AWS, GitHub, OpenAI, Stripe key support
  • Zero config — just run with npx

How to Use It

Three ways to scan for exposed secrets — pick the one that fits your workflow.

1. Try Online

Use the interactive demo below to paste code and scan for secrets — no install needed.

2. Use via CLI

Run as a local MCP server and connect any MCP-compatible client.

npx @clinetools/secret-scanner

3. Add to Cline / Claude Code

Add the tool to your MCP settings for instant access from your AI assistant.

"secret-scanner": { "command": "npx", "args": ["@clinetools/secret-scanner"] }

MCP Client Configuration

{
  "mcpServers": {
    "secret-scanner": {
      "command": "npx",
      "args": ["@clinetools/secret-scanner"]
    }
  }
}

Example: scan_secrets — clean code

// Call the tool with source code:
scan_secrets({ code: "APP_NAME=my-app\nPORT=3000\nLOG_LEVEL=info" })

// Output:
{
  "total_secrets": 0,
  "findings": [],
  "summary": "No secrets detected. Your code looks clean."
}

Example: scan_secrets — leaked secrets (4 findings)

// Call with code containing secrets:
scan_secrets({ code: "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n..." })

// Output:
{
  "total_secrets": 4,
  "findings": [
    {
      "type": "AWS Access Key ID",
      "severity": "critical",
      "line": 1,
      "match": "AKIAI************MPLE",
      "fix": "Deactivate in AWS IAM console. Create a new key pair."
    },
    {
      "type": "AWS Secret Access Key",
      "severity": "critical",
      "line": 2,
      "match": "wJalrX********************LEKEY",
      "fix": "Rotate in IAM immediately. Use IAM roles instead."
    },
    {
      "type": "GitHub Token",
      "severity": "critical",
      "line": 4,
      "match": "ghp_AB**************************f1234",
      "fix": "Revoke at GitHub Settings > Personal access tokens."
    },
    {
      "type": "OpenAI API Key",
      "severity": "critical",
      "line": 5,
      "match": "sk-1234********************5678",
      "fix": "Rotate at platform.openai.com/api-keys."
    }
  ]
}
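
Added example, not code from the @clinetools/secret-scanner package: a minimal JavaScript scanner that returns the same shape as the scan_secrets output above, with line numbers, masked matches and per-type fix text. The regexes, the 4+4 masking rule and the constructed sample input are assumptions for illustration.

```javascript
// Assumed patterns (illustrative, not the package's own 40+ rule set).
const PATTERNS = [
  { type: "AWS Access Key ID", severity: "critical",
    re: /\b(?:AKIA|ASIA)[A-Z0-9]{16}\b/g,
    fix: "Deactivate in AWS IAM console. Create a new key pair." },
  { type: "AWS Secret Access Key", severity: "critical",
    // anchored on the variable name: a bare 40-char base64 run alone is too noisy
    re: /aws[_-]?secret[_-]?access[_-]?key\s*[=:]\s*["']?([A-Za-z0-9/+]{40})\b/gi,
    fix: "Rotate in IAM immediately. Use IAM roles instead." },
  { type: "GitHub Token", severity: "critical",
    re: /\bghp_[A-Za-z0-9]{36}\b/g,
    fix: "Revoke at GitHub Settings > Personal access tokens." },
  { type: "OpenAI API Key", severity: "critical",
    re: /\bsk-[A-Za-z0-9_-]{20,}\b/g,
    fix: "Rotate at platform.openai.com/api-keys." },
];

// Never echo the full secret back into a report: keep 4 chars each side, star the rest.
function mask(secret) {
  if (secret.length <= 8) return "*".repeat(secret.length);
  return secret.slice(0, 4) + "*".repeat(secret.length - 8) + secret.slice(-4);
}

function scanSecrets(code) {
  const findings = [];
  code.split(/\r?\n/).forEach((text, i) => {
    for (const p of PATTERNS) {
      p.re.lastIndex = 0;                // reset the shared global regex per line
      for (const m of text.matchAll(p.re)) {
        const secret = m[1] ?? m[0];     // use the capture group when the rule has one
        findings.push({ type: p.type, severity: p.severity, line: i + 1,
                        match: mask(secret), fix: p.fix });
      }
    }
  });
  return {
    total_secrets: findings.length,
    findings,
    summary: findings.length === 0
      ? "No secrets detected. Your code looks clean."
      : `${findings.length} secret(s) detected. Rotate them; git history keeps old values.`,
  };
}

// Constructed sample input (the AWS values are AWS's own documentation examples).
const SAMPLE = [
  "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",
  "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
  "PORT=3000",
  "GITHUB_TOKEN=ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdef1234",
  "OPENAI_API_KEY=sk-1234abcdefghijklmnopqrstuvwx5678",
].join("\n");
```

Running `scanSecrets(SAMPLE)` reports four critical findings on lines 1, 2, 4 and 5 with masked matches, and the serialized report never contains the raw key material.
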

Live Demo

Try It Online

Paste code below and scan for exposed secrets, API keys, tokens, and credentials.


How to Fix Exposed Secrets

Found a leaked secret? Follow these steps to remediate and prevent future leaks.

Rotate Immediately

Any committed secret should be considered compromised. Rotate the credential immediately, even in private repos. Git history preserves all previous values.

Use Environment Variables

Move secrets to environment variables. Reference them as process.env.API_KEY rather than hardcoding. Never commit .env files.

Use a Secrets Manager

Use AWS Secrets Manager, HashiCorp Vault, or GCP Secret Manager for production secrets with access controls and audit logging.

Add .gitignore Rules

Add .env, *.pem, *.key to .gitignore. Use git-secrets or pre-commit hooks to block secrets from being committed.

Scrub Git History

Use git filter-branch or BFG Repo-Cleaner to remove secrets from all history. Force-push and have collaborators re-clone.

Automate CI/CD Detection

Add trufflehog, gitleaks, or detect-secrets to your CI/CD pipeline. GitHub also offers built-in secret scanning.

Need Continuous Scanning?

Our Pro plan includes automated secret scanning for your entire codebase with CI/CD integration.
