Question 1

What does this secret scanner detect?

Accepted Answer

30+ secret patterns including: AWS access keys (AKIA, ASIA), AWS secret keys, OpenAI API keys (sk-), Stripe secret keys (sk_live_, sk_test_), Stripe publishable keys (pk_live_), Supabase service role keys, Firebase Admin SDK credentials, GitHub personal access tokens (ghp_), GitHub fine-grained tokens (github_pat_), Slack tokens (xoxb/xoxp), Google API keys (AIzaSy), Azure client secrets, Anthropic API keys (sk-ant-), JWT tokens, PEM private keys, and more.

Question 2

Is my data safe? Does anything upload?

Accepted Answer

Nothing uploads. Ever. This tool runs 100% in your browser — the pattern matching happens in JavaScript on your device. Open DevTools Network tab while scanning: you'll see zero outbound requests. You can safely paste .env files, private keys, and production credentials (though ideally you'd rotate anything that's been exposed regardless).

Question 3

I found a secret. What do I do?

Accepted Answer

Three things, in order: (1) Rotate it immediately — generate a new key and update your deployments before removing the old one. (2) Remove it from wherever it's exposed (git history too: `git filter-repo` or BFG, since just deleting the file doesn't remove it from history). (3) Check logs for suspicious use of the old key — if it was in public code, assume it was harvested.

Question 4

Why can't the scanner find every possible secret?

Accepted Answer

Secrets vary in format. Well-known services (AWS, Stripe, OpenAI) use distinctive prefixes we can pattern-match reliably. Custom-generated random tokens (UUIDs, hex strings) look identical to non-secrets, so matching them produces too many false positives. We also detect high-entropy strings in suspicious contexts (e.g., assigned to variables named SECRET or API_KEY). For comprehensive coverage, run our full scanner on your deployed app.

Question 5

Should I use this on my git history?

Accepted Answer

This scanner works on pasted content. For git history, use `gitleaks` or `trufflehog` which walk your entire git log. The VAS scanner on deployed apps is complementary — it finds what's actually served to users now, which matters more than what's in history.

Question 6

What's the difference between the Supabase anon key and service role key?

Accepted Answer

The anon key is designed to be public — it ships in your frontend code and relies on RLS policies to enforce security. The service_role key bypasses ALL RLS and grants admin access to the database. If you see an anon key in a bundle, that's expected. If you see a service_role key in a bundle, that's a critical vulnerability — the attacker gets full database access regardless of your RLS setup.

Secret Scanner

Patterns this tool detects

Frequently Asked Questions

What does this secret scanner detect?

Is my data safe? Does anything upload?

I found a secret. What do I do?

What's the difference between Supabase anon and service_role keys?

Why can't the scanner find every possible secret?

More Free Tools