Code Secret Scanner

Scan code files for hardcoded secrets before sharing with AI

Paste code snippets and scan for hardcoded secrets, passwords, connection strings, private keys, and environment variable references that should not be shared with external AI coding assistants. Runs entirely in your browser. It runs free in your browser on Gera Tools, with nothing uploaded.

Last updated Source: Gera Tools

Does my code leave my browser?

No. All pattern matching runs locally in your browser using JavaScript. Nothing is uploaded, logged, or sent to any server, which is exactly why it is safe to scan secrets here.

Code secret scanner

Before you paste code into ChatGPT, Claude, Copilot Chat, or any other external assistant, it pays to check that you are not handing over live credentials. The code secret scanner matches your snippet against a library of patterns for API keys, private keys, passwords, tokens, and connection strings, and flags anything that looks sensitive — all without your code ever leaving the browser.

How it works

The scanner runs a set of regular expressions over each line of the text you paste. Some patterns are precise (an AWS access key ID, an OpenAI sk- key, a PEM private-key header); others are heuristic (a long high-entropy string, or an assignment to a variable whose name contains secret, password, token, or api_key). Every match is reported with the line number, the matched fragment, and a severity so you can quickly decide what to redact. Because everything is local JavaScript, scanning a file full of real secrets here is safe.

What it detects

Pattern typeExamples
Cloud provider keysAWS access key IDs, GCP service-account JSON fragments
AI / API tokensOpenAI sk- keys, Anthropic keys, GitHub Personal Access Tokens
Private key blocksPEM headers such as BEGIN RSA PRIVATE KEY
Connection stringsDatabase URLs containing passwords, SMTP credentials
Generic high-entropy stringsLong alphanumeric values assigned to sensitive variable names
Environment variable namesVariables named password, secret, token, api_key

Precise patterns are flagged as HIGH severity; heuristic matches are MEDIUM so you can judge context yourself.

A common scenario

You are debugging a backend service and want to ask an AI assistant why a database query is slow. You paste the entire service file — and buried on line 87 is:

const db = new Client({ connectionString: "postgres://admin:[email protected]/app" });

The scanner catches the connection string, highlights line 87, and suggests replacing the credential with a placeholder before pasting. The AI still gets all the context it needs; your production database stays safe.

Tips and notes

  • Redact, do not just delete. Replace a secret with a placeholder like <REDACTED> so the AI still understands the code structure.
  • Rotate anything that already leaked. If a key was pasted somewhere untrusted, the only safe fix is to revoke and reissue it.
  • A clean scan is not a guarantee. Custom or obfuscated secrets can slip past pattern matching — review the code yourself too.
  • Prefer environment variables. The cleanest fix is to never hardcode the secret in the first place; reference it from the environment instead.
  • Scan diffs too. When asking an AI to review a pull request, paste the diff rather than individual files — the scanner works equally well on diff output and flags any secret accidentally added in a recent change.

When to use this tool

Use it any time you are about to paste code into a third-party AI system, share a snippet publicly (GitHub, Stack Overflow), or hand off a repository to a contractor. It takes a few seconds and removes the risk of leaking credentials that can cost far more to remediate than they ever would have cost to avoid.