Code secret scanner
Before you paste code into ChatGPT, Claude, Copilot Chat, or any other external assistant, it pays to check that you are not handing over live credentials. The code secret scanner matches your snippet against a library of patterns for API keys, private keys, passwords, tokens, and connection strings, and flags anything that looks sensitive — all without your code ever leaving the browser.
How it works
The scanner runs a set of regular expressions over each line of the text you
paste. Some patterns are precise (an AWS access key ID, an OpenAI sk- key, a
PEM private-key header); others are heuristic (a long high-entropy string, or an
assignment to a variable whose name contains secret, password, token, or
api_key). Every match is reported with the line number, the matched fragment,
and a severity so you can quickly decide what to redact. Because everything is
local JavaScript, scanning a file full of real secrets here is safe.
What it detects
| Pattern type | Examples |
|---|---|
| Cloud provider keys | AWS access key IDs, GCP service-account JSON fragments |
| AI / API tokens | OpenAI sk- keys, Anthropic keys, GitHub Personal Access Tokens |
| Private key blocks | PEM headers such as BEGIN RSA PRIVATE KEY |
| Connection strings | Database URLs containing passwords, SMTP credentials |
| Generic high-entropy strings | Long alphanumeric values assigned to sensitive variable names |
| Environment variable names | Variables named password, secret, token, api_key |
Precise patterns are flagged as HIGH severity; heuristic matches are MEDIUM so you can judge context yourself.
A common scenario
You are debugging a backend service and want to ask an AI assistant why a database query is slow. You paste the entire service file — and buried on line 87 is:
const db = new Client({ connectionString: "postgres://admin:[email protected]/app" });
The scanner catches the connection string, highlights line 87, and suggests replacing the credential with a placeholder before pasting. The AI still gets all the context it needs; your production database stays safe.
Tips and notes
- Redact, do not just delete. Replace a secret with a placeholder like
<REDACTED>so the AI still understands the code structure. - Rotate anything that already leaked. If a key was pasted somewhere untrusted, the only safe fix is to revoke and reissue it.
- A clean scan is not a guarantee. Custom or obfuscated secrets can slip past pattern matching — review the code yourself too.
- Prefer environment variables. The cleanest fix is to never hardcode the secret in the first place; reference it from the environment instead.
- Scan diffs too. When asking an AI to review a pull request, paste the diff rather than individual files — the scanner works equally well on diff output and flags any secret accidentally added in a recent change.
When to use this tool
Use it any time you are about to paste code into a third-party AI system, share a snippet publicly (GitHub, Stack Overflow), or hand off a repository to a contractor. It takes a few seconds and removes the risk of leaking credentials that can cost far more to remediate than they ever would have cost to avoid.