Secret Scanner

Scan code for leaked API keys, tokens, passwords, and secrets with severity levels and partial masking.

What is Secret Scanner?

Secret Scanner is a free, browser-based tool that scans your source code for accidentally leaked API keys, tokens, passwords, database connection strings, and other sensitive credentials. It uses pattern matching and Shannon entropy analysis to detect secrets across 17+ common patterns, assigns severity levels (Critical, High, Medium, Low), and partially masks findings so you can share reports safely. All processing runs entirely in your browser — no code is ever uploaded.

Common Use Cases

Pre-Commit Scanning

Paste code before committing to catch accidentally hardcoded secrets, API keys, or database credentials before they reach your repository.

Code Review

Quickly audit pull requests or code snippets for leaked tokens and passwords during the review process.

Security Audit

Scan configuration files, environment templates, and source code as part of a security audit to identify exposed credentials.

Open Source Contribution

Check your code for secrets before submitting to open source projects where credentials would be publicly visible.

How to Use This Tool

  1. Paste your source code into the text area, or drag and drop a source file onto the upload zone
  2. Click the "Scan for Secrets" button to analyze the code
  3. Review the summary bar showing total findings broken down by severity level
  4. Examine each finding in the results table — matches are partially masked for safety
  5. Click "Copy Report" to copy a text summary of all findings to your clipboard

Frequently Asked Questions

Is my code sent to any server?
No. All scanning runs entirely in your browser using JavaScript regex and entropy analysis. Your code never leaves your machine.
What types of secrets does it detect?
The scanner detects AWS keys, GitHub tokens, Slack tokens, Stripe keys, Google API keys, database URLs, JWTs, bearer tokens, private keys, hardcoded passwords, private IPs, and more. It also uses Shannon entropy analysis to flag high-entropy strings near sensitive keywords.
Why are matched values partially masked?
Matches show only the first 4 and last 4 characters with the middle replaced by ***. This lets you identify the secret without fully exposing it, making it safe to share scan reports.
Can it replace a dedicated secrets scanning tool like git-secrets or TruffleHog?
This tool is great for quick ad-hoc checks, but for comprehensive repository-wide scanning with git history analysis, dedicated CLI tools like git-secrets, TruffleHog, or GitHub secret scanning are recommended.
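The entropy check and the masking rule described in the answers above, as an added example written for this page (not the tool's own code). The keyword list, the 3.5-bit entropy threshold and the 16-character minimum length are assumptions, and the sample input is constructed.

```javascript
// Added example, not the Secret Scanner's own implementation.
// Assumed tuning values: which keywords count as "sensitive" and the entropy cut-off.
const SENSITIVE_KEYWORDS = ["password", "passwd", "secret", "token", "api_key", "apikey"];
const ENTROPY_THRESHOLD = 3.5; // bits per character; assumed cut-off

// Shannon entropy of a string in bits per character.
function shannonEntropy(s) {
  if (!s.length) return 0;
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Masking rule from the FAQ: keep the first 4 and last 4 characters, replace the middle with ***.
function maskSecret(value) {
  if (value.length <= 8) return "***"; // too short to keep any characters safely
  return value.slice(0, 4) + "***" + value.slice(-4);
}

// Flag quoted strings of 16+ token-like characters that are high-entropy AND sit on a
// line mentioning a sensitive keyword; report them masked, never in full.
function scanForEntropySecrets(source) {
  const findings = [];
  source.split("\n").forEach((line, i) => {
    const lower = line.toLowerCase();
    if (!SENSITIVE_KEYWORDS.some((k) => lower.includes(k))) return;
    for (const m of line.matchAll(/["']([A-Za-z0-9+\/=_\-]{16,})["']/g)) {
      const h = shannonEntropy(m[1]);
      if (h >= ENTROPY_THRESHOLD) {
        findings.push({ line: i + 1, entropy: Number(h.toFixed(2)), masked: maskSecret(m[1]) });
      }
    }
  });
  return findings;
}

// Constructed sample: one real-looking token next to a keyword, two lines that must not fire.
const SAMPLE = [
  'const greeting = "hello world hello world";',        // no sensitive keyword on the line
  'const API_TOKEN = "aB3dE9fGhI2jKlMnOpQr7StUvWx";',    // keyword + high entropy: flagged
  'const password = "aaaaaaaaaaaaaaaaaaaaaa";',          // keyword but zero entropy: ignored
].join("\n");

console.log(scanForEntropySecrets(SAMPLE)); // one finding, masked as aB3d***UvWx
```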