What types of secrets does the scanner detect?

The scanner detects more than 50 secret types including AWS access keys, GCP service account JSON, Azure storage keys, GitHub personal access tokens, Stripe secret and webhook keys, Slack bot tokens, Discord tokens, SendGrid API keys, OpenAI and Anthropic API keys, Hugging Face tokens, DigitalOcean tokens, NPM access tokens, RSA and EC private keys, OpenSSH private keys, PGP private keys, JWT tokens, database connection strings with embedded credentials, and generic password and API key assignments.

Is my text sent to a server?

No. All scanning is performed entirely in your browser using JavaScript regex patterns. Nothing you paste is transmitted to any server. This makes the tool safe to use with real credentials you are trying to identify and rotate.

What should I do if the scanner finds a real secret?

Rotate the credential immediately in the service dashboard — generate a new key and invalidate the old one. Treat the exposed credential as compromised regardless of whether you see evidence of unauthorized access. Then remove it from the source file, replace it with an environment variable, and check whether the file was committed to git. If it was, you must purge the git history because deleting the file does not remove the secret from past commits.

How do I remove a secret from git history?

Use git filter-repo or BFG Repo Cleaner to rewrite history and remove all commits that contained the file or the specific string. After rewriting, you will need to force-push to the remote and ask all collaborators to re-clone or rebase. Notify your git hosting platform — GitHub, GitLab, and Bitbucket all have secret scanning that may have already captured and alerted on the leaked credential.

Why do some findings say they may be a false positive?

Generic patterns that look for password = ... or api_key = ... match a broad range of strings including example values, comments, and placeholder text. These patterns are included because they catch real leaks in config files, but they also produce false matches. The scanner marks them with a high false positive risk warning so you can review them with more scrutiny. Specific patterns like AKIA... for AWS or ghp_... for GitHub are unique to those services and rarely produce false positives.

Does this catch secrets in environment variable files?

Yes. The scanner works on any plain text including .env files, Docker Compose YAML, Kubernetes secrets YAML, GitHub Actions workflow files, shell scripts, and any other format where credentials might appear as plain text key-value pairs.

What is the difference between Critical, High, and Medium severity?

Critical means the exposed credential grants full or near-full access to an account or system, such as an AWS secret access key, a database connection string with admin credentials, or an RSA private key. High means significant access is granted but the scope is more limited or the credential is one component of a two-part authentication pair. Medium means the exposure may not be immediately exploitable but still represents a security risk, such as a JWT token that may have expired or a generic password assignment that could be a real credential.

How do I prevent secrets from being committed in the first place?

Use a pre-commit hook tool like pre-commit with the detect-secrets plugin, or use git-secrets from AWS Labs. Add all .env files and credential files to .gitignore. Use a secrets manager such as AWS Secrets Manager, HashiCorp Vault, or Doppler instead of environment variable files. Enable secret scanning on your git host — GitHub, GitLab, and Bitbucket all offer automated scanning that alerts you when a known secret pattern is pushed.

Can the scanner detect secrets in minified or obfuscated code?

The scanner matches regex patterns against raw text, so it can detect secrets in minified JavaScript or other formats as long as the secret value itself is not transformed. Base64-encoded or otherwise obfuscated secrets will not be detected unless the encoding itself is included in the scan (for example, a JWT is base64url-encoded but the tool still matches the eyJ prefix that all JWTs share).

Does the tool show me the actual secret value?

No, by default the scanner shows only a redacted preview of each matched string with the first and last few characters visible and the rest replaced with ellipsis. You can click Show redacted match on each finding to see this partial view. The full secret is never displayed. Since all processing is local, you can see the full match in context by looking at the line number in your original pasted text.

Loading tool...

How to Use Secret and Credential Scanner

How to Use the Secret and Credential Scanner

Step 1: Paste Your Text

Paste any text into the scanner: environment variable files, Docker Compose configs, CI/CD pipeline definitions, code snippets, log output, or any other text that might contain credentials. You can also click an example preset to test with sample secrets.

Step 2: Review the Results

The scanner checks your input against more than 50 regex patterns in real time. Results are grouped by severity:

Severity	Meaning	Example
Critical	Immediate risk — rotate now	AWS access key, Stripe secret key, RSA private key
High	Significant risk — rotate soon	GitHub PAT, Slack bot token, Twilio SID
Medium	Review carefully	JWT token, bearer token in header, generic password assignment

Each finding shows the secret type, the line number it was found on, and a redacted preview (click Show redacted match to reveal the first and last few characters).

Step 3: Rotate and Remove

If the scanner finds real credentials:

Rotate them immediately in the relevant service dashboard — treat them as compromised regardless of whether they were actually accessed.
Remove or replace them with environment variable references such as process.env.STRIPE_SECRET_KEY.
If the file was committed to git, delete is not enough — the secret remains in git history. Use git filter-repo or BFG Repo Cleaner to purge the history, then force-push.
Review access logs in the affected service for unauthorized use.

Secret Categories Detected

Category	Examples
Cloud	AWS access keys, GCP service accounts, Azure connection strings
Version Control	GitHub PATs, GitLab tokens
Payment	Stripe, Square, Braintree, Shopify
Communication	Slack, Discord, Telegram, SendGrid, Mailgun, Twilio
AI / ML	OpenAI, Anthropic, Hugging Face
Infrastructure	DigitalOcean, NPM, Databricks
Cryptographic Keys	RSA, EC, OpenSSH, PGP private keys
Auth Tokens	JWT, Bearer tokens, Basic auth in URLs
Database	MongoDB, PostgreSQL, MySQL, Redis connection strings
Generic	Password assignments, API key assignments (higher false positive rate)

About False Positives

Generic patterns such as password = ... or api_key = ... have a higher false positive rate because they match configuration examples and placeholder values. The scanner marks these findings with a note. Specific patterns such as AKIA... for AWS or ghp_... for GitHub have very low false positive rates because the prefix is unique to that service.

Frequently Asked Questions

Most Viewed Tools

🔐

TOTP Code Generator

2,924 views

Generate time-based one-time passwords from a TOTP secret key. Enter your base32 secret, choose a period and digit length, and get the current and next codes with a live countdown timer. Useful for testing and debugging 2FA integrations.

Secret and Credential Scanner

How to Use Secret and Credential Scanner

How to Use the Secret and Credential Scanner

Step 1: Paste Your Text

Step 2: Review the Results

Step 3: Rotate and Remove

Secret Categories Detected

About False Positives

Frequently Asked Questions

What types of secrets does the scanner detect?

Is my text sent to a server?

What should I do if the scanner finds a real secret?

How do I remove a secret from git history?

Why do some findings say they may be a false positive?

Does this catch secrets in environment variable files?

What is the difference between Critical, High, and Medium severity?

How do I prevent secrets from being committed in the first place?

Can the scanner detect secrets in minified or obfuscated code?

Does the tool show me the actual secret value?

Most Viewed Tools

TOTP Code Generator

Password Entropy Calculator

Content Security Policy Generator

Screen Size Converter

API Key Hasher

SSH Key Generator

PGP Key Generator

DPI Calculator

Related Privacy & Security Tools

API Key Hasher

PGP Key Generator

TOTP Code Generator

OAuth 2.0 Scope Builder

Password Entropy Calculator

Content Security Policy Generator

SSH Key Generator

PIN Generator

Share Your Feedback