DevBolt
Processed in your browser. Your data never leaves your device.

Hardcoded Secrets Scanner — Detect Credentials Before They Leak

Find hardcoded API keys, passwords, tokens, and credentials in your code before they reach Git. Detects AWS keys, API secrets, database passwords, and authentication tokens using pattern matching — all in your browser.

AI Code Security Scanner

Paste JavaScript or TypeScript code and scan for common security vulnerabilities. Detects hardcoded secrets, injection flaws, XSS, SSRF, prototype pollution, and more. 100% client-side — your code never leaves your browser.


The hardcoded secrets problem

Hardcoded credentials are the most common and most dangerous security vulnerability in source code. GitGuardian's 2025 report found over 12 million new secrets exposed in public GitHub repositories in a single year. Once a secret is committed to Git, it exists in the repository history forever — even if deleted from the current codebase. Leaked AWS keys can be exploited within minutes by automated scanners. This tool catches secrets before they enter version control.

What secrets this scanner detects

The scanner identifies: API keys with common naming patterns (api_key, apiKey, secret_key, client_secret), AWS access key IDs (AKIA prefix), authentication tokens (auth_token, access_token, bearer tokens), database passwords (password, passwd, DB_PASSWORD), private keys and client secrets, and hardcoded connection strings with embedded credentials. Each finding includes the exact line number and a recommendation to move the secret to environment variables.
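As an added illustration of the pattern-matching approach described above (example code written for this page, not DevBolt's scanner), the following JavaScript applies a handful of regexes for the secret kinds listed here to each line of a source string and reports every hit with its line number, a redacted preview and a recommended fix. It goes slightly beyond the text by skipping obvious placeholder literals and by never echoing the full secret in its output. The pattern set, the placeholder filter and the sample source are constructed assumptions, not the tool's own rules or data.

```javascript
// Added example, not DevBolt's code: a minimal regex-based secrets scanner of
// the kind the page describes. The patterns, the placeholder filter and the
// sample source are all constructed for illustration.

const SECRET_PATTERNS = [
  {
    id: "aws-access-key-id",
    // AWS access key IDs: "AKIA" followed by 16 uppercase alphanumerics.
    regex: /\bAKIA[0-9A-Z]{16}\b/,
    valueGroup: 0,
    fix: "Load the key from AWS_ACCESS_KEY_ID at runtime and rotate the exposed one",
  },
  {
    id: "credential-assignment",
    // A credential-like name assigned a quoted literal of 8+ characters:
    //   api_key = "..."   apiKey: '...'   DB_PASSWORD = "..."
    // Group 1 is the matched name, group 2 the literal value.
    regex: /\b(api[_-]?key|secret[_-]?key|client[_-]?secret|auth[_-]?token|access[_-]?token|passw(?:or)?d|db[_-]?password)\b\s*[:=]\s*["'`]([^"'`]{8,})["'`]/i,
    valueGroup: 2,
    fix: "Replace the literal with an environment variable (process.env.NAME)",
  },
  {
    id: "bearer-token",
    // "Bearer" followed by 20+ base64url/JWT-style characters (group 1).
    regex: /\bBearer\s+([A-Za-z0-9\-._~+\/]{20,}=*)/,
    valueGroup: 1,
    fix: "Inject the token at runtime instead of embedding it in source",
  },
  {
    id: "connection-string-credentials",
    // scheme://user:password@host...; the password is capture group 1.
    regex: /\b[a-z][a-z0-9+.-]*:\/\/[^\s:\/@"'`]+:([^\s@"'`]+)@[^\s"'`]+/i,
    valueGroup: 1,
    fix: "Remove the credentials from the URL and supply them via the environment",
  },
];

// Literals that are obviously placeholders rather than live secrets.
const PLACEHOLDER = /^(your[_-]?|changeme|example|placeholder|dummy|xxx|<)/i;

function redact(secret) {
  // Scanner output ends up in tickets and CI logs; never echo the whole secret.
  return secret.length <= 8 ? "***" : `${secret.slice(0, 4)}***(${secret.length} chars)`;
}

// Scan a source string line by line; returns one finding per pattern hit.
function scanSource(source) {
  const findings = [];
  source.split(/\r?\n/).forEach((text, index) => {
    for (const pattern of SECRET_PATTERNS) {
      const match = pattern.regex.exec(text);
      if (!match) continue;
      const value = match[pattern.valueGroup];
      if (PLACEHOLDER.test(value)) continue; // skip obvious placeholders
      findings.push({
        line: index + 1,
        id: pattern.id,
        preview: redact(value),
        fix: pattern.fix,
      });
    }
  });
  return findings;
}

// Constructed sample input; none of these values is a real credential.
const SAMPLE_SOURCE = [
  "const apiKey = process.env.API_KEY;",                                    // 1: correct, no finding
  'const stripe = { api_key: "sk_live_constructedExampleValue" };',         // 2: credential-assignment
  'const awsKey = "AKIAEXAMPLE0CONSTRUC";',                                 // 3: aws-access-key-id
  'headers.Authorization = "Bearer eyJhbGciOiJIUzI1NiJ9.constructedtoken";', // 4: bearer-token
  'const dbUrl = "postgres://app:s3cretPassw0rd@db.internal:5432/app";',    // 5: connection-string
  'const DB_PASSWORD = "CHANGEME_IN_PRODUCTION";',                           // 6: placeholder, skipped
].join("\n");

console.log(scanSource(SAMPLE_SOURCE));
```

Line 1 produces no finding because the assignment references `process.env` rather than a quoted literal, which is exactly the shape the fix recommendation asks for; line 6 shows why a placeholder filter is worth having in a pre-commit check, where every false positive costs developer trust.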

Best practices for managing secrets

Never hardcode secrets in source code. Use environment variables (process.env.API_KEY), a secrets manager (AWS Secrets Manager, HashiCorp Vault, Doppler), or a .env file that is listed in .gitignore. Add a pre-commit hook (git-secrets, detect-secrets) to catch leaked credentials automatically. Rotate any credential that has ever been committed to a repository, even if removed — it exists in Git history. Use this scanner as a quick check before committing.

Frequently Asked Questions

What types of secrets does this scanner detect?

The scanner detects API keys, secret keys, passwords, authentication tokens, AWS access key IDs (AKIA prefix), client secrets, database credentials, and any string assigned to variables with common credential naming patterns. It uses regex pattern matching to identify secrets regardless of the programming language.

Is this scanner safe for checking code with real secrets?

Yes. The scanner runs 100% in your browser — your code and any secrets it contains are never transmitted to any server. This is the safest way to check for hardcoded credentials online, because the detection tool itself does not create an exposure risk.

How do I fix hardcoded secrets in my code?

Replace hardcoded values with environment variable references (process.env.API_KEY in Node.js, os.environ in Python). Store actual values in a .env file excluded from Git via .gitignore, or use a secrets manager. If the secret was ever committed to Git, rotate it immediately — deletion from the current code does not remove it from Git history.
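The fix described in this answer and under "Best practices for managing secrets" above, as an added JavaScript example (written for this page, not DevBolt's code): the hardcoded literal beside its environment-variable replacement, a config loader that fails fast when a variable is missing, and a small check that a `.gitignore` actually covers the `.env` file, including the common negated `.env.example` template case. The variable names, the subset of gitignore syntax handled and the sample `.gitignore` contents are constructed assumptions.

```javascript
// Added example, not DevBolt's code: the refactor the page recommends
// (hardcoded literal -> environment variable, failing fast when missing)
// plus a check that .gitignore really covers the .env file.
// All names and sample contents are constructed.

// BEFORE: the literal is committed together with the file and lives on in
// Git history even after it is deleted.
const insecureConfig = {
  apiKey: "sk_live_constructedExampleValue", // constructed, not a real key
};

// AFTER: read the value from the environment. A missing variable throws at
// startup instead of leaving the field undefined and failing later.
function requireEnv(env, name) {
  const value = env[name];
  if (typeof value !== "string" || value.trim() === "") {
    throw new Error(`Missing required environment variable ${name}`);
  }
  return value;
}

function loadConfig(env = process.env) {
  return {
    apiKey: requireEnv(env, "API_KEY"),
    dbPassword: requireEnv(env, "DB_PASSWORD"),
  };
}

// Does this .gitignore content ignore the given path? Handles the subset of
// gitignore syntax that matters here: comments, blank lines, "!" negation,
// "*" wildcards, a trailing "/" (ignored), and patterns containing another
// "/" matched against the full relative path (patterns without one match the
// basename at any depth). Later lines override earlier ones, as in Git.
function gitignoreCovers(gitignoreText, relativePath) {
  const escape = (s) => s.replace(/[.+?^${}()|[\]\\]/g, "\\$&");
  const basename = relativePath.split("/").pop();
  let ignored = false;
  for (const raw of gitignoreText.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === "" || line.startsWith("#")) continue;
    const negate = line.startsWith("!");
    const stripped = (negate ? line.slice(1) : line).replace(/\/$/, "");
    const anchored = stripped.includes("/");
    const pattern = stripped.replace(/^\//, "");
    const re = new RegExp("^" + pattern.split("*").map(escape).join("[^/]*") + "$");
    if (re.test(anchored ? relativePath : basename)) ignored = !negate;
  }
  return ignored;
}

// Constructed .gitignore: ignores .env and .env.<anything> but keeps the
// committed template .env.example.
const SAMPLE_GITIGNORE = "node_modules/\n.env\n.env.*\n!.env.example\n";

console.log(".env ignored:", gitignoreCovers(SAMPLE_GITIGNORE, ".env"));
console.log(".env.example ignored:", gitignoreCovers(SAMPLE_GITIGNORE, ".env.example"));
```

The fail-fast loader matters because a `.env` file that is correctly excluded from Git is also absent on a fresh clone or a new deployment target; surfacing the missing variable at startup is far easier to diagnose than an authentication failure deep in a request path.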
