Paste source code, a config file, a .env, or a diff and scan it line by line for hardcoded secrets and API keys. It flags AWS keys, GitHub and Google tokens, Stripe and Slack keys, private key blocks, JWTs, webhook URLs, and long high entropy strings, then reports each one with a masked preview, a line number, a severity, and how to fix it.
A hardcoded secret is a credential written straight into a file: an API key in a config, a token in a script, a private key in a repo. Once it is committed it is effectively public to anyone who can read the history, and history is forever. This tool reads what you paste, splits it into lines, and matches each line against a set of provider patterns and heuristics, in the same spirit as command line scanners like gitleaks and trufflehog, except it runs entirely in your browser so the file never moves.
The strongest signals are credentials with a fixed, recognizable shape. The scanner matches AWS access key IDs (AKIA followed by twenty characters) and the long secret access keys that sit near them, GitHub tokens (ghp_, gho_, ghu_, ghs_, ghr_, and github_pat_), Google API keys (AIza...), Slack tokens (xoxb and friends), Stripe live keys (sk_live_, rk_live_, pk_live_), Twilio (SK...), SendGrid (SG.), Mailgun, npm and PyPI tokens, and Slack, Discord, or Telegram webhook URLs. It also catches private key PEM blocks and the private_key field inside a service account JSON. A match on one of these is high confidence, so most are graded critical or high.
Not every secret has a branded prefix. The scanner also flags a generic assignment when the name on the left looks sensitive, like password, secret, token, api_key, or access_key, and the value on the right is non-trivial. Finally it computes the Shannon entropy of long tokens and flags the ones that look random, since a high entropy blob is often a key of a shape no pattern knows about. These last two are lower confidence by design and are graded medium or low, because a hash, a UUID, or a base64 asset can trip them.
Each finding carries a severity. A live cloud key or a private key is critical, because it hands an attacker direct access. A recognizable provider token is high. A generic secret-looking assignment is medium. A high entropy string with no other signal is low, a lead to confirm rather than a confirmed leak. The count at the top is a fast signal, not a verdict: a clean result does not prove there are no secrets, because a custom token format can pass through unseen.
Heuristics cut both ways. The entropy and generic name rules will sometimes flag something harmless: a git commit hash, a UUID, a content hash, a public key, or a base64 encoded image are all high entropy yet not secret. Treat those findings as prompts to look, not as proof. The opposite gap matters more: a secret with an internal or unusual shape will not match any named pattern, so a clean report is not a guarantee. Real coverage comes from a scanner wired into your pipeline plus a habit of never committing secrets in the first place. The reasoning about which findings actually matter is the kind of judgement an AI security testing approach brings, rather than pattern matching alone.
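To make the three rule classes above concrete (branded provider shapes, generic sensitive-name assignments, and the entropy heuristic with the false positives it produces), here is a small scanner added for this page; it is not the tool's own code. The regex length constraints, the 3.5-bit entropy cutoff, the masking scheme, and the sample input are assumptions made up for the example.

```python
import math
import re

# Fixed-shape provider credentials; prefixes follow the page, lengths are assumptions.
PROVIDER_RULES = [
    ("aws_access_key_id", r"\bAKIA[0-9A-Z]{16}\b", "critical"),
    ("github_token", r"\b(?:gh[pousr]_[A-Za-z0-9]{36}|github_pat_[A-Za-z0-9_]{22,})\b", "high"),
    ("stripe_live_key", r"\b(?:sk|rk|pk)_live_[A-Za-z0-9]{16,}\b", "critical"),
    ("private_key_block", r"-----BEGIN [A-Z ]*PRIVATE KEY-----", "critical"),
]
# Sensitive-looking name on the left, non-trivial (8+ char) value on the right.
GENERIC_ASSIGN = re.compile(
    r"""(?i)(password|passwd|secret|token|api_key|access_key)\w*\s*[:=]\s*['"]?([^'"\s]{8,})""")
# Candidates for the entropy heuristic; '=' is excluded so an assignment is not swallowed whole.
LONG_TOKEN = re.compile(r"[A-Za-z0-9+/_\-]{20,}")
ENTROPY_THRESHOLD = 3.5  # bits per character (assumed cutoff; a hex hash tops out at 4.0)

def shannon_entropy(s):
    """Bits per character of the empirical character distribution of s."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def mask(value):
    """Masked preview: keep the first four and last two characters."""
    return value if len(value) <= 8 else value[:4] + "*" * (len(value) - 6) + value[-2:]

def scan(text):
    """One (line, rule, severity, preview) finding per line, from the highest-confidence rule."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, pattern, severity in PROVIDER_RULES:
            m = re.search(pattern, line)
            if m:  # branded shape: stop here, do not double-report as generic or entropy
                findings.append((lineno, rule, severity, mask(m.group(0))))
                break
        else:
            m = GENERIC_ASSIGN.search(line)
            if m:
                findings.append((lineno, "generic_" + m.group(1).lower(), "medium", mask(m.group(2))))
                continue
            for tok in LONG_TOKEN.findall(line):  # lowest confidence: a content hash trips it too
                if shannon_entropy(tok) >= ENTROPY_THRESHOLD:
                    findings.append((lineno, "high_entropy", "low", mask(tok)))
    return findings

# Constructed sample; every key, password and digest below is made up for this example.
SAMPLE = """AWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE00
db_password = "correct-horse-battery"
-----BEGIN RSA PRIVATE KEY-----
ASSET_DIGEST = "3f9a1c7e0b5d2486d6e8b4c0a2f19375"
session_seed = "q3Zx8Kp1Lm5Vn7Wb2Rc4Tf6Yh9Jd0GsE"
"""
```

Running `scan(SAMPLE)` yields one finding per line: critical for the AWS key and the PEM header, medium for the password assignment, and low for both the hex digest (entropy exactly 4.0, a false positive to inspect) and the random-looking seed (entropy 5.0).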
If a finding is a genuine credential, treat it as already compromised and act in order:
For the wider set of credential and access mistakes attackers look for, see the access control writing and the web security glossary.