npm version npm downloads License: MIT Node ≥14

Find accidentally-committed credentials in any source tree. Zero deps, fast, redacts by default.

$ secscan
[critical] github_pat_classic ghp_...(32 chars)...ibHy
 ./scripts/deploy.sh:14:11
[critical] aws_access_key AKIA...(12 chars)...MPLE
 ./.env.example:5:9
2 findings (2 critical)

You're about to commit. Your .env.example was supposed to have placeholders. Three minutes ago, in a hurry, you copy-pasted real values to test something and forgot to redact. The classic Friday-evening leak. secscan is a pre-commit guard that catches the high-confidence patterns (PATs, AWS keys, OpenAI keys, PEM blocks) and refuses the commit before the leak hits a remote.

npm install -g @v0idd0/secscan

# Scan current directory
secscan
# Scan a specific path
secscan ./src
# JSON output for CI / programmatic use
secscan --json | jq '.findings[] | select(.severity=="critical")'
# Show full secret value (DANGEROUS, for one-off triage)
secscan --no-redact ./broken-checkout
# List all detectors this build ships with
secscan --list-patterns

Patterns are tuned for high precision — we'd rather miss a weird custom format than yell about every base64 string in the codebase.

By default: .git, node_modules, dist, build, .venv, venv, .next, .nuxt, .svelte-kit, coverage, .cache, .idea, .vscode, target, .gradle, .mvn. Binary files (PNG/JPG/PDF/ZIP/MP3/etc.) are skipped automatically. Files larger than 5 MB are skipped (set a smaller limit by piping individual files).

If you operate at scale and want active credential verification (does this stripe key still work?), trufflehog is the right pick. For a fast pre-commit / pre-push gate that just needs to refuse obvious leaks, secscan is faster typing and faster running.

Will it catch a custom-format API key our backend issues? Probably not — we don't pattern-match on entropy alone (too many false positives). If you want your custom format covered, send a PR with a regex and a test fixture.

Why redact by default? Because the typical use case is "scan and tell me if there's a problem", not "show me the secret". When you need the secret to investigate (which char position got pasted?), --no-redact exists; we just don't make it the default.

False positive on sk-... short strings? OpenAI key pattern is ^sk- plus a known suffix substring (T3BlbkFJ) plus a length range. Short sk- strings (sk-test_... examples in test fixtures) don't match.

Pre-commit hook? See the snippet below.

# .git/hooks/pre-commit
#!/bin/bash
secscan --json . | jq -e '.count == 0' > /dev/null || {
 echo "secscan found credentials in your tree — fix before committing."
 secscan
 exit 1
}

Exit code is 1 if any findings, 0 if clean — wire it into pre-commit / CI directly.

import { scanPath, scanFile, PATTERNS } from '@v0idd0/secscan';
const findings = scanPath('./my-repo');
for (const f of findings) {
 if (f.severity === 'critical') alertOps(f);
}

This is one tool out of many — see from-the-studio.md for the full lineup of vøiddo products (other CLI tools, browser extensions, the studio's flagship products and games).

• @v0idd0/jsonyo — JSON swiss army knife, 18 commands, zero limits
• @v0idd0/envguard — stop shipping .env drift to staging
• @v0idd0/depcheck — find unused dependencies in one command
• @v0idd0/gitstats — git repo analytics, one command
• View all tools →

MIT.

Built by vøiddo — a small studio shipping AI-flavoured products, free dev tools, Chrome extensions and weird browser games.