API Secret Scanner & Redactor
指导
API Secret Scanner & Redactor
The API Secret Scanner & Redactor finds hardcoded credentials in code, configuration files, and logs, then rewrites them so the text is safe to share. Paste a snippet and it instantly highlights AWS keys, GitHub and GitLab tokens, Stripe and Square keys, JSON Web Tokens, private key blocks, database connection strings, and generic key, secret, and password assignments. Everything runs locally in your browser, so the text you scan never leaves your machine.
如何使用
- Paste your code, config, or log output into the input box, or drop in a text file.
- Review the findings list, which shows each detected secret with its type, confidence level, and line number.
- Choose a redaction style: a labeled placeholder, full asterisks, or a partial reveal that keeps the first and last few characters.
- Untick any secret type you want to leave untouched, then copy or download the redacted output.
特征
- Broad detection – Recognizes 20+ secret formats using a gitleaks-inspired regular expression library.
- Color-coded findings – Groups matches by category with a confidence label and the line where each was found.
- Redact all or by type – Toggle individual secret types on or off before generating the redacted output.
- Flexible redaction – Replace secrets with a labeled placeholder, asterisks, or a partial reveal.
- 完全客户端 – All scanning happens in your browser; nothing is uploaded.
常问问题
-
What makes a string look like a secret to a scanner?
Most credentials follow recognizable shapes: a fixed prefix (such as AKIA, ghp_, sk_live_), a known length, and a restricted character set like base62 or hexadecimal. Pattern-based scanners encode these shapes as regular expressions, and many also weigh the surrounding context, like an assignment to a variable named api_key or password.
-
Why are private keys and JWTs detected by structure rather than keywords?
A PEM private key is wrapped in explicit BEGIN and END markers, and a JSON Web Token is three base64url segments separated by dots that decode to a header and payload. These structural fingerprints are distinctive enough to match directly, without relying on a nearby label.
-
What is the difference between high and low confidence matches?
High-confidence matches use a vendor-specific prefix and length that rarely occur by accident, so a hit almost certainly is a real key. Low-confidence matches, such as a generic value assigned to a field named token, can also catch ordinary strings, so they are flagged for review rather than treated as certain leaks.
-
Why should secret detection run locally instead of being sent to a server?
The text being scanned may itself contain live credentials. Sending it to a remote service would expose those secrets to another system and any logs along the way. Performing the regex matching entirely in the browser keeps the sensitive input on the user's own machine.
