SecretSentinel

Isha Rawool

Real-time secret & credential leak detector for VS Code. Detects API keys, passwords, tokens and private keys before you commit.

The Problem

Every week, developers accidentally push API keys, database passwords, and private keys to GitHub. By the time you notice, bots have already scraped your credentials. SecretSentinel stops leaks at the source — your editor, before you ever commit.

Features

Real-Time Secret Detection

Scans your code as you type and highlights secrets instantly with color-coded severity underlines. Detects secrets from 60+ providers including AWS, Google, Azure, OpenAI, GitHub, Stripe, Slack, Twilio, SendGrid, MongoDB, PostgreSQL and many more.

Entropy-Based Detection

Uses Shannon entropy scoring to flag high-randomness strings that look like secrets — even if they don't match any known pattern.

const key = "x7Kp9#mQ2$nLvR8@wZqY"  // [HIGH ENTROPY] Possible secret detected

Severity Levels

Classifies every finding into 4 severity tiers:

Severity   Examples
CRITICAL   Private keys, AWS keys, Stripe live keys
HIGH       GitHub tokens, OpenAI keys, DB connection strings
MEDIUM     Generic API keys, JWT secrets, client secrets
LOW        Generic passwords, tokens, app secrets

Git History Scanner

Scans your last 100 commits and tells you exactly which commits introduced secrets, which files they are in, and how to purge them.

.env File Differ

Compares your .env and .env.example side by side and shows exactly which keys are missing — with a one-click option to auto-sync them.

One-Click .env.example Generator

Instantly generates a clean .env.example from your .env file with all values stripped and all keys preserved.

Input .env:

DATABASE_URL=postgresql://user:pass@localhost/mydb
API_KEY=supersecretkey123
JWT_SECRET=myjwtsecret
PORT=3000

Output .env.example:

DATABASE_URL=
API_KEY=
JWT_SECRET=
PORT=

Security Report Generator

After a workspace scan, generates a professional SECURITY-REPORT.md with every issue found — file paths, line numbers, severity levels and recommended remediation steps.

Git Staging Interceptor

Watches your git index in real time. The moment you stage a .env file, you get an immediate warning with a one-click option to unstage it.

.gitignore Guardian

When you open a .env file that is not in your .gitignore, SecretSentinel immediately warns you and offers to fix it with one click.

Commands

Open the Command Palette (Ctrl+Shift+P) and type SecretSentinel:

Command                                         Description
SecretSentinel: Scan Entire Workspace           Scan all files in the project
SecretSentinel: Scan Git History                Find secrets in past commits
SecretSentinel: Compare .env vs .env.example    Show missing keys
SecretSentinel: Generate .env.example           Auto-generate from .env
SecretSentinel: Generate Security Report        Export SECURITY-REPORT.md
SecretSentinel: Show Issues Panel               Open the sidebar panel

Suppress False Positives

Add secret-sentinel-ignore anywhere on a line to suppress warnings for that line:

const EXAMPLE_KEY = "sk-test-key-for-docs" // secret-sentinel-ignore

Custom Rules

Create .envguard.json in your project root to define your own secret patterns:

{
  "patterns": [
    { "label": "Internal API Key", "pattern": "MYCOMPANY_[A-Z0-9]{32}" },
    { "label": "Internal DB Token", "pattern": "dbtoken_[a-z0-9]{24}" }
  ]
}
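The following is an added example, not SecretSentinel's own code: it shows how the Shannon entropy scoring from the Entropy-Based Detection section, the custom patterns from .envguard.json above, and the secret-sentinel-ignore marker can combine in one line scanner. The 3.5 bits-per-character threshold, the 16-character minimum and the sample lines are assumptions, not values taken from the extension.

```javascript
// Added example, not SecretSentinel's own code: entropy scoring over string
// literals plus .envguard.json-style patterns and the ignore marker. Thresholds
// and sample lines are constructed assumptions.
const ENTROPY_THRESHOLD = 3.5; // bits per character (assumed)
const MIN_LENGTH = 16;         // skip short literals (assumed)
const IGNORE_MARKER = "secret-sentinel-ignore";
// Same shape as the "patterns" array in .envguard.json above.
const CUSTOM_PATTERNS = [
  { label: "Internal API Key", pattern: "MYCOMPANY_[A-Z0-9]{32}" },
  { label: "Internal DB Token", pattern: "dbtoken_[a-z0-9]{24}" },
];

// Shannon entropy in bits per character: H = -sum(p_i * log2(p_i)).
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) h -= (n / s.length) * Math.log2(n / s.length);
  return h;
}

// Scan one source line; a line carrying the ignore marker yields no findings.
function scanLine(text, lineNo, patterns = CUSTOM_PATTERNS) {
  const findings = [];
  if (text.includes(IGNORE_MARKER)) return findings;
  for (const { label, pattern } of patterns) {
    for (const m of text.matchAll(new RegExp(pattern, "g"))) {
      findings.push({ line: lineNo, label, value: m[0] });
    }
  }
  // Entropy pass over quoted literals that no custom pattern already matched.
  for (const m of text.matchAll(/["']([^"']+)["']/g)) {
    const lit = m[1];
    if (lit.length < MIN_LENGTH || findings.some((f) => f.value === lit)) continue;
    if (shannonEntropy(lit) >= ENTROPY_THRESHOLD) {
      findings.push({ line: lineNo, label: "HIGH ENTROPY", value: lit });
    }
  }
  return findings;
}

function scanSource(source, patterns = CUSTOM_PATTERNS) {
  return source.split("\n").flatMap((t, i) => scanLine(t, i + 1, patterns));
}

// Constructed sample input; the first line is the README's own entropy example.
const SAMPLE = [
  'const key = "x7Kp9#mQ2$nLvR8@wZqY"',
  'const EXAMPLE_KEY = "sk-test-key-for-docs" // secret-sentinel-ignore',
  'const greeting = "hello hello hello hello"', // long but repetitive: not flagged
  'token = "dbtoken_abcdefghijklmnopqrstuvwx"', // hits the custom DB token rule
].join("\n");
console.log(scanSource(SAMPLE));
```

The README's sample literal has 20 distinct characters, so its entropy is log2(20), about 4.32 bits per character, while the repetitive greeting scores about 2.2 and passes.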

Supported Secret Types

Cloud Providers: AWS, Google Cloud, Azure, DigitalOcean

AI / ML: OpenAI, Anthropic, Hugging Face

Version Control: GitHub tokens, npm tokens, Docker Hub

Payment: Stripe, PayPal, Braintree

Communication: Slack, Twilio, SendGrid, Mailgun, Mailchimp

Databases: PostgreSQL, MySQL, MongoDB, Redis, CockroachDB, PlanetScale, Supabase

Infrastructure: Heroku, Vercel, Cloudinary, Cloudflare, Firebase, Shopify

Cryptographic: RSA, EC, PGP, OpenSSH private keys, JWT tokens, Ethereum keys

Privacy

Runs 100% locally. Your code never leaves your machine. No telemetry, no cloud scanning, no data collection of any kind.

License

MIT
