LockZero — Secret Vault for VS Code
Detects hardcoded API keys and credentials in your editor, warns you inline, and moves them to your LockZero vault with a single click — replacing the hardcoded value with a safe environment variable reference.
Aikido tells you there's a secret. LockZero fixes it — moves it out of your code.
Features
- Inline diagnostics — red underlines appear on hardcoded secrets the moment you type them
- One-click vault — CodeAction (
Ctrl+. / Cmd+.) sends the secret to LockZero and rewrites the line automatically
- Language-aware replacement — substitutes the right env var syntax per file type
- Privacy-first — detection runs entirely in your editor; values are only transmitted when you explicitly act
- Workspace scan — bulk scan every source file via the command palette
Installation
From VSIX (pre-marketplace)
# From the extension directory
npm run package # creates lockzero-0.1.0.vsix
code --install-extension lockzero-0.1.0.vsix
From VS Code Marketplace
Search "LockZero" in the Extensions panel (coming soon).
Configuration
1. Set your API key (secure)
Run LockZero: Set API Key from the command palette. The key is stored in VS Code's encrypted SecretStorage — never in settings.json.
2. Settings
| Setting |
Default |
Description |
lockzero.apiUrl |
https://api.lockzero.io |
LockZero API base URL |
lockzero.workspaceId |
— |
Your workspace ID (Dashboard → Settings) |
lockzero.enableGenericDetection |
false |
Also flag high-entropy strings without a known provider prefix (may produce false positives) |
Example settings.json:
{
"lockzero.apiUrl": "https://api.lockzero.io",
"lockzero.workspaceId": "ws_your_workspace_id"
}
Supported Providers
| Provider |
Pattern |
Confidence |
Env var suggestion |
| OpenAI |
sk-... / sk-proj-... |
High |
OPENAI_API_KEY |
| Anthropic |
sk-ant-... |
High |
ANTHROPIC_API_KEY |
| Stripe (live) |
sk_live_... |
High |
STRIPE_SECRET_KEY |
| Stripe (test) |
sk_test_... |
High |
STRIPE_TEST_KEY |
| GitHub PAT |
ghp_... / gho_... / ghs_... |
High |
GITHUB_TOKEN |
| GitHub fine-grained |
github_pat_... |
High |
GITHUB_TOKEN |
| AWS access key |
AKIA... |
High |
AWS_ACCESS_KEY_ID |
| Generic high-entropy |
32–100 char string literal |
Low |
SECRET_KEY |
Generic detection is opt-in via lockzero.enableGenericDetection.
Before / After
Before — src/config.ts:
const openai = new OpenAI({
apiKey: "sk-proj-abcdefghijklmnopqrstuvwxyz1234567890abcde",
});
After pressing Cmd+. → Move to LockZero vault (OpenAI API key):
const openai = new OpenAI({
apiKey: process.env.OPENAI_API_KEY,
});
The key is now stored securely in your LockZero vault and accessible via the dashboard. Add OPENAI_API_KEY to your .env file to restore runtime access.
Language support
The env var reference is adapted to each file type:
| File type |
Replacement |
.ts, .js, .tsx, .jsx |
process.env.VAR_NAME |
.py |
os.environ.get("VAR_NAME") |
.go |
os.Getenv("VAR_NAME") |
.rb |
ENV["VAR_NAME"] |
.php |
getenv("VAR_NAME") |
.sh, .bash |
$VAR_NAME |
Commands
| Command |
Description |
LockZero: Set API Key |
Store your API key securely in VS Code SecretStorage |
LockZero: Scan Workspace for Secrets |
Bulk-scan all source files and populate the Problems panel |
LockZero: Open Dashboard |
Open lockzero.io/dashboard in your browser |
Privacy model
- Detection is 100% local. The scanner runs regex patterns in-process — no code leaves your machine during detection.
- Values are only transmitted on explicit action. Clicking "Move to LockZero vault" is the sole trigger for any network call.
- Secret values are never logged. Vault API requests use HTTPS; the value is in the POST body only.
- No telemetry. The extension collects no analytics, crash reports, or usage data.
- File unchanged on API failure. If the vault request fails, the editor is not modified.
Development
cd packages/vscode-lockzero
npm install
npm run typecheck # TypeScript type-check (zero errors)
npm test # 29 unit tests for scanner logic
npm run build # Bundle to dist/extension.js (~10KB)
npm run watch # Incremental rebuild on change
npm run package # Create lockzero-x.x.x.vsix
License
MIT © LockZero
