Skip to content
| Marketplace
Sign in
Visual Studio Code>Linters>LeakerLensNew to Visual Studio Code? Get it now.
LeakerLens

LeakerLens

Manolov

|
5 installs
| (0) | Free
Catch API keys, tokens, and secrets as you type — 100% locally. Nothing leaves your machine.
Installation
Launch VS Code Quick Open (Ctrl+P), paste the following command, and press enter.
Copied to clipboard
More Info

LeakerLens — catch secrets before they leak

LeakerLens finds API keys, tokens, passwords, and .env secrets as you type and before you commit — with 100% of analysis running locally. Nothing ever leaves your machine. No account, no cloud, no telemetry of your code.

Completely free · local-only · 46 precision-first detectors · catches secrets as you type, in CI, and inside your AI coding agents · zero telemetry.

LeakerLens reaches around your whole workflow from one local engine — in the editor (squiggles, hovers, one-click fixes), on demand (Scan Workspace + a List · Tree · Map Findings panel), in the terminal and CI (the leakerlens CLI with JSON/SARIF output), inside your AI agents (an leakerlens mcp server), and before you commit (an opt-in git guard).

Why LeakerLens

  • Local-only, always. Detection never makes a network call. Your code and findings stay on your machine — that's the whole point.
  • Zero-config. Install it and it works. Sensible, quiet defaults; no setup wizard.
  • Fast. Scanning is debounced and runs off the typing hot path. It won't lag your editor.
  • Calm, not alarmist. Native theming, clear hovers, one-click fixes.

Features

  • Real-time inline detection — squiggles, overview-ruler marks, and teaching hovers.
  • One-click remediation: Ignore here, Mask value, Move to .env (via the lightbulb, the hover, or the panel).
  • A calm Findings panel grouping detections by severity — click to jump.
  • Secret Graph — see where each unique secret is referenced from across your workspace, two ways from one panel (List · Tree · Map): a Tree (Secret → File → Line, with counts and search) and an animated, force-directed Map — secrets as nodes (coloured by severity, sized by reference count) linked to the files they appear in; drag, hover, and click to jump.
  • Scan Workspace command for an on-demand sweep.
  • Opt-in git pre-commit guard that warns on staged secrets — or blocks the commit, if you turn on the leakerlens.commitBlocking setting.

Detected secret types

46 detectors and counting, all running locally:

  • Cloud & infra — AWS, Google/GCP, Azure Storage, DigitalOcean, Cloudflare, Heroku, Linode.
  • Source & CI — GitHub (classic + fine-grained), GitLab, npm, PyPI, Docker Hub, Terraform Cloud, Atlassian.
  • AI — OpenAI, Anthropic, Hugging Face, Replicate, Groq.
  • Payments — Stripe, Square, Shopify, PayPal / Braintree.
  • Comms & email — Slack (tokens + webhooks), SendGrid, Mailgun, Mailchimp, Discord webhooks, Telegram bots.
  • Observability — Sentry DSNs, New Relic, Datadog, Grafana, PagerDuty.
  • Datastores — Postgres / MySQL / MongoDB / Redis connection-string passwords, PlanetScale.
  • Generic — JWTs, PEM private keys, high-entropy assignments, and hardcoded .env-style values.

Detection patterns are partly adapted from gitleaks (MIT). Precision-first: placeholders, example/test files, and low-entropy matches are filtered out so the signal stays high.

Commands

Command What it does
LeakerLens: Scan Workspace for Secrets Sweep the whole workspace
LeakerLens: Show Findings Panel Reveal the panel
LeakerLens: Show Secret Graph Open the animated map of where each secret is referenced
LeakerLens: Set up agent guardrails Wire the scanner into your AI agents (MCP + AGENTS.md + git hook)
LeakerLens: Install Pre-commit Guard Add the opt-in git hook to this repo
LeakerLens: Remove Pre-commit Guard Remove it

Completely free

Everything in LeakerLens — real-time detection, all 46 detectors, one-click fixes, the Findings panel, the Secret Graph, the CLI, the MCP server, and the commit-blocking pre-commit guard — is free. No account, no license key, no upsell.

Privacy

LeakerLens performs no network requests and collects no telemetry of your code, secrets, or findings. Detection, the CLI, and the MCP server all run entirely on your machine.

Inline ignore

Add leakerlens:ignore anywhere on a line (e.g. // leakerlens:ignore) to suppress findings on that line. The Ignore here quick-fix does this for you.

Command-line scanner

LeakerLens bundles a headless CLI, so the same engine runs in your terminal and in CI. Run LeakerLens: Set up agent guardrails once and it provisions a stable copy of the CLI (surviving extension updates) and writes the exact, ready-to-copy invocation into your project's AGENTS.md:

node "<path-to-provisioned-cli>" scan src            # human-readable
node "<path-to-provisioned-cli>" scan src --json     # machine-readable JSON
node "<path-to-provisioned-cli>" scan src --sarif    # SARIF 2.1.0 (GitHub code scanning, CI)

The exit code is 0 when clean and 1 when secrets are found, so it cleanly gates a CI step or a pre-push check. It respects .gitignore and the same exclusions as the editor, and prints only masked previews — never the raw secret.

MCP server (for AI coding agents)

LeakerLens bundles a local MCP server so AI coding agents — Claude Code, Cursor, VS Code agent mode — can call the detection engine directly instead of parsing CLI text. It runs over stdio, entirely on your machine, with no network calls.

You don't configure it by hand: run LeakerLens: Set up agent guardrails and LeakerLens registers itself with the agents you pick, writing an entry like this into their MCP config (.mcp.json, .vscode/mcp.json, or .cursor/mcp.json):

{
  "mcpServers": {
    "leakerlens": {
      "command": "node",
      "args": ["<path-to-provisioned-mcp-server>"]
    }
  }
}

Three tools are exposed:

Tool What it does
scan_text Scan a snippet of code/text for secrets before writing it to disk.
scan_file Scan a single file on disk.
scan_workspace Sweep the workspace (or given paths), respecting .gitignore.

Each tool returns a short human summary and a structured { findings, summary } object, byte-for-byte consistent with the CLI's --json output. Privacy: results carry only a masked preview and a non-reversible fingerprint of each match — the raw secret is never returned, not even for scan_text where the agent supplied the text.

One-step setup

Run LeakerLens: Set up agent guardrails from the command palette and LeakerLens wires itself into your agents for you: it registers the MCP server (Claude Code, Cursor, VS Code), drops a short instruction block into AGENTS.md, and offers to install the pre-commit guard — no manual config editing.

License

LeakerLens is completely free to install and use. The code is proprietary (no redistribution) — see LICENSE. Detection patterns adapted from gitleaks (MIT) are credited in THIRD_PARTY_NOTICES.md, which ships with the extension.

  • Contact us
  • Jobs
  • Privacy
  • Manage cookies
  • Terms of use
  • Trademarks
© 2026 Microsoft