API Shield
Real-time API key & secret leak detector for VS Code
Catch leaked credentials before they reach Git — 100% local, zero cloud dependencies.
Why API Shield?
You paste an API key into your code "just for testing" — then git push. Within minutes, automated bots have already harvested it.
API Shield eliminates this risk entirely. It scans your code in real-time, directly inside VS Code — no cloud, no APIs, no telemetry. Every keystroke is checked locally on your machine.

⚡ Key Features
🔴 Instant Inline Detection — Red squiggly underlines the moment you type an API key. No CI/CD wait.
🧠 4-Layer Scan Engine — Pre-filter → 30+ regex patterns → Shannon entropy analysis → false positive elimination.
📋 Secrets Panel — A dedicated sidebar showing all detected secrets organized by file, line, and type.
🚫 Pre-Commit Hook — Blocks git commit if secrets are staged. 30+ patterns, cross-platform.
🔒 .gitignore Guardian — Warns if .env, mcp.json, or other sensitive files are missing from .gitignore, with one-click fix.
💡 Quick Fix Actions — Lightbulb menu to whitelist a line or add a file to .gitignore instantly.
📊 Rich Tooltips — Severity badges (🔴 CRITICAL / 🟠 HIGH / 🟡 MEDIUM), provider name, and context-specific remediation tips.
📄 Security Reports — Export scan results as Markdown or JSON.
🔐 100% Private — No network calls, no telemetry, works fully offline.
🧠 How It Works
| Layer | Purpose | Speed |
|---|---|---|
| Layer 0 | Skip build artifacts — .min.js, .map, .bundle.js | ⚡ Instant |
| Layer 1 | Fast regex pre-filter — eliminates ~80% of lines | ⚡ Instant |
| Layer 2 | 30+ provider-specific regex patterns with context matching | Fast |
| Layer 3 | Shannon entropy analysis (≥ 4.5) — catches unknown secret formats | Fast |
| Layer 4 | False positive elimination — UUIDs, hex hashes, URLs, test data | Fast |
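The layered pipeline from the table, as an added TypeScript example that is not API Shield's own code: the pattern subset, the token shapes used by the pre-filter and the sample lines are assumptions (the AKIA value is AWS's published documentation example, not a live key).

```typescript
// Added example, not API Shield's own code; patterns, token shapes and sample lines are assumptions.
interface Finding { line: number; type: string; severity: string; match: string; }
// Layer 0: build artifacts are never scanned.
function shouldSkipFile(path: string): boolean {
  return /\.(min\.js|map|bundle\.js)$/.test(path);
}
// Layer 2 (assumed subset): provider patterns anchored on prefixes the README lists.
const PATTERNS: { name: string; severity: string; re: RegExp }[] = [
  { name: "OpenAI API Key",       severity: "CRITICAL", re: /\bsk-proj-[A-Za-z0-9_-]{20,}/ },
  { name: "AWS Access Key ID",    severity: "CRITICAL", re: /\bAKIA[0-9A-Z]{16}\b/ },
  { name: "Stripe Live Secret",   severity: "CRITICAL", re: /\bsk_live_[A-Za-z0-9]{16,}\b/ },
  { name: "GitHub PAT (classic)", severity: "HIGH",     re: /\bghp_[A-Za-z0-9]{36}\b/ },
];
// Layer 3: Shannon entropy in bits per character over the token's own alphabet.
function shannonEntropy(s: string): number {
  const counts: Record<string, number> = {};
  for (const ch of s.split("")) counts[ch] = (counts[ch] ?? 0) + 1;
  let h = 0;
  for (const k in counts) { const p = counts[k] / s.length; h -= p * Math.log(p) / Math.LN2; }
  return h;
}
// Layer 4: random-looking shapes that are not credentials. Note that a hex alphabet caps
// entropy at 4 bits/char, so digests and UUIDs rarely reach the 4.5 threshold anyway.
function isKnownFalsePositive(tok: string): boolean {
  return /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i.test(tok) // UUID
      || /^[0-9a-f]{32,64}$/i.test(tok)   // MD5 / SHA-1 / SHA-256 hex digest
      || /^https?:\/\//i.test(tok);       // URL
}
function scanLine(line: string, lineNo: number): Finding | null {
  // Layer 1: a secret is a long token after '=' or ':', so most source lines exit here.
  if (!/[=:]\s*['"`]?[A-Za-z0-9_\/+.:-]{16,}/.test(line)) return null;
  for (const p of PATTERNS) {
    const m = p.re.exec(line);
    if (m) return { line: lineNo, type: p.name, severity: p.severity, match: m[0] };
  }
  // Unknown formats: any long token whose entropy reaches 4.5 bits/char.
  for (const tok of line.match(/[A-Za-z0-9_\/+=.:-]{32,}/g) ?? []) {
    if (shannonEntropy(tok) >= 4.5 && !isKnownFalsePositive(tok))
      return { line: lineNo, type: "High-entropy string", severity: "MEDIUM", match: tok };
  }
  return null;
}
const scanText = (text: string): Finding[] =>
  text.split("\n").map((l, i) => scanLine(l, i + 1)).filter((f): f is Finding => f !== null);
// Constructed sample: the AKIA value is AWS's published documentation example, not a live key.
const SAMPLE = ['const apiUrl = "https://api.example.com/v1";', "aws_access_key_id = AKIAIOSFODNN7EXAMPLE",
  'const digest = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855";',
  'token = "abcdefghijklmnopqrstuvwxyz012345"'].join("\n");
```

Running `scanText(SAMPLE)` reports the AWS key on line 2 and the 32-symbol token on line 4, while the URL and the SHA-256 digest produce nothing.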
🛡 Built-In Patterns
AI & LLM
- OpenAI (`sk-proj-`)
- Anthropic (`sk-ant-`)
- Google Gemini (`AIza`)
- Deepseek, xAI, Perplexity
- Hugging Face (`hf_`)
- Mistral, Cohere

Cloud
- AWS (`AKIA`)
- Azure Client Secret
- DigitalOcean (`dop_v1_`)
- Vercel, Netlify

Payment
- Stripe (`sk_live_`)
- Razorpay, Square
- PayPal, Paddle

Communication
- Slack (`xoxb-`, `xoxp-`)
- Twilio, SendGrid
- Discord, Telegram

Dev Tools
- GitHub PAT (`ghp_`)
- GitLab (`glpat-`)
- npm (`npm_`)

Databases
- PostgreSQL, MySQL
- MongoDB, Redis
- Firebase Config

Private Keys — RSA, DSA, EC, OpenSSH, PKCS8, PGP
📋 Secrets Panel
A sidebar TreeView organized as File → Line → Secret Type. Click any item to jump directly to the code.

🚫 Pre-Commit Hook
Blocks git commit when secrets are staged. Severity-grouped output with actionable fix instructions.

```text
🛡️ API Shield: Scanning staged files for secrets...
❌ API Shield blocked your commit!
═══════════════════════════════════════
🔴 2 CRITICAL secrets:
  AWS Secret Access Key → config.json:14
  Stripe Live Secret Key → payment.ts:8
🟠 1 HIGH secret:
  GitHub PAT (classic) → deploy.sh:3
═══════════════════════════════════════
Fix: Remove secrets or move to .env + .gitignore
Override: git commit --no-verify
```
📦 Installation
```bash
git clone https://github.com/abdussamadarefi/apishield.git
cd apishield
npm install
npm run compile
```
🎮 Commands
Access via Ctrl+Shift+P (or Cmd+Shift+P on macOS):
| Command | Description |
|---|---|
| API Shield: Scan Workspace | Full background scan of all files |
| API Shield: Scan Current File | Scan the active editor |
| API Shield: Scan Git History | Deep scan across all Git commits |
| API Shield: Show Secrets Panel | Open the sidebar TreeView |
| API Shield: Export Security Report | Generate Markdown or JSON report |
| API Shield: Install Pre-commit Hook | Set up the Git hook |
| API Shield: Uninstall Pre-commit Hook | Remove the Git hook |
| API Shield: Add to .gitignore | Add current file to .gitignore |
| API Shield: Whitelist Current Line | Insert disable-next-line comment |
| API Shield: Clear All Whitelisted | Remove all whitelist comments in file |
| API Shield: Toggle Extension | Enable / disable without uninstalling |
⚙️ Configuration
Add to .vscode/settings.json:
```jsonc
{
  // Core
  "apishield.enabled": true,
  "apishield.severity.minimum": "high", // "critical" | "high" | "medium" | "all"

  // Scanning
  "apishield.scanOnOpen": true,
  "apishield.scanOnType": true, // 300ms debounce
  "apishield.scanOnSave": true,

  // Pre-commit Hook
  "apishield.precommitHook.enabled": true,
  "apishield.precommitHook.blockCommit": true, // false = warn only

  // .gitignore Guardian
  "apishield.gitignoreCheck.enabled": true,
  "apishield.gitignoreCheck.autoSuggest": true,

  // Display
  "apishield.showStatusBar": true,
  "apishield.showInlineDecorations": true,
  "apishield.maxFileSize": 5, // MB

  // Custom Patterns
  "apishield.customPatterns": [
    {
      "name": "Internal Auth Token",
      "pattern": "INT-AUTH-[A-Z0-9]{32}",
      "severity": "critical"
    }
  ],

  // Ignore false positives
  "apishield.allowedPatterns": []
}
```
🙈 Handling False Positives
Inline Whitelisting
```javascript
// apishield-disable-next-line
const TEST_KEY = "sk-proj-thisisnotarealkey1234567890abcdef";
```
Global Ignore File
Create .apishieldignore in your project root (.gitignore syntax):
```text
test/**
fixtures/**
__mocks__/**
```
Allowed Patterns
Add regex patterns to apishield.allowedPatterns in settings to suppress specific matches globally.
🏗 Project Structure
```text
API Shield
├── engine/
│   ├── scanner.ts              # 4-layer scanning core
│   ├── patterns.ts             # 30+ detection patterns
│   └── entropy.ts              # Shannon entropy calculator
├── providers/
│   ├── diagnostics.ts          # Tooltips + Code Actions
│   └── secretsTreeProvider.ts  # Sidebar TreeView
├── features/
│   ├── gitignoreGuardian.ts    # .gitignore safety checks
│   ├── gitHistoryScanner.ts    # Git log deep scan
│   └── reportExporter.ts       # Security report generator
├── hooks/
│   └── precommitInstaller.ts   # Pre-commit hook manager
└── scripts/
    └── precommit-hook.js       # Standalone hook scanner
```
📄 License
MIT © abdussamadarefi
Built with ❤️ to keep your secrets safe.
Stop leaked keys. Ship with confidence.