Secret Scanner
Secret Scanner is a powerful VS Code extension that detects API keys, tokens, and other secrets in your codebase to prevent accidental leaks.
Features
- Detects hardcoded secrets (API keys, tokens, credentials)
- Real-time scanning on file save or startup
- Context menu support in Explorer and Editor
- Custom external scanner binary support
- Automatic binary installation (Linux/macOS only)
- Smart binary fallback: Global → Local → Auto-download
- SHA256 integrity verification for secure downloads
- Visual progress feedback during scans
- Cross-platform support (Linux and macOS)
- Seamless experience — no manual setup required on supported systems
❗ Note: Currently supported only on Linux and macOS. Prebuilt binaries are provided for these platforms. Windows is not yet supported.
Configuration
Customize the extension from VS Code settings:
Setting |
Description |
Default |
secret-scanner.autoScanOnSave |
Automatically scan when a file is saved |
false |
secret-scanner.scanOnStartup |
Scan all files on startup |
false |
secret-scanner.showNotifications |
Show scan result popups |
true |
secret-scanner.customScannerPath |
Path to custom scanner binary |
"" |
Commands
Use the Command Palette (Ctrl+Shift+P
) or right-click in the Explorer/Editor:
Secret Scanner: Scan for Secrets
Secret Scanner: Scan Workspace for Secrets
Secret Scanner: Clear Scan Results
📦 Binary Setup
The extension uses a native C++ binary to scan files efficiently.
- Linux and macOS (automatic download supported)
- Windows not supported yet
Manual Installation (Windows)
Note: Currently, Windows is not supported for automatic binary setup.
To use Secret Scanner on Windows, you’ll need to set it up manually by building the scanner locally.
Steps:
Clone the project:
git clone https://github.com/drona-gyawali/secret-scanner.git
Follow the build instructions provided in the repo's README to compile the scanner binary for Windows.
Once built, locate the output file (e.g., secret_scanner.exe
).
Move it to a preferred location (e.g., C:\Tools\SecretScanner
).
In VS Code settings, configure the path:
secret-scanner.customScannerPath = "C:\\Tools\\SecretScanner\\secret_scanner.exe"
Restart VS Code.
You can find full instructions and the source code at:
secret-scanner
How it Works
Smart detection order:
- Uses globally installed binary (e.g., in
~/.local/bin
)
- Falls back to local workspace binary
- Automatically downloads from GitHub releases if needed
Security
- Verifies the binary using SHA256 hash
No Manual Setup
- If a supported OS is detected, everything is handled automatically
Manual Download
If you'd prefer or need to install the binary manually, download the latest prebuilt version from the GitHub Releases Page.
To build it yourself, follow these instructions.
Screenshots
Trigger scan from sidebar

Terminal with scan results

Editor highlighting

🤝 Connect with Us
