🐾 Keyhound — Secret & Auth Safety
Keyhound warns you the instant a weak JWT secret, hardcoded API key, private key, or unsafe TLS setting sneaks into your code — because nothing else does.
Most secret leaks don't happen because developers are careless. They happen because nothing warns them in the moment. Keyhound sits quietly in your editor and barks the second something dangerous appears — right on the line, as you type.
What it catches
- Weak, default, or empty secrets —
JWT_SECRET = "changeme", empty session secrets, placeholder values attackers try first.
- Hardcoded provider credentials — AWS, Google, GitHub, Slack, Stripe (live keys), npm, OpenAI, and private-key blocks.
- Dangerous fallbacks —
process.env.JWT_SECRET || "dev-secret" that silently becomes your real secret in production.
- Weak JWT signing —
jwt.sign(payload, "abc") that lets anyone forge valid tokens.
- Disabled TLS verification —
NODE_TLS_REJECT_UNAUTHORIZED=0, verify=False — open doors to man-in-the-middle attacks.
.env not in .gitignore — one click to fix before it gets committed.
Why it's different
- Live, in the moment. Squiggles appear as you type — not in a CI run 20 minutes later when it's already pushed.
- Low noise. Strong, random secrets are left alone. Keyhound flags what's actually risky, not everything that looks like a string.
- 100% local. Your code never leaves your machine. No account, no server, no telemetry.
Usage
Keyhound runs automatically. You can also:
- Keyhound: Scan Current File — re-scan the active file.
- Keyhound: Scan Workspace for Secrets — sweep the whole project; results land in the Problems panel.
Settings
| Setting |
Default |
Description |
keyhound.enableLiveScan |
true |
Scan files live as you open, edit, and save. |
keyhound.minSecretLength |
16 |
Secrets shorter than this are flagged as weak. |
Roadmap (Pro — coming soon)
The core scanner above is free, forever. A future Pro tier will add: git pre-commit hook, CI report export, custom organization rule packs, and team dashboards. No dates promised — it ships when it's genuinely good.
Keyhound keeps your secrets where they belong: out of your repo.
| |