SecretGuard - Catch Hardcoded Secrets & API Keys


Khushwant R | 2 installs | (0) | Free
Flags hardcoded API keys, tokens, private keys, and secrets in your code before they get committed. Catches secrets that AI assistants and quick copy-paste leave behind.
Installation
Launch VS Code Quick Open (Ctrl+P), paste the following command, and press enter.

SecretGuard

It's way too easy to leave a secret in your code. You paste an API key "just to test it," an AI assistant inlines a real-looking token, or a password slips into a config file. The trouble is that once a secret is committed, it's already compromised — deleting it later doesn't help, because it lives on in your git history.

SecretGuard watches for hardcoded secrets while you work and flags them before they ever reach a commit. It scans when you open a file and every time you save.

What it catches

Known credentials (flagged as errors): AWS keys, GitHub and GitLab tokens, OpenAI and Anthropic API keys, Stripe keys, Google API keys and OAuth secrets, Slack tokens and webhooks, SendGrid, Twilio, npm tokens, private key blocks, and JWTs.

Anything that looks like a secret (flagged as warnings): any value assigned to a secret-ish name such as apiKey, password, token, secret, or clientSecret. SecretGuard is intentionally aggressive here — it would rather flag something you can quickly dismiss than miss a real key. Obvious placeholders like YOUR_API_KEY, process.env.X, <your-key>, and ******** are left alone.

Secret values are always shown truncated (like sk-a…2f), so the extension never prints your full key back at you.

How to use it

There's nothing to set up. Open any code or config file and SecretGuard scans it automatically. Findings appear as underlines in the editor and in the Problems panel (Ctrl+Shift+M / Cmd+Shift+M).

To scan on demand, open the Command Palette (Ctrl+Shift+P) and run:

  • SecretGuard: Scan Current File
  • SecretGuard: Scan Entire Workspace

Got a false positive?

Add a comment containing secretguard-ignore on the same line and SecretGuard will skip it:

const sample = "AKIAIOSFODNN7EXAMPLE"; // secretguard-ignore (docs example)
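
The two-tier detection, placeholder skipping, truncated preview and inline ignore described above, as an added example in JavaScript. This is not SecretGuard's own code: the regexes, rule names and the `scan` and `truncate` functions are assumptions, and the sample lines are constructed.

```javascript
// Added illustration; NOT SecretGuard's source. Patterns and names are assumptions.
// Tier 1: well-known provider formats, reported as errors.
const KNOWN = [
  { id: "aws-access-key-id", re: /\b(?:AKIA|ASIA)[0-9A-Z]{16}\b/ },
  { id: "github-token", re: /\bgh[pousr]_[A-Za-z0-9]{36,}\b/ },
  { id: "private-key-block", re: /-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----/ },
];
// Tier 2: a quoted value assigned to a secret-ish name, reported as a warning.
const GENERIC = /\b\w*(?:api_?key|password|token|secret)\w*["']?\s*[:=]\s*(["'`])(.+?)\1/i;
// Values that are obviously placeholders and should not be flagged.
const PLACEHOLDER = /^(?:YOUR_[A-Z0-9_]+|<[^>]+>|\*+|process\.env\.\w+)$/i;

// Show only the edges of a value (e.g. "sk-a…2f"); short values are hidden entirely.
function truncate(v) {
  return v.length <= 8 ? "…" : v.slice(0, 4) + "…" + v.slice(-2);
}

function scan(text, { scanGenericAssignments = true } = {}) {
  const findings = [];
  text.split(/\r?\n/).forEach((line, i) => {
    if (line.includes("secretguard-ignore")) return; // inline suppression
    const known = KNOWN.find((k) => k.re.test(line));
    if (known) {
      const value = line.match(known.re)[0];
      findings.push({ line: i + 1, severity: "error", rule: known.id, preview: truncate(value) });
      return;
    }
    if (!scanGenericAssignments) return; // high-confidence formats only
    const g = GENERIC.exec(line);
    if (g && !PLACEHOLDER.test(g[2])) {
      findings.push({ line: i + 1, severity: "warning", rule: "generic-assignment", preview: truncate(g[2]) });
    }
  });
  return findings;
}

// Constructed sample input (no real credentials).
const SAMPLE = [
  'const sample = "AKIAIOSFODNN7EXAMPLE"; // secretguard-ignore (docs example)',
  'const awsKey = "AKIAIOSFODNN7EXAMPLE";',
  'const apiKey = "YOUR_API_KEY";',
  'const dbPassword = "hunter2-not-a-placeholder";',
  'const token = process.env.TOKEN;',
].join("\n");

console.log(scan(SAMPLE));
```

Only lines 2 and 4 of the sample are reported: line 1 is suppressed by the comment, line 3 is a placeholder, and line 5 reads from the environment instead of embedding a value.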

Settings

  • secretguard.enableOnSave — scan automatically on save (on by default).
  • secretguard.scanGenericAssignments — also flag any secret-looking assignment, not just the known provider formats (on by default). Turn it off if you only want high-confidence credentials flagged.

Support

If SecretGuard saved you from a security breach, consider giving it a ⭐ on GitHub and a review on the VS Code Marketplace!

License

Proprietary — all rights reserved. See LICENSE.
