SecretScanner — Catch Leaked Secrets Before They Hit Git
Scan your code for accidentally committed API keys, tokens, passwords, and connection strings. Inline warnings as you code. 30+ patterns free, 200+ with Pro.

Why SecretScanner?
Accidentally committed secrets are the #1 cause of cloud account takeovers. GitHub will email you when it detects a secret in a push — but by then it's already in your history, already indexed, and already potentially scraped.
SecretScanner catches them before the commit.
Features
Free — 30 Critical Patterns
- Scan on save — automatically scans every file you save
- Inline diagnostics — red/yellow squiggles directly on the secret line
- Scan current file — manual scan with one command
- Scan workspace — scan all files in the project
- Detects: AWS keys, GitHub tokens, Stripe keys, OpenAI keys, Google API keys, Slack tokens, Twilio, SendGrid, JWT secrets, database connection strings, SSH/RSA private keys, and more
- Git history scan — scan every commit ever made in the repo for leaked secrets
- Remediation guide — step-by-step instructions for rotating each type of secret
- 200+ patterns — Azure, GCP, Shopify, Discord, Telegram, PayPal, Square, Cloudflare, Netlify, Vercel, Mapbox, and more
- Custom patterns (roadmap) — define your own secret patterns
Getting Started
- Install the extension — scanning activates automatically on file save
- Open Command Palette → `SecretScanner: Scan Current File` for an immediate scan
- Check the Problems panel (`Cmd+Shift+M`) for all detected secrets
Commands
| Command | Description | Tier |
| --- | --- | --- |
| `SecretScanner: Scan Current File` | Scan the open file | Free |
| `SecretScanner: Scan Entire Workspace` | Scan all project files | Free |
| `SecretScanner: Scan Full Git History` | Scan all commits | Pro |
| `SecretScanner: Show Remediation Guide` | How to rotate each secret type | Pro |
Severity Levels
| Level | Examples |
| --- | --- |
| 🔴 Critical | AWS keys, database passwords, private keys, Stripe live keys |
| 🟡 High | GitHub tokens, Slack tokens, Google API keys, Twilio SIDs |
| 🔵 Medium | Generic secret assignments, hardcoded IPs, long base64 strings |
Pro License
Get a Pro license at marketplace.dashovia.com/extensions/secret-scanner
- Open VSCode Settings → search `secretscanner.licenseKey`
- Paste your license key → Pro activates instantly on up to 3 devices
Privacy
SecretScanner runs entirely locally. No file contents are ever sent to any server. License validation only sends a hashed machine ID and your license key.
Feedback & Issues
Part of the DevExtend suite — VSCode extensions built for real developer problems.