Secret Guardian
Catch leaked API keys, tokens, and secrets as you type — before they hit your commits, screenshots, or screen-shares.
Most secret scanners run in CI, after the leak is already in your git history. Secret Guardian runs live, in your editor, so you see and hide secrets the moment they appear.
Features (Free)
- 🔍 Live detection of 17+ secret types as you type — AWS, GitHub, GitLab, Google, Slack, Stripe, OpenAI, SendGrid, Twilio, npm, private keys, JWTs, credentials-in-URLs, and a generic high-entropy catch-all.
- 🙈 One-click masking — detected secrets are rendered transparent with a
🔒 secret hidden overlay, so they never show up in screenshots or live demos.
- 🟡 Problems panel integration — every finding appears as a diagnostic with severity (critical / high / medium) and rule id.
- 📁 Workspace scan — sweep the whole project on demand.
- 🤫 False-positive control — inline ignore comments (
// secret-guardian-ignore, gitleaks:allow, pragma: allowlist secret), per-rule disabling, and entropy tuning.
- 🛡️ 100% local — scanning happens entirely on your machine. No code, no secrets, nothing ever leaves your editor.
Features (Pro)
- 🧩 Custom rule packs — add your own org-specific detection rules from a JSON file.
- 📊 Audit reports — export an HTML report of every finding across the workspace (location + rule only, never the secret value).
- ⚙️ CI / pre-commit generators — produce ready-to-use GitHub Actions and pre-commit configs to enforce scanning in your pipeline.
Pro is unlocked with a license key. Until purchasing is live, Pro features remain locked.
Usage
- Just start typing — secrets are flagged and masked automatically.
- Command Palette (
Ctrl/Cmd+Shift+P):
- Secret Guardian: Scan Active File
- Secret Guardian: Scan Workspace for Secrets
- Secret Guardian: Toggle Secret Masking
- The status bar shows a live count; click it to toggle masking.
Settings
| Setting |
Default |
Description |
secretGuardian.enable |
true |
Enable live scanning. |
secretGuardian.maskSecrets |
true |
Visually mask detected secrets. |
secretGuardian.scanDelayMs |
400 |
Debounce delay after edits. |
secretGuardian.disabledRules |
[] |
Rule IDs to disable. |
secretGuardian.ignoreGlobs |
node_modules, dist, … |
Paths skipped in workspace scans. |
secretGuardian.entropyThreshold |
3.5 |
Sensitivity of the generic high-entropy rule. |
Privacy
Secret Guardian performs all analysis locally inside VS Code. It makes no network calls with your code or secrets. (License validation, when enabled, sends only the license key — never your code.)
License
MIT. See LICENSE.
| |
