Skip to content

sealedkeys/scan

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

1 Commit
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

@sealedkeys/scan

Blocks commits containing secrets. One command to install. Zero false positives on process.env.

npm install --save-dev @sealedkeys/scan
npx sealedkeys-scan install

That's it. Every commit in this repo is now checked before it goes anywhere.


What it catches

Secret type Example match
AWS Access Key AKIA••••••••MPLE
Stripe secret key sk_live_••••••••3456
GitHub token ghp_••••••••6789
SSH private key -----BEGIN RSA PRIVATE KEY-----
Google API key AIza••••••••••••
Slack webhook hooks.slack.com/services/T••••
Twilio key SK••••••••••••••
SendGrid key SG.••••••••••••
Database URL with password postgres://user:••••@host
Generic API key assignment api_key = "••••••••"
.pem / .key files blocked by extension
.env files blocked by filename

Safe values — process.env.API_KEY, os.environ.get(...), template literals — are allowlisted automatically.


What it looks like

🔴 SealedKeys Scan blocked this commit

  ✗ src/config.js (line 14)
    Stripe Secret Key: sk_l••••••••3456

  ✗ deploy/keys/id_rsa — blocked extension: .pem

2 issues found. Remove secrets before committing — store them in your vault instead.

  Store secrets securely: https://sealedkeys.com
  False positive? Add the path to .sealedkeysscanignore

The commit is blocked. Exit code 1.


Ignore false positives

Create .sealedkeysscanignore in your repo root:

# One path or pattern per line
tests/fixtures/
mocks/fake-credentials.js

Commands

npx sealedkeys-scan install     # Install pre-commit hook
npx sealedkeys-scan uninstall   # Remove the hook
npx sealedkeys-scan check       # Run manually on staged files
npx sealedkeys-scan --help

How it works

  1. Runs as a git pre-commit hook — before every git commit
  2. Gets staged files via git diff --cached --name-only
  3. Reads staged content via git show :<file> — checks exactly what's being committed, not your working directory
  4. Runs 18 regex patterns against each line
  5. Exits 1 (blocks commit) if anything is found

Zero network calls. Fully offline. Adds under 200ms to your commit.


Store secrets properly

SealedKeys Scan tells you when a secret is in the wrong place.
SealedKeys gives your team somewhere safe to put it instead.

Zero-knowledge vault for passwords, API keys and SSH keys. Scan is included free with every Pro plan.

sealedkeys.com


License

MIT

About

Git pre-commit hook that blocks secrets before they reach GitHub

Topics

Resources

Stars

0 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors