Repo Secret Scanner

Scan a public GitHub repository for exposed credentials — AWS keys, GitHub tokens, Slack tokens, Stripe keys, private keys, and more. Nothing is cloned; files are read directly via the GitHub API.

Limitations
  • Public repositories only — private repos are not supported.
  • Scans current file state only, not full git history. A secret committed and later removed will not be found.
  • Static regex and entropy analysis cannot catch secrets built at runtime, split across lines, or obfuscated before commit.
  • Scans are capped at 500 files and 1 MB per file. Larger repos will show a partial scan warning.
  • "Low" severity entropy matches have a higher false-positive rate than pattern-matched findings — verify manually before rotating.
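
Example of the two detection passes the limitations above refer to, written for this page as an illustration (it is not the scanner's own code): regex rules for known prefixes, a Shannon-entropy pass that reports only at "low" severity, and the per-file size cap, run over constructed sample files. The rule list, the 4.5 bits/char threshold and the sample file contents are assumptions; deploy.sh shows a key assembled from two halves at runtime, which a static scan cannot see.

```python
import math
import re

# Pattern rules (rule, regex, severity); prefixes are the publicly documented formats, list is illustrative.
PATTERNS = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b"), "high"),
    ("github_pat", re.compile(r"\bghp_[A-Za-z0-9]{36}\b"), "high"),
    ("private_key", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"), "high"),
]
CANDIDATE = re.compile(r"[A-Za-z0-9+/=_-]{24,}")  # long tokens worth an entropy check
ENTROPY_THRESHOLD = 4.5  # bits/char (assumed); random base64 sits near 5-6, prose and placeholders well below
MAX_FILE_BYTES = 1_000_000  # mirrors the 1 MB per-file cap

def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits per character (0.0 for an empty string)."""
    probs = [s.count(c) / len(s) for c in set(s)]
    return -sum(p * math.log2(p) for p in probs) if probs else 0.0

def scan_text(path: str, text: str) -> list[dict]:
    """Scan one file's current content; each finding carries rule and severity."""
    if len(text.encode("utf-8")) > MAX_FILE_BYTES:
        return [{"path": path, "line": 0, "rule": "skipped_oversize", "severity": "info", "match": ""}]
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        explained = []  # substrings a pattern rule already accounted for on this line
        for rule, rx, sev in PATTERNS:
            for m in rx.finditer(line):
                explained.append(m.group(0))
                findings.append({"path": path, "line": lineno, "rule": rule, "severity": sev, "match": m.group(0)})
        # Entropy pass: catches formats with no known prefix, but only at "low"
        # severity, since hashes, IDs and base64 blobs look the same to it.
        for m in CANDIDATE.finditer(line):
            tok = m.group(0)
            if any(tok in e or e in tok for e in explained):
                continue
            if shannon_entropy(tok) >= ENTROPY_THRESHOLD:
                findings.append({"path": path, "line": lineno, "rule": "high_entropy_string", "severity": "low", "match": tok})
    return findings

# Constructed sample files (no real credentials). deploy.sh assembles the key
# from two halves at runtime, which is exactly what a static scan cannot see.
SAMPLE_REPO = {
    "config/settings.py": (
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        'GITHUB_TOKEN = "ghp_A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q7r8"\n'
        'API_SECRET = "aB3cD4eF5gH6iJ7kL8mN9oP0qR1sT2uV"\n'
        'PLACEHOLDER = "CHANGEMECHANGEMECHANGEMECHANGEME"\n'
    ),
    "scripts/deploy.sh": 'KEY_A="AKIAIOSFOD"\nKEY_B="NN7EXAMPLE"\nexport AWS_ACCESS_KEY_ID="$KEY_A$KEY_B"\n',
}
```

Running `scan_text` over `SAMPLE_REPO` reports the AWS key and GitHub token as "high", the random-looking API_SECRET as "low", nothing for the repeated placeholder, and nothing at all for deploy.sh.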