Scan Secrets in Text — Pattern Detector

Scan pasted text for secret-like patterns (AWS keys, GitHub PATs, PEM keys, and more). Documented subset — not a gitleaks-class repo scanner.

Loading…
Secrets scan (paste)
Find secret-like patterns in pasted text. Fixed documented detector list — not a gitleaks equivalent.

Developer notes

• v1 detectors: pem_private_key, aws_access_key_id, github_pat, slack_token, generic_assignment, jwt_compact (opt-in), high_entropy_string (opt-in). • Redaction: first 4 + last 4 chars (full mask if length < 12). • validate-env (DevOps) mainly warns on secret-looking .env key names — complementary. • 512 KB limit.

Options

Severity floor
all = every hit; high = high-severity detectors only.
Entropy hints
Enables noisy entropy heuristics — off by default.
Include JWT
Detects compact JWT tokens (low severity). Prefer jwt-decode to read a JWT.

When teams pick this route

• Quick check of a paste before posting to a ticket. • Spot an obvious GitHub PAT or AWS access key. • Reduce noise with high-only severity floor.

Worked examples

Fake AKIA + ghp

Before

AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE GITHUB_TOKEN=ghp_TESTONLYabcdefghijklmnopqrstuv password=notarealsecret123

After (hits)

aws_access_key_id · AKIA…MPLE github_pat · ghp_…tuv

severityFloor=high

Before

password=notarealsecret123 AKIAIOSFODNN7EXAMPLE

After (hits)

Only aws_access_key_id (high); generic_assignment omitted

Related tools

For .env key-name warnings use validate-env. For a compact JWT: jwt-decode. Hub: security tools.

Scan secrets FAQ

Documented subset

When should I use validate-env?

validate-env validates .env structure and flags suspicious key names. scan-secrets looks for secret-like value patterns in any pasted text. An empty validate-env result is not the same signal as soft-empty here.

When should I use jwt-decode?

To read a JWT header/payload, use jwt-decode. This scanner’s includeJwt option is off by default to avoid false positives.

Is this a full repository secrets scanner?

No. It is a documented pattern subset for pasted text — not a repository walk or enterprise rule pack.

Which detectors are included?

pem_private_key, aws_access_key_id, github_pat, slack_token, generic_assignment; jwt_compact and high_entropy_string are opt-in.

More security tools in this cluster

Looking for converters, encoders, formatters, and minifiers in one place? Developer tools hub Open the curated developer tools catalogue.