Scan Secrets in Text — Pattern Detector
Scan pasted text for secret-like patterns (AWS keys, GitHub PATs, PEM keys, and more). Documented subset — not a gitleaks-class repo scanner.
Developer notes
• v1 detectors: pem_private_key, aws_access_key_id, github_pat, slack_token, generic_assignment, jwt_compact (opt-in), high_entropy_string (opt-in). • Redaction: first 4 + last 4 chars (full mask if length < 12). • validate-env (DevOps) mainly warns on secret-looking .env key names — complementary. • 512 KB limit.
Options
When teams pick this route
• Quick check of a paste before posting to a ticket. • Spot an obvious GitHub PAT or AWS access key. • Reduce noise with high-only severity floor.
Worked examples
Fake AKIA + ghp
Before
After (hits)
severityFloor=high
Before
After (hits)
Related tools
For .env key-name warnings use validate-env. For a compact JWT: jwt-decode. Hub: security tools.
Scan secrets FAQ
Documented subset
When should I use validate-env?
validate-env validates .env structure and flags suspicious key names. scan-secrets looks for secret-like value patterns in any pasted text. An empty validate-env result is not the same signal as soft-empty here.
When should I use jwt-decode?
To read a JWT header/payload, use jwt-decode. This scanner’s includeJwt option is off by default to avoid false positives.
Is this a full repository secrets scanner?
No. It is a documented pattern subset for pasted text — not a repository walk or enterprise rule pack.
Which detectors are included?
pem_private_key, aws_access_key_id, github_pat, slack_token, generic_assignment; jwt_compact and high_entropy_string are opt-in.
More security tools in this cluster
Looking for converters, encoders, formatters, and minifiers in one place? Developer tools hub Open the curated developer tools catalogue.