Coverage
A fast public pass across secrets, risky files, code smells, and repo hygiene.
The scanner is a lightweight first look. It helps you decide whether a repository needs key rotation, cleanup, or a deeper review.
Leaked provider keys
Checks common provider shapes across AI, cloud, payments, email, databases, observability, developer tools, and SaaS APIs.
- OpenAI, Anthropic, Google AI, xAI, Groq.
- AWS, Google Cloud, Supabase, Neon.
- Stripe, SendGrid, Resend, GitHub, npm.
Git history
Recent commits are checked so a key removed from the current tree does not hide in old snapshots.
- Up to 50 recent commits.
- Commit links for review.
- Masked values in results.
Risky files
Flags files that often contain secrets even when no provider token shape is detected.
.envfiles and backups.- Private keys and PEM files.
- Cloud credential folders and service account JSON.
Repo hygiene
Looks for simple guardrails that help teams handle future security reports and accidental leaks.
.gitignore,README.md, andSECURITY.md.- Unsafe code patterns worth a human look.
- Follow-up recommendations after the scan.
Results
Scan output appears here.
Start with a public repository above. Large repositories can take 20-30 seconds depending on file count and GitHub response time.
Starting scan...
0%Large repos can take 20-30 seconds.
Scan failed
No exposed keys found.
This repo looks clean from the public scan. Keep your production provider keys behind VaultProof too.
Protect production keysAfter findings
Finding a key means rotate first, then clean up.
A public scan cannot tell whether a provider key is still active. Treat exposed secrets as sensitive and use provider-side rotation before relying on repository cleanup.
-
1
Rotate the provider key
Open the provider dashboard, create a replacement key, update production, then revoke the exposed key.
-
2
Remove raw keys from app env
Run
vaultproof-initso the app uses VaultProof-managed values instead of keeping provider keys in plaintext configuration. -
3
Review history and access
Check recent commits, CI logs, hosting settings, and collaborators to understand where the key may have been exposed.
FAQ
What the scanner can and cannot promise.
Does the scanner prove a repo is safe?
No. It is a public, limited pass over common patterns. Use it as a signal, then pair it with provider rotation, code review, and stronger runtime controls.
Does VaultProof store scanned repo contents?
The public scanner returns findings and operational metadata needed to complete the scan. Do not paste private repositories or sensitive data into the public scanner.
What if my provider is not detected?
Use the docs and hosted init to protect common providers. For internal or custom APIs, run vaultproof-init custom and configure the upstream URL and header format.