Most developers know they shouldn't commit API keys. Most secret scanners will catch an AWS key sitting in your current codebase. What they won't catch is the key you deleted three commits ago -- which is still fully recoverable by anyone who clones your repo and runs git log -p.
That gap is what I built leakscan to address.
The Problem With Current-State-Only Scanners
When you delete a secret from a file and commit, the removal is recorded in git history. But the original commit that introduced the secret is still there. Every clone of your repository carries that history. Anyone -- a future contributor, a malicious actor, a job applicant reviewing your public code -- can recover those secrets.
# This recovers secrets you "deleted" months ago
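The gap between the two kinds of scan, as an added Python example (not leakscan's code): a current-state check finds nothing at HEAD, while a pass over `git log -p` patch text still reports the key from the commit that introduced it. The log text, hashes and file are constructed, the key is AWS's documented example value, and `scan_tree` and `scan_history` are hypothetical names.

```python
import re

# AWS access key IDs: "AKIA" followed by 16 upper-case letters or digits.
AWS_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
# Constructed sample data: trimmed `git log -p` output (newest first) and the
# same file at HEAD. The key is AWS's documented example value, not a live one.
SAMPLE_LOG = '''\
commit 2222222
    remove hardcoded key

diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1 +1 @@
-AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
+AWS_KEY = os.environ["AWS_KEY"]
commit 1111111
    add config

diff --git a/config.py b/config.py
--- /dev/null
+++ b/config.py
@@ -0,0 +1 @@
+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
'''
HEAD_FILES = {"config.py": 'AWS_KEY = os.environ["AWS_KEY"]\n'}

def scan_tree(files):
    """Current-state scan: only what is in the working tree right now."""
    return [(p, k) for p, text in files.items() for k in AWS_KEY_ID.findall(text)]

def scan_history(log_text):
    """History scan: every key on an added ('+') line of any commit's patch."""
    findings, commit, path, in_hunk = [], None, None, False
    for line in log_text.splitlines():
        if line.startswith("commit "):
            commit, in_hunk = line.split()[1], False
        elif line.startswith("diff --git "):
            in_hunk = False          # file headers follow, not hunk lines
        elif line.startswith("+++ ") and not in_hunk:
            path = line[4:].removeprefix("b/")
        elif line.startswith("@@"):
            in_hunk = True
        elif in_hunk and line.startswith("+"):
            findings += [(commit, path, k) for k in AWS_KEY_ID.findall(line)]
    return findings

if __name__ == "__main__":
    print("HEAD:", scan_tree(HEAD_FILES), "history:", scan_history(SAMPLE_LOG))
```

Only added lines are reported, so the commit that deletes the key produces no finding while the commit that introduced it does.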






