Code Secret Scanner

Scan code files for hardcoded secrets before sharing with AI


Before you paste code into ChatGPT, Claude, Copilot Chat, or any other external assistant, it pays to check that you are not handing over live credentials. The code secret scanner matches your snippet against a library of patterns for API keys, private keys, passwords, tokens, and connection strings, and flags anything that looks sensitive — all without your code ever leaving the browser.

How it works

The scanner runs a set of regular expressions over each line of the text you paste. Some patterns are precise (an AWS access key ID, an OpenAI sk- key, a PEM private-key header); others are heuristic (a long high-entropy string, or an assignment to a variable whose name contains secret, password, token, or api_key). Every match is reported with the line number, the matched fragment, and a severity so you can quickly decide what to redact. Because everything is local JavaScript, scanning a file full of real secrets here is safe.
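The following is an added example of the approach described above, written in plain JavaScript so it can run in a browser or in Node; it is not the tool's own source. The rule list, the severities, the 3.5 bits-per-character entropy threshold and the sample input are all assumptions chosen for illustration (the AWS key in the sample is the placeholder value used in AWS's own documentation). Precise rules run first, so a fragment they already cover is not reported a second time by the name-based or entropy-based heuristics, and a small `redact` helper applies the placeholder substitution recommended in the tips.

```javascript
// Added example (not the tool's own source): a line-by-line secret scanner.
// Rules, severities and the entropy threshold are illustrative assumptions.

const PLACEHOLDER = "<REDACTED>";

const PATTERNS = [
  // Precise rules: distinctive prefixes or headers that rarely occur by accident.
  { name: "AWS access key ID", severity: "high", re: /\bAKIA[0-9A-Z]{16}\b/ },
  { name: "OpenAI API key", severity: "high", re: /\bsk-[A-Za-z0-9]{20,}\b/ },
  { name: "PEM private key header", severity: "high",
    re: /-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----/ },
  // Only the password part (group 2) is reported, so the host stays readable.
  { name: "Connection string password", severity: "high", group: 2,
    re: /(\b\w+:\/\/[^\s:@/]+:)([^\s@/]+)(@[^\s/]+)/ },
  // Heuristic rule: a sensitive-looking name assigned a quoted literal (group 2).
  { name: "Sensitive variable assignment", severity: "medium", group: 2,
    re: /\b\w*(secret|password|passwd|token|api[_-]?key)\w*\s*[:=]\s*["'`]([^"'`]{6,})["'`]/i },
];

const ENTROPY_THRESHOLD = 3.5; // bits per character; a hex string maxes out at 4.0

// Shannon entropy of a string in bits per character.
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const c of counts.values()) {
    const p = c / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Scan text and return [{ line, rule, severity, fragment }], one entry per distinct secret.
function scanText(text) {
  const findings = [];
  text.split(/\r?\n/).forEach((line, idx) => {
    const lineNo = idx + 1;
    // Earlier (more precise) rules win: skip a fragment already covered on this line,
    // and never report the placeholder left behind by a previous redaction pass.
    const add = (rule, severity, fragment) => {
      if (fragment === PLACEHOLDER) return;
      const covered = findings.some(f => f.line === lineNo && f.fragment.includes(fragment));
      if (!covered) findings.push({ line: lineNo, rule, severity, fragment });
    };
    for (const p of PATTERNS) {
      const m = line.match(p.re);
      if (m) add(p.name, p.severity, m[p.group || 0]);
    }
    // Heuristic: long (20+ chars) high-entropy tokens that look like generated keys.
    for (const tok of line.match(/[A-Za-z0-9+\/=_-]{20,}/g) || []) {
      if (shannonEntropy(tok) >= ENTROPY_THRESHOLD) add("High-entropy string", "low", tok);
    }
  });
  return findings;
}

// Replace every flagged fragment with the placeholder, keeping the code structure intact.
function redact(text) {
  const findings = scanText(text);
  return text.split(/\r?\n/).map((line, idx) => {
    for (const f of findings) {
      if (f.line === idx + 1) line = line.split(f.fragment).join(PLACEHOLDER);
    }
    return line;
  }).join("\n");
}

// Constructed sample input; every value below is made up for this example.
const SAMPLE = [
  "import os",
  'AWS_KEY = "AKIAIOSFODNN7EXAMPLE"',
  'openai.api_key = "sk-abcdefghijklmnopqrstuvwxyz123456"',
  'DB_URL = "postgres://app:Sup3rS3cret@db.internal:5432/app"',
  'password = "hunter2hunter2"',
  'signing_key = "9f8e7d6c5b4a39281706f5e4d3c2b1a0f0e1d2c3"',
  "retries = 3",
].join("\n");

for (const f of scanText(SAMPLE)) {
  console.log(`line ${f.line} [${f.severity}] ${f.rule}: ${f.fragment}`);
}
console.log(redact(SAMPLE));
```

Running it reports five findings on the sample (lines 2 to 6) and then prints the redacted copy; scanning that redacted copy again yields nothing, which is a useful self-check before pasting. The `signing_key` line shows why the entropy heuristic exists: its name matches no keyword, so only the randomness of the value gives it away, while `retries = 3` stays quiet.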

Tips and notes

  • Redact, do not just delete. Replace a secret with a placeholder like <REDACTED> so the AI still understands the code structure.
  • Rotate anything that already leaked. If a key was pasted somewhere untrusted, the only safe fix is to revoke and reissue it.
  • A clean scan is not a guarantee. Custom or obfuscated secrets can slip past pattern matching — review the code yourself too.
  • Prefer environment variables. The cleanest fix is to never hardcode the secret in the first place; reference it from the environment instead.