secscan.
find committed credentials before someone else does.
scans any source tree for github pats, aws keys, stripe / openai / anthropic / slack tokens, jwts, pem private keys. zero dependencies, redacts by default, exits 1 on findings — drop into a pre-commit hook in two lines.
npm i -g @v0idd0/secscan
22 detectors. one exit code.
patterns are tuned for high precision — we'd rather miss a weird custom format than yell about every base64 string in your codebase. each finding ships with file:line:col, severity bucket, and a redacted preview so logs stay safe to share.
scan a repo
$ secscan .
./scripts/deploy.sh:14:11
[critical] aws_access_key
./.env.example:5:9
[critical] aws_access_key
2 findings (2 critical)
json for ci
$ secscan --json .
{
  "file": "./.env.example",
  "line": 5,
  "col": 9,
  "kind": "aws_access_key",
  "severity": "critical",
  "preview": "AKIA...(12)...MPLE"
}
list every detector
critical github_pat_fine
critical aws_access_key
critical stripe_live
critical openai_key
critical anthropic_key
...
quiet on clean trees
$ echo $?
0
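how a finding like the ones above gets built, as an added illustration that is not secscan's own source: one high-precision detector, file:line:col reporting, the same edge-preserving redaction as the preview shown, and the count / exit-code contract. 1-based line and column numbers are an assumption about the page's format.

```javascript
// Added illustration, not secscan's own source: one detector that reports
// findings in the shape shown above and redacts previews the same way:
// keep 4 chars on each side, state how many are hidden in between.
const DETECTORS = [
  // AWS access key IDs: exactly 20 uppercase alphanumerics starting with AKIA.
  { kind: "aws_access_key", severity: "critical", re: /\bAKIA[0-9A-Z]{16}\b/g },
];

function redact(secret, keep = 4) {
  const hidden = secret.length - 2 * keep;
  if (hidden <= 0) return "*".repeat(secret.length); // too short to expose either end
  return `${secret.slice(0, keep)}...(${hidden})...${secret.slice(-keep)}`;
}

// Returns one finding per match; line and col are 1-based (assumption about the page's format).
function scanText(text, file) {
  const findings = [];
  text.split("\n").forEach((lineText, i) => {
    for (const d of DETECTORS) {
      d.re.lastIndex = 0; // global regex keeps state; reset per line
      let m;
      while ((m = d.re.exec(lineText)) !== null) {
        findings.push({
          file, line: i + 1, col: m.index + 1,
          kind: d.kind, severity: d.severity, preview: redact(m[0]),
        });
      }
    }
  });
  return findings;
}

// Mirrors the "N findings (M critical)" summary and the exit-code contract.
function summarize(findings) {
  const critical = findings.filter((f) => f.severity === "critical").length;
  return { count: findings.length, critical, exitCode: findings.length ? 1 : 0 };
}

// Constructed sample file. The key is the AWS documentation example ID, not a live credential;
// the last line is base64 noise that a looser detector would flag but this one ignores.
const SAMPLE = [
  "DB_HOST=localhost",
  "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",
  "TOKEN=QUtJQUlPU0ZPRE5ON0VYQU1QTEU=",
].join("\n");

const found = scanText(SAMPLE, "./.env.example");
console.log(JSON.stringify({ ...summarize(found), findings: found }, null, 2));
```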
three places it earns its keep.
npm
$ npm i -g @v0idd0/secscan
node 14+ on linux / macos / windows. zero runtime deps. updates with npm update -g.
pre-commit hook
$ secscan --json . | \
jq -e '.count == 0' > /dev/null \
|| (secscan; exit 1)
drop into .git/hooks/pre-commit. blocks the commit, prints findings, exits 1.
ci step
$ npx -y @v0idd0/secscan
no install needed in ci — npx -y runs it once. exit code 1 fails the job.
we leaked our own pat in a local checkout on this very vps. nobody noticed for months. then we wrote secscan and ran it on the studio — it caught seven more.
no telemetry. no signup. no “upgrade for the enterprise rule pack.” mit forever, even if vøiddo dies tomorrow — the source is public and the npm package is yours to fork.