Browser-based secret scanner that runs 100% locally. Detect hardcoded API keys, tokens, and credentials in your code without sending data anywhere.
- 100% Private: All scanning happens in your browser - your code never leaves your machine
- Lightning Fast: Built with Web Workers for non-blocking, parallel scanning
- Accurate Detection: Uses proven patterns to detect 250+ secret types
- Multi-File Support: Scan individual files or entire project directories
- Beautiful UI: Modern, responsive design with dark mode support
- Detailed Reports: Export results as JSON, Markdown, or CSV
- Developer-Friendly: No installation, no CLI, just open and scan
- Detect AWS keys, Google API keys, GitHub tokens, database credentials, and 250+ more secret types
- Real-time scanning with progress indicators
- Severity-based filtering (Critical, High, Medium, Low)
- File tree visualization showing which files contain secrets
- Syntax-highlighted code snippets showing exact leak locations
- No data transmission - everything runs client-side
- No backend - pure frontend application
- No tracking - your code is your business
- Open-source and auditable
- Drag & drop file upload
- Paste code directly
- Filter results by severity
- Export reports in multiple formats
- Responsive design (desktop & tablet optimized)
- Dark/Light theme support
- Gorgeous WebGL background effects
Supported secret patterns (250+ in total) include:
- AWS Access Keys & Secret Keys
- Google API Keys & OAuth tokens
- GitHub Personal Access Tokens
- Slack tokens & webhooks
- Stripe API keys
- Database connection strings (MySQL, PostgreSQL, MongoDB)
- Private SSH keys
- JWT tokens
- Azure credentials
- Heroku API keys
- Twilio credentials
- And 230+ more...
See vibeleaks-rules.json for the complete list.
- Pre-commit checks: Scan your code before committing to catch secrets
- Security audits: Review legacy codebases for hardcoded credentials
- Learning tool: Understand what patterns constitute security risks
- Code reviews: Quick verification during PR reviews
- Open-source prep: Clean your codebase before open-sourcing
Just visit vibeleaks.dev - no installation needed!
1. Clone the repository

   ```bash
   git clone https://github.com/nithinworks/vibeleaks.git
   cd vibeleaks
   ```

2. Install dependencies

   ```bash
   npm install
   ```

3. Start development server

   ```bash
   npm run dev
   ```

4. Open your browser

   ```
   http://localhost:5173
   ```

```bash
npm run build
```

The production-ready files will be in the dist/ directory.
1. Install Vercel CLI (optional)

   ```bash
   npm install -g vercel
   ```

2. Deploy

   ```bash
   vercel
   ```

3. Production Deploy

   ```bash
   vercel --prod
   ```

No environment variables needed! VibeLeaks runs entirely client-side.
The vercel.json configuration is already included for:
- SPA routing (all routes redirect to index.html)
- Asset caching (1 year cache for static assets)
- Security headers (CSP, XSS protection, etc.)
1. Upload your code
   - Drag & drop files/folders onto the upload area
   - Or paste code directly into the text area
2. Start scanning
   - Click "Scan for Secrets"
   - Watch real-time progress as files are analyzed
3. Review results
   - See all detected secrets grouped by severity
   - Click on matches to view file location and code context
   - Filter by severity level (Critical/High/Medium/Low)
4. Export findings
   - Download results as JSON for automation
   - Export as Markdown for documentation
   - Save as CSV for spreadsheet analysis

```bash
# Navigate to your project
cd my-project
# Zip it (or select folder in browser)
zip -r project.zip .
# Upload to VibeLeaks and scan
```

```
┌─────────────────────────────────────────────────┐
│                    React App                    │
│      (Main Thread - UI & State Management)      │
└────────────┬────────────────────────────────────┘
             │
             │ postMessage()
             │
┌────────────▼────────────────────────────────────┐
│                   Web Worker                    │
│   (Background Thread - Heavy Scanning Logic)    │
│                                                 │
│  • Parses files                                 │
│  • Applies regex patterns                       │
│  • Matches against Gitleaks rules               │
│  • Returns results                              │
└─────────────────────────────────────────────────┘
```

- React 18 - UI framework
- TypeScript - Type safety
- Vite - Build tool & dev server
- Tailwind CSS - Styling
- Web Workers - Non-blocking scanning
- Three.js - WebGL background effects
- 250+ Detection Patterns - Comprehensive secret detection
The scanner uses detection rule definitions from src/config/vibeleaks-rules.json. You can:
- Add custom rules
- Modify severity levels
- Adjust regex patterns
- Disable specific detectors
See CONTRIBUTING.md for details on adding new rules.
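
The Web Worker scan loop from the architecture diagram and the rule switches listed above (severity, regex, disabling a detector), sketched as an added example that is not VibeLeaks' own code. The rule fields `id`, `regex`, `severity` and `enabled`, the function names and the sample files are assumptions for illustration; the project's actual rule schema lives in vibeleaks-rules.json.

```javascript
// Constructed rules. The fields (id, regex, severity, enabled) are an assumed
// schema for illustration, not the layout of vibeleaks-rules.json.
const RULES = [
  { id: "aws-access-key-id", regex: "\\b(?:AKIA|ASIA)[A-Z0-9]{16}\\b", severity: "critical", enabled: true },
  { id: "github-pat", regex: "\\bghp_[A-Za-z0-9]{36}\\b", severity: "high", enabled: true },
  { id: "generic-password", regex: "password\\s*[:=]\\s*[\"'][^\"']{8,}[\"']", severity: "medium", enabled: false },
];
const SEVERITY_ORDER = ["low", "medium", "high", "critical"];

// Keep a short prefix only, so an exported report is not a second copy of the secret.
function redact(secret) {
  return secret.slice(0, 4) + "*".repeat(Math.max(secret.length - 4, 0));
}

// Scan [{ path, content }] line by line against every enabled rule.
function scanFiles(files, rules = RULES) {
  const active = rules
    .filter((r) => r.enabled)
    .map((r) => ({ ...r, re: new RegExp(r.regex, "g") }));
  const findings = [];
  for (const { path, content } of files) {
    content.split(/\r?\n/).forEach((line, i) => {
      for (const rule of active) {
        for (const m of line.matchAll(rule.re)) {
          findings.push({ ruleId: rule.id, severity: rule.severity, path,
                          line: i + 1, column: m.index + 1, match: redact(m[0]) });
        }
      }
    });
  }
  return findings;
}

// Severity filter: keep findings at or above the given level.
function atLeast(findings, min) {
  const floor = SEVERITY_ORDER.indexOf(min);
  return findings.filter((f) => SEVERITY_ORDER.indexOf(f.severity) >= floor);
}

// Inside a Web Worker, answer the main thread's postMessage() with the findings.
if (typeof WorkerGlobalScope !== "undefined" && self instanceof WorkerGlobalScope) {
  self.onmessage = (e) => self.postMessage(scanFiles(e.data.files, e.data.rules));
}

// Constructed sample input (the AWS key is the placeholder from AWS documentation).
const SAMPLE_FILES = [
  { path: "config/aws.env", content: "REGION=us-east-1\nAWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n" },
  { path: "src/db.js", content: "const password = 'hunter2hunter2';\n" },
];
```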
We welcome contributions! Please see CONTRIBUTING.md for details on:
- How to report bugs
- How to suggest features
- Code style guidelines
- Pull request process
- Add support for custom rule files
- Entropy-based detection for unknown secrets
- Machine learning-based false positive reduction
- VS Code extension
- CLI version for CI/CD integration
- GitHub Action
- Pre-commit hook template
- Secret rotation guidance
- Integration with secret management tools (1Password, Vault)
- Historical scan comparison
- Team collaboration features
- Browser extension (Chrome/Firefox)
- Mobile responsive scanning
- Real-time code editor integration
- API for programmatic access
Want to help? Check open issues or suggest new features!
This project is licensed under the MIT License - see the LICENSE file for details.
- Gitleaks - For the excellent secret detection rules
- Security Community - For ongoing research into secret detection patterns
- Issues: GitHub Issues
- Discussions: GitHub Discussions
- Website: vibeleaks.dev
VibeLeaks is a detection tool and may produce false positives or miss certain patterns. Always:
- Review results manually
- Use in combination with other security practices
- Rotate any discovered secrets immediately
- Never commit secrets to version control
Made with ❤️ by the open-source community
If VibeLeaks helped secure your code, give us a ⭐ on GitHub!
