Secret Leak Scanner
The Secret Leak Scanner is your first line of defense against accidentally committing secrets to git. It performs three checks: whether any .env file is tracked by git, whether .gitignore covers the .env file patterns, and whether source files contain hardcoded secrets.
Running the Scanner
Click 🔍 Scan for Secret Leaks in the Pro Tools panel, or run ENV Manager Pro: Scan for Secret Leaks from the Command Palette.
The scan runs locally — no data leaves your machine.
What It Checks
1. Git Tracking
The scanner runs git ls-files to check whether any .env* file (except .env.example) is tracked by git. If one is, its contents are already part of the repository, so the report flags it as a critical leak risk.
2. .gitignore Coverage
Even if .env files aren't tracked yet, they should be covered by .gitignore so they can't be added by accident. The scanner verifies that patterns like .env, .env.*, and *.local appear in your .gitignore.
3. Hardcoded Secrets in Source
The scanner searches all non-excluded source files for patterns that look like hardcoded secrets:
| Pattern | What It Catches |
|---|---|
| `api[_-]?key\s*=\s*["'].+["']` | Hardcoded API keys |
| `secret\s*=\s*["'].+["']` | Hardcoded secrets |
| `password\s*=\s*["'].+["']` | Hardcoded passwords |
| `token\s*=\s*["'].+["']` | Hardcoded tokens |
| `private[_-]?key\s*=\s*["'].{20,}` | Private keys |
| `sk-[a-zA-Z0-9]{20,}` | OpenAI-style keys |
| `ghp_[a-zA-Z0-9]{36,}` | GitHub PATs |
| `AKIA[0-9A-Z]{16}` | AWS access keys |
| `-----BEGIN .* PRIVATE KEY-----` | PEM private keys |
Excluded Directories
node_modules, .git, dist, build, .next, out, vendor, __pycache__, .turbo
Fix Actions
After the scan, the report lists each issue with a severity level. For .gitignore issues, a Fix .gitignore button adds the missing patterns automatically. Note that ignoring a file does not untrack one that git already tracks; remove it from the index with `git rm --cached <file>` and commit that change, and treat any secret that has ever been committed as exposed, since it remains in the repository history until rotated.
For hardcoded secrets in source, the report shows the file and line number so you can move the value into your .env file and replace it in code with `process.env.SECRET_NAME`.
Example Report
```
Secret Leak Scan Results
========================
✅ .env not tracked by git
⚠️ .gitignore missing pattern for .env.local
❌ Hardcoded secret found: src/db.js:14 — password="hardcoded123"
```