Classified — Leakwatch field report · Declassify on scan
Open-source secret scanner · MIT · by HodeTech

Some secrets shouldn't be visible.
Leakwatch finds the ones that are.

Detect, verify, and report leaked API keys, tokens, and credentials across code, Git history, containers, and the cloud — then watch the redactions lift.

63 detectors · 54 live verifiers · 6 sources · exit-code aware
prod.env · 3 REDACTED
01  DB_HOST=db.internal.acme.io
02  AWS_ACCESS_KEY_ID=AKIA3F7QExampleR8XZ    CRITICAL  aws-access-key-id  ✓ verified active
03  JWT_SECRET=eyJhbGciOiJIUzI1NiJ9          HIGH      jwt                unverified
04  OPENAI_API_KEY=sk-proj-Example9aZ        CRITICAL  openai-api-key     ✓ verified active
3 findings
63 secret detectors · 54 live verifiers · 6 scan sources · 4 output formats
§ 01

The case file

Every finding is logged like evidence: what it is, where it was found, how severe it is, and whether the key is still live. Verified-active keys are incidents — the rest is triage.

#   Severity  Detector           Location             Status             Action
01  CRITICAL  aws-access-key-id  config/prod.yaml:12  ✓ verified active  rotate now
02  CRITICAL  openai-api-key     .env:3               ✓ verified active  rotate now
03  HIGH      jwt                src/auth.go:88       unverified         review
§ 02

Six watch points

Secrets leak through more than source files. Leakwatch reaches into history, build artifacts, the cloud, and chat.

Filesystem · scan fs
Walk a directory tree; skip binaries and lock files automatically.

Git history · scan git
Every commit — recover secrets that were committed and later deleted.

Container images · scan image
Inspect OCI/Docker image layers directly. No Docker daemon required.

AWS S3 · scan s3
Bucket objects via your existing AWS credential chain.

Google Cloud · scan gcs
Cloud Storage objects with Application Default Credentials.

Slack · scan slack
Message text across channels and DMs for pasted credentials.

§ 03

Chain of custody

A keyword pre-filter shortlists candidate detectors before any regex runs, so scans stay fast even across full Git history.

01 Source: stream chunks from files, Git, images, cloud, or Slack.
02 Pre-filter: Aho-Corasick keyword matching shortlists detectors.
03 Match: shortlisted detectors run precise regex patterns.
04 Verify: eligible findings are checked against the live provider API.
05 Report: filter by severity; emit JSON, SARIF, CSV, or a table.
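The pre-filter and match stages above, as an added example that is not Leakwatch's own code: a small Aho-Corasick automaton over each detector's trigger keyword makes a single pass over a chunk, and only the shortlisted detectors' regexes run. The detector table, trigger keywords and patterns are constructed for this illustration, not taken from the real catalog.

```python
import re
from collections import deque

# Constructed detector table for this example (not Leakwatch's real catalog):
# a cheap literal trigger plus the precise regex that runs only when it fires.
DETECTORS = [
    ("aws-access-key-id", "AKIA", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("openai-api-key", "sk-proj-", re.compile(r"\bsk-proj-[A-Za-z0-9]{8,}\b")),
    ("jwt", "eyJ", re.compile(r"\beyJ[A-Za-z0-9_-]{8,}(?:\.[A-Za-z0-9_-]+)*")),
]

class Prefilter:
    """Aho-Corasick automaton over every detector keyword (pipeline stage 02)."""
    def __init__(self, detectors):
        self.goto, self.fail, self.out = [{}], [0], [set()]  # state 0 is the root
        for idx, (_, keyword, _) in enumerate(detectors):
            state = 0
            for ch in keyword:  # extend the trie with this keyword
                if ch not in self.goto[state]:
                    self.goto[state][ch] = len(self.goto)
                    self.goto.append({})
                    self.fail.append(0)
                    self.out.append(set())
                state = self.goto[state][ch]
            self.out[state].add(idx)  # this keyword belongs to detector idx
        queue = deque(self.goto[0].values())  # depth-1 states fail to the root
        while queue:  # breadth-first: set failure links, merge suffix outputs
            state = queue.popleft()
            for ch, nxt in self.goto[state].items():
                f = self.fail[state]
                while f and ch not in self.goto[f]:
                    f = self.fail[f]
                self.fail[nxt] = self.goto[f].get(ch, 0)
                self.out[nxt] |= self.out[self.fail[nxt]]
                queue.append(nxt)

    def shortlist(self, chunk):
        """One pass over chunk; returns indices of detectors whose keyword occurs."""
        state, hits = 0, set()
        for ch in chunk:
            while state and ch not in self.goto[state]:
                state = self.fail[state]
            state = self.goto[state].get(ch, 0)
            hits |= self.out[state]
        return hits

def scan(chunk, detectors=DETECTORS):
    """Stage 03: run the precise regex only for shortlisted detectors."""
    hits = sorted(Prefilter(detectors).shortlist(chunk))
    return [(detectors[i][0], m.group(0)) for i in hits for m in detectors[i][2].finditer(chunk)]
```

A chunk that contains a trigger keyword but not a well-formed key is shortlisted and then rejected by the regex, which is the point of keeping the expensive stage behind the cheap one.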

§ 04

Is it still live?

Detection is half the job. For most secret types, Leakwatch makes a controlled, read-only API call to the provider to confirm whether a key is active — separating real incidents from noise.

Live verified (~49): a read-only API call confirms the key is active or inactive.
Format checked (5): validated by structure where no safe live check exists.
Not verifiable (9): no public verification API (e.g. JWTs, private keys) — still detected, triaged manually.
§ 05

Reports that fit your workflow

JSON
Structured findings for tooling and automation.

SARIF
v2.1.0 — upload straight to GitHub Code Scanning.

CSV
Spreadsheet-ready, sanitized against formula injection.

Table
Colorized terminal output for local triage.

§ 06

Redacted index — 63 detectors

A sample of the catalog; 54 of the 63 can be verified against the live provider. Add your own with YAML custom rules.

aws-access-key-id · gcp-service-account · openai-api-key · anthropic-api-key · github-token · stripe-api-key-live · sendgrid-api-key · slack-token · twilio-api-key · digitalocean-token · datadog-api-key · cloudflare-api-token · npm-token · private-key · jwt · shopify-access-token · supabase-service-key · gitlab-pat · vercel-token · + 44 more

Declassify your repo

One static binary. No daemon, no runtime dependencies. Install it your way.

$ brew install HodeTech/tap/leakwatch
$ go install github.com/HodeTech/leakwatch@latest
$ docker run --rm -v $(pwd):/scan ghcr.io/hodetech/leakwatch scan fs /scan