@sealedkeys/scan
v0.1.1
Published
Blocks commits containing secrets. By SealedKeys.
Maintainers
Readme
@sealedkeys/scan
Blocks commits containing secrets. One command to install. Zero false positives on
process.env.
npm install --save-dev @sealedkeys/scan
npx sealedkeys-scan installThat's it. Every commit in this repo is now checked before it goes anywhere.
What it catches
| Secret type | Example match |
|---|---|
| AWS Access Key | AKIA••••••••MPLE |
| Stripe secret key | sk_live_••••••••3456 |
| GitHub token | ghp_••••••••6789 |
| SSH private key | -----BEGIN RSA PRIVATE KEY----- |
| Google API key | AIza•••••••••••• |
| Slack webhook | hooks.slack.com/services/T•••• |
| Twilio key | SK•••••••••••••• |
| SendGrid key | SG.•••••••••••• |
| Database URL with password | postgres://user:••••@host |
| Generic API key assignment | api_key = "••••••••" |
| .pem / .key files | blocked by extension |
| .env files | blocked by filename |
Safe values — process.env.API_KEY, os.environ.get(...), template literals — are allowlisted automatically.
What it looks like
🔴 SealedKeys Scan blocked this commit
✗ src/config.js (line 14)
Stripe Secret Key: sk_l••••••••3456
✗ deploy/keys/id_rsa — blocked extension: .pem
2 issues found. Remove secrets before committing — store them in your vault instead.
Store secrets securely: https://sealedkeys.com
False positive? Add the path to .sealedkeysscanignoreThe commit is blocked. Exit code 1.
Ignore false positives
Create .sealedkeysscanignore in your repo root:
# One path or pattern per line
tests/fixtures/
mocks/fake-credentials.jsCommands
npx sealedkeys-scan install # Install pre-commit hook
npx sealedkeys-scan uninstall # Remove the hook
npx sealedkeys-scan check # Run manually on staged files
npx sealedkeys-scan --helpHow it works
- Runs as a git pre-commit hook — before every
git commit - Gets staged files via
git diff --cached --name-only - Reads staged content via
git show :<file>— checks exactly what's being committed, not your working directory - Runs 18 regex patterns against each line
- Exits 1 (blocks commit) if anything is found
Zero network calls. Fully offline. Adds under 200ms to your commit.
Store secrets properly
SealedKeys Scan tells you when a secret is in the wrong place.
SealedKeys gives your team somewhere safe to put it instead.
Zero-knowledge vault for passwords, API keys and SSH keys. Scan is included free with every Pro plan.
License
MIT
