leakscan-cli

v1.0.0

Zero-dependency CLI to scan your codebase for hardcoded secrets, API keys, and passwords before they leak

Detect AWS keys, Stripe keys, GitHub tokens, Slack tokens, database credentials, PEM private keys, and 25+ more patterns — all with zero npm dependencies.

Install

npm install -g leakscan-cli

Or run without installing:

npx leakscan-cli .

Usage

# Scan current directory
secret-scan

# Scan a specific path
secret-scan ./src

# CI mode — exit 1 if secrets are found
secret-scan --strict

# Machine-readable JSON output
secret-scan --json

# Only report critical and high findings
secret-scan --min-severity high

# List all 25+ built-in detection rules
secret-scan --list-rules

Example Output

Scanning .

Secret Scan Results

src/config.js (2 findings)
  [CRITICAL] AWS Access Key ID
  Line 12:14 — Amazon Web Services access key ID
  Match: AKIA********************...

  [HIGH    ] Slack Webhook URL
  Line 34:20 — Slack incoming webhook URL
  Match: https://hooks.slack.com/...

──────────────────────────────────────────────────
Summary
  Files scanned:       47
  Files with findings: 1
  Total findings:      2

  [CRITICAL] 1
  [HIGH    ] 1

CI/CD Integration

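# GitHub Actions (package name as published: leakscan-cli)
- name: Scan for secrets
  run: npx leakscan-cli --strict --min-severity high

# Pre-commit hook (Git only runs hooks that are executable)
echo "npx leakscan-cli --strict --json" >> .git/hooks/pre-commit
chmod +x .git/hooks/pre-commit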

Detection Rules (25+)

| Severity | Rules |
|----------|-------|
| 🔴 Critical | AWS keys, GitHub tokens, Stripe live keys, OpenAI keys, Anthropic keys, Slack tokens, SendGrid keys, PEM private keys, database connection strings |
| 🟠 High | Google/Firebase API keys, Slack webhooks, Mailgun keys, Basic auth in URLs, Stripe publishable keys |
| 🟡 Medium | Generic password assignments, JWT secrets, API key assignments, Stripe test keys |

Options

| Flag | Description |
|------|-------------|
| --strict | Exit with code 1 if any findings at or above --min-severity |
| --json | JSON output (secrets redacted, safe for CI logs) |
| --min-severity <level> | Filter: critical, high, medium, low (default: medium) |
| --list-rules | Print all built-in detection patterns |
| --no-color | Disable ANSI colors |
| -v, --version | Show version |
| -h, --help | Show help |

Why zero dependencies?

  • No supply chain risk — you're scanning for security issues, so the tool itself should be above suspicion
  • Works anywhere — no npm install, just npx
  • Auditable — 100% of the code is in src/, readable in 5 minutes

What it skips

  • node_modules/, .git/, dist/, build/ (configurable)
  • Binary files, images, videos
  • Common placeholder values (your-api-key, changeme, xxxxxxxx, etc.)
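
The following added example (not leakscan-cli's own code) shows how severity-ranked regex rules, placeholder skipping, redacted matches and a strict-mode exit code fit together. The three rule patterns, the `scanText` and `strictExitCode` names, and the sample input are assumptions made for illustration.

```javascript
// Added illustration: rule patterns and function names are assumptions,
// not leakscan-cli's actual rules or API.
const SEVERITY = { low: 0, medium: 1, high: 2, critical: 3 };

const RULES = [
  { name: 'AWS Access Key ID', severity: 'critical', re: /\bAKIA[0-9A-Z]{16}\b/g },
  { name: 'Slack Webhook URL', severity: 'high',
    re: /https:\/\/hooks\.slack\.com\/services\/[A-Za-z0-9_\/]+/g },
  { name: 'Generic password assignment', severity: 'medium',
    re: /password\s*[:=]\s*['"]([^'"]{6,})['"]/gi },
];

// Placeholder values listed on the page; values containing one are skipped.
const PLACEHOLDERS = ['your-api-key', 'changeme', 'xxxxxxxx'];
const isPlaceholder = (s) => PLACEHOLDERS.some((p) => s.toLowerCase().includes(p));

// Keep a 4-character prefix so a finding is recognisable but not reusable.
const redact = (s) => s.slice(0, 4) + '*'.repeat(Math.max(s.length - 4, 0));

function scanText(text, minSeverity = 'medium') {
  const findings = [];
  text.split('\n').forEach((line, i) => {
    for (const rule of RULES) {
      if (SEVERITY[rule.severity] < SEVERITY[minSeverity]) continue;
      for (const m of line.matchAll(rule.re)) {
        const value = m[1] || m[0]; // captured secret if the rule has a group
        if (isPlaceholder(value)) continue;
        findings.push({ rule: rule.name, severity: rule.severity,
          line: i + 1, column: m.index + 1, match: redact(value) });
      }
    }
  });
  return findings;
}

// Exit status for a strict CI gate: 1 when any finding was reported.
const strictExitCode = (findings) => (findings.length > 0 ? 1 : 0);

// Constructed sample input; the key is AWS's documented example value.
const SAMPLE = [
  "const key = 'AKIAIOSFODNN7EXAMPLE';",
  "const password = 'changeme';",
  "const dbPassword = 'hunter2-prod';",
  "// https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX",
].join('\n');

console.log(scanText(SAMPLE), strictExitCode(scanText(SAMPLE, 'high')));
```

The `changeme` password and the all-X webhook URL are dropped as placeholders, which is the trade-off behind the skip list: fewer false positives, at the cost of missing a real secret that happens to contain a placeholder string.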

Part of the 100 Days of AI Hustle

This tool was built by an AI agent as part of the 100 Days of AI Hustle experiment — shipping real tools while learning in public.

License

MIT © agent20usd