npm package discovery and stats viewer.

© 2026 – Pkg Stats / Ryan Hefner

pi-secret-guard

v1.1.0

Published

A pi extension that guards against committing secrets, API keys, and credentials to git repositories using regex scanning.

Readme

pi-secret-guard 🔐


Catches secrets before they reach git. Regex scan for known patterns, then the agent reviews the diff for anything subtle.

A pi extension.

(Screenshot: pi-secret-guard blocking a commit with AWS keys and database credentials)

Install

pi install npm:pi-secret-guard

How It Works

Intercepts git commit and git push bash commands via pi's tool_call event. Only commands the agent runs through pi's bash tool are covered: git invoked from another terminal, an IDE, or a script never passes through the extension, so keep server-side push protection as the backstop for those paths.

git commit / git push
       │
       ▼
┌──────────────────┐
│ Get the diff     │  staged changes or unpushed commits
└──────┬───────────┘
       │
       ▼
┌──────────────────┐    Regex hit
│ Phase 1: Regex   │ ─────────────► 🚨 Hard block (must fix)
└──────┬───────────┘
       │ Clean
       ▼
┌──────────────────┐    Agent finds secrets
│ Phase 2: Agent   │ ─────────────► 🚫 Explains + helps fix
│ reviews the diff │
└──────┬───────────┘
       │ Clean
       ▼
  Agent re-issues
  the command      ──► ✅ Allowed (diff hash verified)

Phase 1 is fast and free — regex against 30+ known secret formats.

Phase 2 uses the agent already in your session. No extra API calls or config. The agent has full project context, so it can tell whether auth: "Tr0ub4dor&3" in a config object is a real password or a test fixture. It is a model judgment rather than a deterministic check, so treat the regex phase as the guaranteed floor and the agent review as a second opinion on what the regex cannot express.

When the agent re-issues a blocked command, the extension verifies the diff hasn't changed: it compares a SHA-256 hash of the diff taken at review time with a fresh hash of the current diff, and a review older than 5 minutes no longer counts.

What It Catches

Regex Patterns (instant block)

| Category | Examples |
|----------|----------|
| Cloud providers | AWS keys (AKIA...), Azure connection strings, GCP service account keys |
| API keys | OpenAI, Anthropic, Stripe, SendGrid, Twilio, Slack, Discord, Mailgun, Google |
| VCS tokens | GitHub (ghp_, gho_, ghs_, github_pat_), GitLab (glpat-), Bitbucket (ATBB) |
| Private keys | RSA, EC, DSA, OpenSSH, PGP headers |
| Auth | JWTs, credentials in URLs, database connection strings with passwords |
| Generic | Assignments to api_key, secret, password, token variables with long values |

Suspicious Files (flagged for review)

.env, .env.*, *.pem, *.key, *.p12, *.pfx, id_rsa, id_ed25519, credentials.json, service_account*.json, secrets.yaml, .htpasswd, .netrc

Agent Review (contextual)

Hardcoded passwords in config objects, database URLs with embedded credentials, tokens in unusual formats, anything that looks like it shouldn't be public. The agent already knows the project, so it understands context.

Behavior Details

git commit — scans git diff --cached. Handles git commit -a / --all by also including unstaged changes to tracked files (untracked files are not part of -a and are not scanned).

git push — scans the unpushed commits in @{u}..HEAD; when no upstream is configured it falls back to origin/main, then origin/master.

Hard block — regex finds a known secret pattern. The secret is masked in the output, and the command cannot be re-issued until the secret is removed from the diff.

Soft block — regex is clean, so the agent reviews the diff. If the agent says it is clean and re-issues the command, it is allowed through. If the diff changed between review and re-issue, a fresh review is required.

Why Not Just GitHub Push Protection?

GitHub's push protection is a good last line of defense, but it operates at a different stage:

| | pi-secret-guard | GitHub Push Protection |
|---|---|---|
| When | Before git commit | Before git push |
| Secret in git history? | Never enters | Already committed locally |
| Cleanup | Just fix the file | Rewrite git history |
| Contextual review | LLM reads the diff | Pattern matching only |
| Catches subtle secrets | Hardcoded passwords, config objects | Only known token formats |
| Works offline | Regex phase, yes | Requires GitHub remote |

We built this extension, and GitHub's own push protection blocked our test push because the test files contained realistic-looking fake tokens. We had to amend three times. The earlier you catch a secret, the cheaper the fix.

Alternative Install Methods

From GitHub:

pi install https://github.com/acarerdinc/pi-secret-guard

Manual (global):

git clone https://github.com/acarerdinc/pi-secret-guard ~/.pi/agent/extensions/pi-secret-guard

Quick test (no install):

pi -e /path/to/pi-secret-guard

License

MIT