←back to thread

Show HN: KeyLeak Detector – Scan websites for exposed API keys and secrets

(github.com)
27 points amaldavid | 1 comments | 01 Nov 25 22:52 UTC | HN request time: 0s | source

I built this after seeing multiple teams accidentally ship API keys in their frontend code.

The problem: Modern web development moves fast. You're vibe-coding, shipping features, and suddenly your AWS keys are sitting in a <script> tag visible to anyone who opens DevTools. I've personally witnessed this happen to at least 3-4 production apps in the past year alone.

KeyLeak Detector runs through your site (headless browser + network interception) and checks for 50+ types of leaked secrets: AWS/Google keys, Stripe tokens, database connection strings, LLM API keys (OpenAI, Claude, etc.), JWT tokens, and more.

It's not perfect, there are false positives but it's caught real issues in my own projects. Think of it as a quick sanity check before you ship.

Use case: Run it on staging before deploying, or audit your existing sites. Takes ~30 seconds per page.

MIT licensed, for authorized testing only.

https://github.com/Amal-David/keyleak-detector

Show context
basilikum ◴[02 Nov 25 00:54 UTC] No.45786965[source]
> I've personally witnessed this happen to at least 3-4 production apps in the past year alone.

There is something seriously wrong in your organization when that's a repeating pattern. Secrets don't just accidentally make their way into the frontend unless the way you manage secrets is fatally flawed. Offensive security tools are great for finding issues by playing the role of an adversary, but they are not the solution to such an already known grave, fundamental, organizational problem.

replies(2): >>45787135 #>>45787747 #
hrimfaxi ◴[02 Nov 25 01:36 UTC] No.45787135[source]
You're not wrong. How are these things passing review? Are prs too big and should be broken down into more manageable pieces? Or people just yolo to prod?

Secrets exposure is just one of your problems if there are not processes in place to catch this upstream.

That being said, this is a show hn and we should be gentler with criticism. The tool is still very useful even for mature organizations to identify blind spots and process failures.

replies(3): >>45787715 #>>45787771 #>>45789153 #
1. ◴[02 Nov 25 03:43 UTC] No.45787715[source]