←back to thread

Show HN: KeyLeak Detector – Scan websites for exposed API keys and secrets

(github.com)
27 points amaldavid | 1 comments | 01 Nov 25 22:52 UTC | HN request time: 0.217s | source

I built this after seeing multiple teams accidentally ship API keys in their frontend code.

The problem: Modern web development moves fast. You're vibe-coding, shipping features, and suddenly your AWS keys are sitting in a <script> tag visible to anyone who opens DevTools. I've personally witnessed this happen to at least 3-4 production apps in the past year alone.

KeyLeak Detector runs through your site (headless browser + network interception) and checks for 50+ types of leaked secrets: AWS/Google keys, Stripe tokens, database connection strings, LLM API keys (OpenAI, Claude, etc.), JWT tokens, and more.

It's not perfect, there are false positives but it's caught real issues in my own projects. Think of it as a quick sanity check before you ship.

Use case: Run it on staging before deploying, or audit your existing sites. Takes ~30 seconds per page.

MIT licensed, for authorized testing only.

https://github.com/Amal-David/keyleak-detector

Show context
basilikum ◴[02 Nov 25 00:54 UTC] No.45786965[source]
> I've personally witnessed this happen to at least 3-4 production apps in the past year alone.

There is something seriously wrong in your organization when that's a repeating pattern. Secrets don't just accidentally make their way into the frontend unless the way you manage secrets is fatally flawed. Offensive security tools are great for finding issues by playing the role of an adversary, but they are not the solution to such an already known grave, fundamental, organizational problem.

replies(2): >>45787135 #>>45787747 #
1. amaldavid ◴[02 Nov 25 03:55 UTC] No.45787747[source]
Well, when i meant "personally" not in the app I manage. I have a quirk of checking sites to understand what they are using and how they are using and have stumbled upon sites with exposed Gemini, Google Maps, OpenAI keys etc.

https://news.ycombinator.com/item?id=45741569 - It was also partly inspired by this as I have seen legacy sites making these mistakes quite often.

With all the vibe coded apps that are getting launched or were launched early, there are enough holes to plug. This is just an attempt to help individuals or orgs to ensure they are not exposed. Just pushed it out what I had in mind based on my experience.

And I agree with you that an adversary approach won't work if we can't fix the underlying problem but the world has changed with enough vibe coded apps that are getting shipped everyday and very little of them care or know about security.