A forgotten API key in an old commit is still valid and searchable. We scan your repos — including git history — for leaked secrets and show exactly where they are.
Run a free domain scan All checks →We scan your repos with rule- and entropy-based detection for API keys, cloud credentials, private keys, tokens and passwords — not only in current code but through the entire git history where most leaks hide.
Removing a key from the latest commit doesn't help — it stays in history and is valid until rotated. Leaked credentials are one of the most common initial attack vectors, and an explicit requirement in PCI DSS and ISO 27001.
git rm removes the key — it stays in history.env committed early and then gitignored — the leak is in historyDo you store our secrets?
No. We report location and type; the value itself is redacted and never stored in plaintext.
Is scrubbing history enough?
No — a leaked key must be rotated (it may already be copied). History scrubbing removes exposure going forward, but rotation is the real remediation.
Can it run locally?
The scan can run self-hosted so no code leaves your environment.
Run a free scan or order a full Security Assessment — prioritised, not noise.
Run a free domain scan