Security check

Leaked secrets in GitHub: find them before someone else does

A forgotten API key in an old commit is still valid and searchable. We scan your repos — including git history — for leaked secrets and show exactly where they are.

Run a free domain scan All checks →
Relates to: NIS2 · art. 21 — vulnerability handling ISO 27001 · A.8.24 cryptography / A.5.17 authentication info PCI DSS · requirement 8

What we check

We scan your repos with rule- and entropy-based detection for API keys, cloud credentials, private keys, tokens and passwords — not only in current code but through the entire git history where most leaks hide.

Why it matters

Removing a key from the latest commit doesn't help — it stays in history and is valid until rotated. Leaked credentials are one of the most common initial attack vectors, and an explicit requirement in PCI DSS and ISO 27001.

How Security Guru tests it

Common mistakes

  • Believing git rm removes the key — it stays in history
  • .env committed early and then gitignored — the leak is in history
  • No secrets scanning in CI, so new leaks are never caught
  • Public fork of a private repo carrying the history with it

What you get in the report

  • Each finding with repo, file, commit and key type (value redacted)
  • Whether the key is in history and needs rotation
  • Prioritised fix list: rotate first, scrub history second
  • Recommendation for a secrets gate in CI going forward

FAQ

Do you store our secrets?

No. We report location and type; the value itself is redacted and never stored in plaintext.

Is scrubbing history enough?

No — a leaked key must be rotated (it may already be copied). History scrubbing removes exposure going forward, but rotation is the real remediation.

Can it run locally?

The scan can run self-hosted so no code leaves your environment.

Want to know your status?

Run a free scan or order a full Security Assessment — prioritised, not noise.

Run a free domain scan