Passive API key and secret discovery browser extension for Chrome and Firefox. 80+ detection patterns, zero config.

Runtime leak detector for modern web apps — finds exposed API keys, validates BaaS misconfigurations (Supabase/Firebase RLS), and catches secrets in JS bundles. Chrome extension + CLI.

Open-source cybersecurity analysis agent for Claude Code. Scans projects for vulnerabilities across all OWASP 2025 Top 10 and CWE Top 25 categories. 11 security domains, 60+ secret patterns, parallel subagent analysis, professional report generation. Built by tododeia.com

Open-source secret scanner in Rust. Service-specific detectors, SIMD on the CPU and an optional GPU path, live verification of which leaked keys are still active, and SARIF output.

High-performance open-source security scanner combining SAST, SCA, Secret Detection, and IaC analysis, built for developers and CI/CD pipelines, using AI for recommendation!

AI agent firewall that intercepts tool calls (file, shell, network) and enforces deterministic policies at sub-microsecond latency using CEL, IFC, secret scanning, and audit logging.

🔍 Gitsint is a cutting-edge OSINT platform designed for security researchers, threat intelligence teams, and developers. Uncover hidden connections, detect exposed secrets, and map digital footprints across GitHub's vast ecosystem.

AI-native security copilot for Python developers. Scans for secrets, vulnerabilities, and dependency CVEs — then tells you how to fix them.

Argus brings “a hundred eyes” to your project, combining leading open source security tools into a scalable, automated, continuous security pipeline.

Burp Suite extension for passive JS reconnaissance - detects 1,600+ secret patterns, API keys, endpoints, and security misconfigurations in HTTP responses in real-time.

A developer CLI tool that manages .env files, detects secret leaks, syncs env drift across teammates, and validates environment parity between local/staging/prod all from your terminal. Written in Go.

JSpider is a smart crawler for hidden endpoints. It crawls and extracts hidden API endpoints and URLs from JavaScript files and HTML source code - all directly in your browser.

A curated list of tools for credential discovery.

Some useful functionality to detect secrets

ALNUR — Open-source end-to-end security vulnerability scanner. Detects CVEs, hardcoded secrets, architecture flaws, and port risks across Node.js, Python, PHP, Go, Rust, Java, .NET, Ruby and more

Zero-config pre-commit secret scanner for Git repositories.

Automatically redacts sensitive data in screenshots before sending to AI agents

🔒 Security scanner for AI Skills | Detect dangerous commands, prompt injection, secrets, and suspicious patterns before install

Fast Python static analysis powered by Rust. Detects dead code, security issues (including taint analysis), and code quality metrics like complexity, Halstead, maintainability, and nesting depth.

Local MITM proxy that keeps secrets out of LLM traffic.