Find hardcoded secrets in your codebase — before someone else does.

Secret scanning checks your codebase and git history for hardcoded API keys, tokens, private keys, and credentials. inkode uses gitleaks — the same tool used by GitHub's secret scanning feature — and surfaces every match with the file, line, and rule that triggered it. Runs locally in under a minute. No source code leaves your machine.

Scan for Secrets Block Secrets in CI

Every common secret type, and many uncommon ones.

Cloud provider keys

AWS access key IDs and secret access keys, GCP service account JSON, Azure connection strings and storage keys. The credentials that give an attacker admin access to your infrastructure.

API tokens and keys

Stripe, Twilio, SendGrid, OpenAI, Anthropic, GitHub, Slack, and hundreds more. gitleaks ships with 150+ detector rules covering the patterns that major API providers use for their tokens.

Database credentials

Connection strings with embedded passwords — postgres://user:password@host, MySQL DSNs, Redis URLs with AUTH tokens. The kind of thing that ends up in a .env file that gets committed once.

Private keys and certificates

RSA, ECDSA, and PEM-encoded private keys. SSH private keys. JWT signing secrets. If it looks like a private key, gitleaks flags it — regardless of the filename.

Secret scanning output — file, line, and rule.

$ ik run inkode · my-app Secret Scanning 3 findings 1.2s (gitleaks) aws-access-token config/settings.py:14 AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY" stripe-secret-key src/billing/client.go:8 apiKey := "sk_live_4eC39HqLyjWDarjtT1zdp7dc" github-pat scripts/deploy.sh:22 (git history: 3 commits ago) GITHUB_TOKEN=ghp_16C7e42F292c6912E7710c838347Ae178B4a Score 41 / 100 grade F (security: 12) Report .ik/brief.html

The security category is weighted heavily — a single confirmed secret drops your score significantly.

Committed once, stays forever — unless you know where to look.

A secret removed from a file still lives in git history. gitleaks scans the full commit history by default — not just the current working tree — which means a key deleted six months ago can still be discovered, rotated, and marked resolved. If you don't find it first, a motivated attacker will.

Why AI-generated code makes this worse

AI coding tools often scaffold configuration with placeholder strings that look like real credentials, or complete a code block with the secret already in the variable assignment. The code works — and the secret ships.

Block secrets before they merge

Wire inkode into your CI pipeline. Every PR gets scanned. If a secret is detected, the quality gate fails and the merge is blocked. The GitHub Action installs in under five minutes.

Scan for secrets in one command.

$ curl -fsSL https://inkode.co/install.sh | sh $ cd your-repo && ik init && ik run

Find the secrets hiding in your codebase

Free scan, runs locally, no source code uploaded. Or block secrets from merging with the CI integration.

Scan for Secrets Free Set Up CI Quality Gate

Secret scanning runs inside every language scannerGo, Java, Python, Rust, and TypeScript.