Find hardcoded secrets in your codebase — before someone else does.
Secret scanning checks your codebase and git history for hardcoded API keys, tokens, private keys, and credentials. inkode uses gitleaks — the same tool used by GitHub's secret scanning feature — and surfaces every match with the file, line, and rule that triggered it. Runs locally in under a minute. No source code leaves your machine.
Every common secret type, and many uncommon ones.
AWS access key IDs and secret access keys, GCP service account JSON, Azure connection strings and storage keys. The credentials that give an attacker admin access to your infrastructure.
Stripe, Twilio, SendGrid, OpenAI, Anthropic, GitHub, Slack, and hundreds more. gitleaks ships with 150+ detector rules covering the patterns that major API providers use for their tokens.
Connection strings with embedded passwords — postgres://user:password@host, MySQL DSNs, Redis URLs with AUTH tokens. The kind of thing that ends up in a .env file that gets committed once.
RSA, ECDSA, and PEM-encoded private keys. SSH private keys. JWT signing secrets. If it looks like a private key, gitleaks flags it — regardless of the filename.
Secret scanning output — file, line, and rule.
The security category is weighted heavily — a single confirmed secret drops your score significantly.
Committed once, stays forever — unless you know where to look.
A secret removed from a file still lives in git history. gitleaks scans the full commit history by default — not just the current working tree — which means a key deleted six months ago can still be discovered, rotated, and marked resolved. If you don't find it first, a motivated attacker will.
AI coding tools often scaffold configuration with placeholder strings that look like real credentials, or complete a code block with the secret already in the variable assignment. The code works — and the secret ships.
Wire inkode into your CI pipeline. Every PR gets scanned. If a secret is detected, the quality gate fails and the merge is blocked. The GitHub Action installs in under five minutes.
Scan for secrets in one command.
Find the secrets hiding in your codebase
Free scan, runs locally, no source code uploaded. Or block secrets from merging with the CI integration.
Secret scanning runs inside every language scanner — Go, Java, Python, Rust, and TypeScript.