Open source · MIT · 100% local

Find leaked API keys before you ship

KeyLeak Detector is a runtime secret scanner. It catches exposed API keys, secrets in JavaScript bundles, and Supabase/Firebase misconfigurations that static scanners never see — then proves they're exploitable.

$ keyleak browser-scan https://app.acme.dev --baas-validate

BLOCK SHIP: 1 critical, 1 high, 2 medium
   GEMINI API KEY — live (rotate now) · app.bundle.js
   SUPABASE — table `profiles` readable with anon key (no RLS)
Re-test: keyleak browser-scan https://app.acme.dev --baas-validate
20+ API key providers detected · 14 providers with live key testing · 200+ first-party domains suppressed · 0 data sent anywhere

What makes it different

Static scanners read source. KeyLeak watches runtime.

The secrets that hurt you are the ones your users actually receive — injected at build time, served in bundles, exposed by misconfigured backends. KeyLeak inspects the running app and validates what it finds.

Runtime key detection

Scans live traffic, inline scripts, minified bundles, headers, and API responses for keys from OpenAI, Anthropic, Gemini, Stripe, GitHub, AWS, and 20+ providers.


BaaS RLS validation

A Supabase anon key is meant to be public; it is only harmless if Row-Level Security actually restricts what the anon role can read. KeyLeak probes the REST API with nothing but the anon key to test whether it does. The probe is read-only and sends Prefer: tx=rollback so that nothing it touches is committed.
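How such a probe can be built and how its replies are read, as an added example that is not KeyLeak's own code: the project URL, anon key and table are constructed placeholders, and the finding classes and severities are this example's own labels.

```python
"""Read-only Supabase RLS probe, as an added illustration (not KeyLeak's code)."""
import json
from dataclasses import dataclass
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Constructed placeholders: a hypothetical project URL and a fake anon key.
SUPABASE_URL = "https://example-project.supabase.co"
ANON_KEY = "eyJhbGciOiJIUzI1NiJ9.e30.placeholder"
TABLE = "profiles"


def build_probe(base_url: str, anon_key: str, table: str, limit: int = 1) -> Request:
    """Build the PostgREST request a probe sends: one row, anon key only.

    GET is already non-mutating; Prefer: tx=rollback additionally asks PostgREST
    to roll back the request's transaction, so even a probe that lands on a
    writable view or a function with side effects leaves nothing committed.
    """
    url = f"{base_url.rstrip('/')}/rest/v1/{table}?select=*&limit={limit}"
    headers = {
        "apikey": anon_key,
        "Authorization": f"Bearer {anon_key}",
        "Accept": "application/json",
        "Prefer": "tx=rollback",
    }
    return Request(url, headers=headers, method="GET")


@dataclass
class ProbeResult:
    status: int
    body: str


def classify(result: ProbeResult) -> str:
    """Turn a PostgREST reply into a finding class.

    OPEN          200 with rows: the anon role reads real data (RLS off or permissive)
    INCONCLUSIVE  200 with []: RLS filtered every row, or the table is simply empty
    PROTECTED     401/403: the anon role is denied outright
    NOT_EXPOSED   404: the relation is not in the exposed schema
    """
    if result.status in (401, 403):
        return "PROTECTED"
    if result.status == 404:
        return "NOT_EXPOSED"
    if result.status == 200:
        try:
            rows = json.loads(result.body)
        except ValueError:
            return "INCONCLUSIVE"
        return "OPEN" if isinstance(rows, list) and rows else "INCONCLUSIVE"
    return "INCONCLUSIVE"


# Example severity mapping; an empty [] deserves a look, not a block.
SEVERITY = {"OPEN": "high", "INCONCLUSIVE": "medium", "PROTECTED": None, "NOT_EXPOSED": None}


def probe(base_url: str, anon_key: str, table: str) -> ProbeResult:
    """Send the probe over the network (not exercised offline)."""
    req = build_probe(base_url, anon_key, table)
    try:
        with urlopen(req, timeout=10) as resp:
            return ProbeResult(resp.status, resp.read().decode("utf-8", "replace"))
    except HTTPError as err:
        return ProbeResult(err.code, err.read().decode("utf-8", "replace"))


if __name__ == "__main__":
    # Replay constructed replies instead of hitting a real project.
    for sample in (ProbeResult(200, '[{"id": 1, "email": "a@example.com"}]'),
                   ProbeResult(200, "[]"),
                   ProbeResult(401, '{"message": "Invalid API key"}')):
        print(sample.status, "->", classify(sample))
    print(build_probe(SUPABASE_URL, ANON_KEY, TABLE).full_url)
```

Two caveats a practitioner should keep in mind: a 200 with an empty array is ambiguous (RLS may be doing its job, or the table may be empty), so it is reported as inconclusive rather than safe; and PostgREST honours tx=rollback only when its db-tx-end setting permits a client override, so the GET itself, not the header, is what keeps the probe read-only.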

Live key testing

The TEST button validates whether a found key is still active across 14 providers, and surfaces the authenticated identity and scopes. A dead key is noise; a live one is an incident.


JWT claim analysis

Decodes tokens in place and flags risky claims — service_role, admin flags, broad scopes, and decade-long expiries — no verification or secret required.
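Decoding and claim analysis of this kind, as an added example rather than KeyLeak's implementation: the sample tokens are constructed inside the block with a dummy signature, and the admin claim names, the scope markers and the one-year lifetime threshold are assumptions. It also flags an alg=none header, which the list above does not mention.

```python
"""JWT claim analysis without verification, as an added illustration (not KeyLeak's code)."""
import base64
import json
from typing import Any, Dict, List

# Assumed thresholds and claim names; adjust to your own policy.
LONG_LIVED_SECONDS = 365 * 24 * 3600          # flag anything that lives longer than a year
ADMIN_CLAIMS = ("admin", "is_admin", "superuser")
BROAD_SCOPE_MARKERS = ("*", "admin")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj: Any) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_token(payload: Dict[str, Any], alg: str = "HS256") -> str:
    """Assemble a constructed token with a dummy signature; analysis never checks it."""
    return f"{_b64url_encode({'alg': alg, 'typ': 'JWT'})}.{_b64url_encode(payload)}.c2ln"


def decode_unverified(token: str):
    """Split and decode header and payload; no key, no signature check."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three segments")
    return json.loads(_b64url_decode(parts[0])), json.loads(_b64url_decode(parts[1]))


def _scopes(payload: Dict[str, Any]) -> List[str]:
    raw = payload.get("scope", payload.get("scp", []))
    return raw.split() if isinstance(raw, str) else list(raw)


def analyze(token: str, now: int) -> List[Dict[str, str]]:
    """Flag risky claims. Returns {severity, claim, detail} records."""
    header, payload = decode_unverified(token)
    flags: List[Dict[str, str]] = []

    def flag(severity: str, claim: str, detail: str) -> None:
        flags.append({"severity": severity, "claim": claim, "detail": detail})

    if str(header.get("alg", "")).lower() == "none":
        flag("critical", "alg", "unsigned token (alg=none)")
    if payload.get("role") == "service_role":
        flag("critical", "role", "service_role bypasses Row-Level Security")
    for name in ADMIN_CLAIMS:
        if payload.get(name):
            flag("high", name, "admin flag set")
    broad = [s for s in _scopes(payload) if any(m in s for m in BROAD_SCOPE_MARKERS)]
    if broad:
        flag("high", "scope", "broad scopes: " + ", ".join(broad))
    exp = payload.get("exp")
    if exp is None:
        flag("medium", "exp", "no expiry claim")
    else:
        lifetime = int(exp) - int(payload.get("iat", now))
        if int(exp) < now:
            flag("info", "exp", "already expired")
        elif lifetime > LONG_LIVED_SECONDS:
            flag("medium", "exp", f"lives {lifetime // 86400} days")
    return flags


# Constructed samples with a fixed clock so the output is reproducible.
NOW = 1_700_000_000
SAMPLE_TOKEN = make_token({
    "iss": "supabase", "ref": "exampleref", "role": "service_role",
    "iat": NOW, "exp": NOW + 10 * 365 * 86400, "scope": "read:* write:* admin",
})
SAFE_TOKEN = make_token({"role": "anon", "iat": NOW, "exp": NOW + 3600, "scope": "read:profile"})

if __name__ == "__main__":
    for f in analyze(SAMPLE_TOKEN, NOW):
        print(f"{f['severity']:<8} {f['claim']:<6} {f['detail']}")
    print("safe token flags:", analyze(SAFE_TOKEN, NOW))
```

Because nothing is verified, the flags describe what the token asserts, not what the server will accept; that is the right question here, since a token served in a bundle is one the application itself hands to its users.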


Site scanner

One command discovers subdomains, crawls pages, and scans everything for secrets and BaaS vulnerabilities across a whole site.


Fewer false positives

200+ first-party domains and 87 vendor CDNs are suppressed, so browsing Google, AWS, GitHub, or Stripe never lights up red.

How it works

From browse to verdict in one step

Every serious scan ends with four things: a verdict, redacted proof, an exact fix, and a re-test command.

Scan

Load a page in the Chrome extension, point the CLI at a preview URL, or run keyleak local over your files. KeyLeak captures runtime traffic and bundles.

Validate

Found keys are tested live; BaaS endpoints are probed for missing RLS and public buckets. Findings are proven, not just pattern-matched.

Ship or block

You get SAFE TO SHIP, REVIEW, or BLOCK SHIP with remediation and a re-test command — perfect as a CI launch gate.
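The three steps above, scan, validate, and ship or block, as one added example that is not KeyLeak's code: it scans constructed traffic captures for known key formats, drops anything served from an assumed first-party vendor host (the suppression described under Fewer false positives), and turns what remains into a verdict with a re-test command. Live validation needs the network, so it is represented only by a live flag that a caller sets; the provider patterns, the suppression list and the block/review thresholds are assumptions.

```python
"""Added pipeline example (not KeyLeak's code): scan captured traffic for keys,
suppress first-party vendor hosts, and turn the findings into a ship/block verdict.
Patterns, the suppression list and the thresholds are assumptions."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Assumed provider fingerprints (simplified) and the severity a match carries
# before any live test.
PATTERNS = {
    "AWS access key ID":     (re.compile(r"\bAKIA[0-9A-Z]{16}\b"), "critical"),
    "Stripe secret key":     (re.compile(r"\bsk_live_[0-9A-Za-z]{24,}\b"), "critical"),
    "GitHub token":          (re.compile(r"\bghp_[A-Za-z0-9]{36}\b"), "high"),
    "Google/Gemini API key": (re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"), "high"),
    "Anthropic API key":     (re.compile(r"\bsk-ant-[A-Za-z0-9_-]{32,}\b"), "high"),
}

# Assumed subset of a first-party list: a key seen in traffic to the vendor's own
# hosts belongs to the vendor's page, not to the app under test.
FIRST_PARTY = {"google.com", "googleapis.com", "github.com", "stripe.com", "amazonaws.com"}

RANK = {"critical": 3, "high": 2, "medium": 1, "low": 0}


@dataclass
class Capture:
    url: str   # origin of the bytes: bundle, inline script, API response, header
    body: str


@dataclass
class Finding:
    provider: str
    severity: str
    source: str
    redacted: str
    live: Optional[bool] = None   # None: untested; True: confirmed active by a live test


def is_first_party(url: str) -> bool:
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in FIRST_PARTY)


def redact(secret: str) -> str:
    """Keep enough to recognise the key in a report, not enough to use it."""
    return secret[:6] + "..." + secret[-4:]


def scan(captures: List[Capture]) -> List[Finding]:
    findings, seen = [], set()
    for cap in captures:
        if is_first_party(cap.url):
            continue
        for provider, (rx, sev) in PATTERNS.items():
            for m in rx.finditer(cap.body):
                key = (provider, m.group(0))
                if key in seen:           # the same key served twice is one finding
                    continue
                seen.add(key)
                findings.append(Finding(provider, sev, cap.url, redact(m.group(0))))
    return findings


def effective_severity(f: Finding) -> str:
    # A key proven live is an incident whatever its static rating.
    return "critical" if f.live else f.severity


def verdict(findings: List[Finding]) -> str:
    worst = max((effective_severity(f) for f in findings), key=RANK.__getitem__, default=None)
    if worst in ("critical", "high"):
        return "BLOCK SHIP"
    if worst == "medium":
        return "REVIEW"
    return "SAFE TO SHIP"


def summarize(findings: List[Finding], target: str) -> str:
    counts: Dict[str, int] = {}
    for f in findings:
        s = effective_severity(f)
        counts[s] = counts.get(s, 0) + 1
    tally = ", ".join(f"{counts[s]} {s}" for s in sorted(counts, key=RANK.__getitem__, reverse=True))
    lines = [f"{verdict(findings)}: {tally or 'no findings'}"]
    for f in findings:
        state = "live (rotate now)" if f.live else "untested"
        lines.append(f"   {f.provider} - {state} - {f.redacted} - {f.source}")
    lines.append(f"Re-test: keyleak browser-scan {target} --baas-validate")
    return "\n".join(lines)


# Constructed captures standing in for what a browser session would record.
SAMPLE_CAPTURES = [
    Capture("https://app.acme.dev/app.bundle.js",
            'const cfg={gemini:"' + "AIzaSyA" + "0" * 32 + '"};'),
    Capture("https://api.acme.dev/v1/session",
            '{"aws_access_key_id":"AKIAIOSFODNN7EXAMPLE","user":"demo"}'),
    Capture("https://www.google.com/maps/embed.js",        # vendor's own key: suppressed
            'key="' + "AIzaSyB" + "1" * 32 + '"'),
    Capture("https://app.acme.dev/", "<html>nothing secret here</html>"),
]

if __name__ == "__main__":
    print(summarize(scan(SAMPLE_CAPTURES), "https://app.acme.dev"))
```

The suppression is keyed on where the bytes came from, not on the key format: the same AIza-style key is reported when it sits in the app's own bundle and ignored when it arrives from a Google host. A CI gate would run the live tests between scan and verdict and set live=True on confirmed keys, which is what turns a high finding into the critical one shown in the demo output at the top of the page.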

Coverage

What KeyLeak detects

From cloud credentials to backend misconfigurations to local config leaks.

Category | What | How
BaaS misconfig | Open Supabase tables, missing RLS, public storage buckets, callable RPCs | Active validation: probes the REST API with only the anon key
API keys | OpenAI, Anthropic, Gemini, Stripe, GitHub, AWS + 20 more | Regex detection + live TEST validation
JWT analysis | service_role exposure, admin flags, broad scopes, long expiry | Decode + claims analysis
Supply chain | npm lifecycle hooks, Git-ref optionalDeps, Pwn Request patterns | AST + fingerprint detection
Local config | .env, MCP configs, CI workflows, Docker files, source maps | keyleak local scanner

Install

Three ways to run it

Use the surface that matches your workflow — they share one detection engine.

🧩 Chrome Extension

Real-time detection as you browse, with live key testing and JWT decoding.

chrome://extensions → Load unpacked → select extension/

📦 PyPI / CLI

Scan live apps, whole sites, or local files from the terminal.

pip install keyleak-detector
keyleak browser-scan URL --html

⚙️ GitHub Action

Gate preview deployments in CI on Vercel, Netlify, Render & more.

uses: Amal-David/keyleak-detector@v0.5.0
with:
  mode: browser

FAQ

Questions, answered

What is KeyLeak Detector?

KeyLeak Detector is an open-source runtime security scanner for web apps. It finds API keys and secrets that only appear at runtime — in live traffic, JavaScript bundles, headers, and API responses — and validates Backend-as-a-Service misconfigurations such as missing Supabase Row-Level Security. It ships as a Chrome extension, a Python CLI, and a GitHub Action.

How is it different from GitLeaks or TruffleHog?

GitLeaks, TruffleHog, and GitHub secret scanning read source code to find hardcoded secrets. KeyLeak inspects the running application — the browser traffic and bundles your users actually receive — so it catches secrets injected at build or runtime that never appear in source. It also actively proves exploitability, for example by probing whether a Supabase anon key can read protected tables. It complements source scanners rather than replacing them.

Does KeyLeak send my data anywhere?

No. All analysis runs locally in your browser or on your machine. KeyLeak collects no data, has no telemetry or tracking, requires no account, and never transmits findings to an external server. Findings are stored only in your browser's local storage and cleared when the tab closes.

Which providers does it detect and test?

KeyLeak detects keys from 20+ providers including OpenAI, Anthropic, Gemini, Stripe, GitHub, AWS, Groq, Hugging Face, OpenRouter, SendGrid, and Slack. Its TEST feature validates whether a found key is still live for 14 of those providers, and surfaces the authenticated identity and scopes.

Is it free?

Yes. KeyLeak Detector is free and open source under the MIT license. The Chrome extension, CLI, and GitHub Action are all free to use.

Can I use it in CI/CD?

Yes. The GitHub Action runs on preview deployments from Vercel, Netlify, Render, Railway, and anywhere a preview URL is generated. It supports SARIF upload, configurable fail-on thresholds, and a launch-gate profile that blocks merges on high or critical findings.