INFRAVEILLive demo →
● Free tool · 100% client-side · nothing uploaded

Did you leak a secret?

Paste code, a .env, or a config file and instantly find exposed secrets — AWS keys, Stripe keys, GitHub tokens, private keys, database passwords, JWTs. Everything runs on your device; nothing is sent anywhere, and matches are masked in the results.

ℹ️Pattern-based scan of the text you pasted. It catches the common, high-signal secret formats — treat a clean result as a good sign, not a guarantee. Matches are masked; assume any flagged secret is already compromised.
🔒 100% client-side · your code never leaves this page · results are masked · this page sends nothing to us — open DevTools → Network and check, or scan with your Wi-Fi off

Why a leaked key is an emergency

The moment a secret touches a repo, a build log, a screenshot, or a paste — even a private one — assume it's compromised. Bots scan public GitHub for AWS and Stripe keys within seconds of a push, and a live key is enough to spin up servers on your bill or drain an account. The fix is never "delete the commit" — the commit still contains it. The fix is rotate first, then clean up.

Where secrets leak from

Almost always the same places: a .env that slipped into version control, a key hardcoded "just to test," a connection string with the password inline, or a secret baked into a Docker image via ENV/ARG where anyone who pulls the image can read it. Keep secrets out of code and images entirely — inject them at runtime.

This finds the leak. Infraveil shrinks what a leak can do.

Infraveil is a control plane you run on your own servers. Agents and workloads act through it — never with raw production credentials — and every action is scoped to least privilege and written to a tamper-evident audit trail. So a leaked credential has a small blast radius and a clear record, instead of being the keys to the kingdom.

See the live demo →

Frequently asked questions

Is it safe to paste my code or .env?

Yes — it runs entirely in your browser, nothing is uploaded or logged, and matches are masked in the results. It works offline.

I committed an API key — now what?

Rotate it immediately (assume it's compromised), then move it to a secret store / runtime env var, and purge it from git history. Rotating first is the only step that actually stops the exposure.

What does it detect?

AWS, Stripe, GitHub, Google, Slack, OpenAI/Anthropic, SendGrid, npm, PEM private keys, JWTs, DB connection strings with passwords, and generic secret/password/api-key assignments with real values.

How do I stop this from happening?

Keep secrets out of code/images, inject at runtime, and put a control plane in front of prod that scopes access and audits every action. That's what Infraveil does →