Secret-Scanner: A project to detect leaked secrets such as API keys, passwords, and more.
First of all, what is Secret-Scanner? Suppose you are working on a project that needs a lot of external service configuration: OpenAI, Gemini, AWS, secret keys, and so on. While working on it, you might accidentally leak some of those secrets into the project. If the project is public, that is a serious problem. My project can save you from those leaks.
Secret-Scanner is not the only project of its kind; there are thousands of similar projects. So why did I create it? The reason is self-learning, plus it is my second-semester project. Instead of building some useless terminal tool like a note-taking app, I thought I would build something useful.
In this write-up, I will focus mostly on how I built it. The first step was simple: I researched. I went through thousands of articles and asked a lot of questions. The priorities were scalability and fast performance. Since I was building it in C++, performance was going to be good anyway. On top of that, I added a layer of thread pooling. Yes, I wrote my own custom thread pool logic, because if you have a good system you want fast results, don't you? Jokes aside, imagine a project with more than 10 subprojects, a monorepo of sorts, where the file count is likely to be 100 to 300. In that case we want to use all of the system's cores, and that was the main reason for the thread pool.
How exactly does it scan, and what is it based on?
The project itself doesn't call any API. It uses something simple and powerful: regex. Yes, you heard me right. Currently the project has patterns for 60+ products' API keys, secrets, and so on, and more can be added as needed. Most importantly, all our regexes are well maintained and well written, with test cases.
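To make the two ideas above concrete, the regex rule table and the thread pool that fans files across cores, here is an added example written for this post; it is not the project's own code. The three rules, the file names and the planted values are constructed placeholders (the AKIA value is AWS's documented example key), and the pool uses an atomic cursor over the file list rather than a task queue.

```cpp
#include <atomic>
#include <mutex>
#include <regex>
#include <string>
#include <thread>
#include <utility>
#include <vector>
struct Finding { std::string file, rule, match; };
// Three constructed rules standing in for the project's 60+ patterns (illustrative, not its table).
static const std::vector<std::pair<std::string, std::regex>>& rules() {
    static const std::vector<std::pair<std::string, std::regex>> table = {
        {"aws-access-key-id", std::regex(R"rx(\bAKIA[0-9A-Z]{16}\b)rx")},
        {"generic-api-key",   std::regex(R"rx(api[_-]?key\s*[:=]\s*['"]?([A-Za-z0-9_-]{20,}))rx", std::regex::icase)},
        {"private-key-block", std::regex(R"rx(-----BEGIN (?:RSA |EC )?PRIVATE KEY-----)rx")},
    };
    return table;
}
// Run every rule over one file's text; report the captured group if the rule has one, else the whole match.
std::vector<Finding> scan_text(const std::string& file, const std::string& text) {
    std::vector<Finding> out;
    for (const auto& rule : rules())
        for (std::sregex_iterator it(text.begin(), text.end(), rule.second), end; it != end; ++it)
            out.push_back({file, rule.first, (*it)[1].matched ? (*it)[1].str() : it->str()});
    return out;
}
// Fixed pool of workers pulling file indices from an atomic cursor; findings are merged under one mutex.
std::vector<Finding> scan_all(const std::vector<std::pair<std::string, std::string>>& files,
                              unsigned workers = std::thread::hardware_concurrency()) {
    if (workers == 0) workers = 1;                 // hardware_concurrency() may report 0
    std::vector<Finding> merged; std::vector<std::thread> pool;
    std::mutex merge_mtx; std::atomic<size_t> next{0};
    for (unsigned w = 0; w < workers; ++w)
        pool.emplace_back([&] {
            for (size_t i = next.fetch_add(1); i < files.size(); i = next.fetch_add(1)) {
                std::vector<Finding> found = scan_text(files[i].first, files[i].second);
                std::lock_guard<std::mutex> lock(merge_mtx);
                merged.insert(merged.end(), found.begin(), found.end());
            }
        });
    for (std::thread& t : pool) t.join();
    return merged;
}
// Constructed sample "files" with planted dummy values; none is a real credential.
std::vector<std::pair<std::string, std::string>> sample_files() {
    return {{"config/aws.env", "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"},
            {"src/client.py",  "api_key = \"sk_test_placeholder_0123456789abcdef\"\n"},
            {"README.md",      "No secrets here, just docs.\n"},
            {"keys/dev.pem",   "-----BEGIN RSA PRIVATE KEY-----\nMIIEpAIBAAKCAQEA...\n"}};
}
```

Because workers merge whole-file results, the order of findings varies between runs; a real tool would sort by path before printing.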
What features did I add?
The main feature is the scanner engine I described earlier, written in C++ and also usable as a CLI tool. You and I are comfortable with programming, but what about people who don't understand the CLI, sudo apt, and so on? For them, I built a VS Code extension. Install the extension named Secret-scanner-pro in VS Code, click the icon at the bottom of the editor, and boom, you can scan your project and fix the findings. For more features, please see this Link. Don't forget that the extension uses the CLI tool I mentioned earlier under the hood, so you have to install secret-scanner globally on your system first; you can get it from GitHub here: Link
Future plans
Since this is my university second-semester project, I am not going to spend much more time on it. However, I will keep adding updated regex keys. That said, I am planning to add one feature: the user passes a repo link and the tool scans it on the fly, something like this:
./secret-scanner https://github.com/user/repo
That's it. With this feature, I hope my work is finished. I don't know whether this feature will have been built by the time you read this. If it has, you can comment and blame me for any issues; if it hasn't, be kind. I am probably doing my university assignment.
That’s all, thank you for reading.