Scan .env files, config snippets, and CI logs locally for likely API keys, tokens, private keys, JWTs, and database URLs.
- Runs locally
- Category: Developer & DevOps
- Best for: Formatting, validating, shrinking, or inspecting code-adjacent text.
What this tool does
ENV Secret Scanner checks pasted configuration text for common credential patterns without sending it anywhere. It detects private key blocks, AWS access key IDs, GitHub tokens, Stripe secret keys, Slack tokens, Google API keys, OpenAI-style API keys, JWTs, database URLs, and generic secret, token, password, API key, and client secret assignments. Findings are masked by default so the report can be shared without exposing full credentials. Use it before committing .env examples, publishing docs, sharing CI logs, sending support bundles, or reviewing leaked snippets. It is not a full enterprise secret detection engine, but it catches the patterns that most often appear in developer workflows.
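The detect-then-mask behaviour described above, sketched as an added example that is not the tool's own code. The rule names, regexes, the `scanSecrets` and `mask` helpers, and the masking format are assumptions based on publicly documented credential formats, and only a subset of the listed pattern types is covered.

```javascript
// Added example: rule names and regexes are assumptions based on publicly
// documented credential formats, not ENV Secret Scanner's own rule set.
const RULES = [
  ["private-key", /-----BEGIN [A-Z ]*PRIVATE KEY-----/g],
  ["aws-access-key-id", /\b(?:AKIA|ASIA)[0-9A-Z]{16}\b/g],
  ["github-token", /\bgh[pousr]_[A-Za-z0-9]{36,}\b/g],
  ["jwt", /\beyJ[\w-]+\.eyJ[\w-]+\.[\w-]+/g],
  ["database-url", /\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?|redis):\/\/[^\s:@\/]*:[^\s@]+@[^\s'"]+/g],
  // Generic NAME=value assignments run last; group 1 is the value.
  ["generic-assignment", /(?:secret|token|passw(?:or)?d|api[_-]?key)\w*\s*[=:]\s*['"]?([^\s'"]{8,})/gi],
];

// Keep a short prefix and suffix so a finding can be recognised, hide the rest.
function mask(value) {
  if (value.length <= 8) return "*".repeat(value.length);
  return value.slice(0, 4) + "*".repeat(value.length - 6) + value.slice(-2);
}

function scanSecrets(text) {
  const findings = [];
  text.split(/\r?\n/).forEach((line, i) => {
    const taken = []; // [start, end) spans already reported on this line
    for (const [type, re] of RULES) {
      for (const m of line.matchAll(re)) {
        const value = m[1] ?? m[0];
        const start = m.index + m[0].lastIndexOf(value);
        const end = start + value.length;
        // Skip shell-style references such as ${DB_PASSWORD}: no literal secret.
        if (/^\$\{?\w+\}?$/.test(value)) continue;
        // A specific rule wins over the generic one for the same characters.
        if (taken.some(([s, e]) => start < e && end > s)) continue;
        taken.push([start, end]);
        findings.push({ line: i + 1, type, masked: mask(value) });
      }
    }
  });
  return findings;
}

// Constructed sample input; AKIAIOSFODNN7EXAMPLE is AWS's documentation key.
const SAMPLE = [
  "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",
  "GITHUB_TOKEN=ghp_" + "a1B2".repeat(9),
  "DATABASE_URL=postgres://app:s3cr3tpw@db.internal:5432/app",
  "API_TOKEN=${CI_API_TOKEN}",
  "SESSION_SECRET='not-a-real-secret-value'",
].join("\n");
console.log(scanSecrets(SAMPLE));
```

The report carries only the line number, rule name, and masked value, so it can be shared without the full credential.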
Tool details
- Input: Files + Text + Numbers. The page exposes text boxes, numeric controls, file pickers, or structured inputs depending on the tool.
- Output: Live result + Copy + Download. The result area focuses on usable output, with copy, download, or preview actions when supported.
- Privacy: Browser-side processing. The main tool logic does not call an external API, so inputs normally stay in the current tab.
- Save / share: Shareable URL state. Key settings are encoded in the URL so another person can reopen the same setup.
- Performance budget: Initial JS <= 118 KB. No WASM budget is declared, keeping the tool quick to open on mobile.
- Best fit: Developer & DevOps · Developer. Category and role tags drive related tools, internal links, and quick fit checks.
How to use
1. Input: Paste or drop your content into the tool panel.
2. Process: Click the button. All processing is local in your browser.
3. Copy / Download: Copy the result or download to disk in one click.
How ENV Secret Scanner fits into your work
Use it in the small gaps between coding, reviewing, debugging, and shipping.
Developer jobs
- Formatting, validating, shrinking, or inspecting code-adjacent text.
- Preparing snippets for documentation, tickets, commits, or handoff.
- Checking a small payload quickly without switching tools.
Developer checks
- Run irreversible transforms like minify or obfuscate on a copy.
- Keep secrets out of pasted snippets unless the tool explicitly stays local.
- Use your normal tests or linter before shipping transformed code.
Good next steps
These links move the current task into a more complete workflow.
- .env File Validator: parse Bash-style .env, detect dups / missing required / unsafe values / leaked secret patterns; cross-compare prod / staging / dev envs.
- Password Leak Checker: check if your password has been seen in known breaches using k-anonymity (HIBP API style), the password never leaves your browser.
- HTTP Security Header Auditor: audit raw response headers for HSTS, CSP, cookie flags, MIME sniffing, clickjacking, referrer, and permissions policy gaps.
Real-world use cases
Check logs before sharing
Paste CI, deploy, or support logs and confirm obvious tokens are masked before sending them.
Review .env examples before commit
Catch real-looking credentials that slipped into sample configuration files.
Common pitfalls
- Sharing CI logs after a failed deploy without checking expanded environment variables.
- Assuming keys in documentation examples are harmless because they were meant to be placeholders.
Privacy
The scanner masks findings and runs locally, but real credentials should still be rotated if exposed elsewhere.