Scan your project for exposed secrets before they hit GitHub.
One command. Zero dependencies. Catches API keys, tokens, credentials, private keys, and dangerous files before you accidentally push them to a public repo.
Built by someone who accidentally exposed an API key in production. Learn from my mistakes.
```bash
# Scan current directory
npx env-armor .

# Scan a specific project
npx env-armor /path/to/your/project
```

That's it. No installation, no configuration, no dependencies.
| Provider | Pattern | Severity |
|---|---|---|
| AWS | Access keys, secret keys | 🔴 CRITICAL |
| Anthropic | sk-ant-api* keys | 🔴 CRITICAL |
| OpenAI | sk-* keys | 🔴 CRITICAL |
| GitHub | Personal tokens, OAuth tokens | 🔴 CRITICAL |
| Stripe | Secret keys, publishable keys | 🔴 CRITICAL |
| Slack | Bot tokens, webhooks | 🔴 CRITICAL |
| Discord | Bot tokens, webhooks | 🔴 HIGH |
| | API keys, Firebase keys | 🔴 HIGH |
| Twilio | API keys | 🔴 HIGH |
| SendGrid | API keys | 🔴 CRITICAL |
| Generic | Passwords, secrets, tokens in code | 🟡 MEDIUM |
| Database | Connection strings (MongoDB, Postgres, MySQL, Redis) | 🔴 HIGH |
| SSH/Auth | Private keys, basic auth in URLs | 🔴 CRITICAL |
| JWT | Exposed JWT tokens | 🔴 HIGH |
Detects sensitive files that should never be committed:
.env, .env.local, .env.production, id_rsa, id_dsa, id_ed25519, .htpasswd, .pgpass, .netrc, .npmrc, credentials.json, service-account.json, secrets.yml, wp-config.php, and more.
Checks your .gitignore for missing patterns that should be there: .env, .env.local, .env.production, *.pem, *.key, credentials.json, etc.
```text
╔═══════════════════════════════════════╗
║ 🛡️ ENV-ARMOR v1.0                     ║
║ Secret Scanner for Developers         ║
╚═══════════════════════════════════════╝

Scanning /Users/you/my-project...
Scanned 847 files in /Users/you/my-project

⚠ DANGEROUS FILES IN REPO
────────────────────────────────────────────────────────
✗ .env.local → src/.env.local

🔑 EXPOSED SECRETS FOUND: 3
────────────────────────────────────────────────────────
[CRITICAL]
✗ Anthropic API Key: src/lib/ai.ts:14
  Found: sk-ant...XAAA
✗ Stripe Secret Key: src/lib/billing.ts:8
  Found: sk_liv...4f2x
[HIGH]
✗ Database URL: src/config/db.ts:3
  Found: postgr...5432

⚠ .gitignore MISSING PATTERNS
────────────────────────────────────────────────────────
! .env.production not in .gitignore
! credentials.json not in .gitignore

SCAN COMPLETE: 6 issues found
2 CRITICAL — rotate these secrets immediately.
```
Run this before every commit. Your future self will thank you.
- Skips noise: node_modules, .git, dist, build, __pycache__, vendor, .next, .nuxt
- Skips binaries: images, fonts, videos, archives, compiled files
- Skips huge files: files over 1MB are ignored (they're probably not config files)
- Exit code 1 if any CRITICAL secrets are found (use in CI/CD pipelines)
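To make the scan pipeline concrete, here is an added in-memory sketch of the same checks (not env-armor's own code): pattern matching with masked output, dangerous-file and .gitignore checks, the skip rules above, and an exit code derived from CRITICAL findings. The regexes, severities and sample files are simplified assumptions constructed for this example.

```javascript
// Added example: an in-memory sketch of the checks described above. The regexes
// are simplified assumptions for illustration, not env-armor's own patterns.
const PATTERNS = [
  { name: 'AWS Access Key', severity: 'CRITICAL', re: /\bAKIA[0-9A-Z]{16}\b/g },
  { name: 'Anthropic API Key', severity: 'CRITICAL', re: /\bsk-ant-api[0-9A-Za-z_-]{20,}/g },
  { name: 'Stripe Secret Key', severity: 'CRITICAL', re: /\bsk_(?:live|test)_[0-9A-Za-z]{16,}\b/g },
  { name: 'GitHub Token', severity: 'CRITICAL', re: /\bghp_[0-9A-Za-z]{36}\b/g },
  { name: 'Database URL', severity: 'HIGH', re: /\b(?:postgres(?:ql)?|mongodb(?:\+srv)?|mysql|redis):\/\/[^\s'"]+/g },
];
const DANGEROUS_FILES = ['.env', '.env.local', '.env.production', 'id_rsa', 'credentials.json'];
const REQUIRED_IGNORES = ['.env', '.env.local', '.env.production', '*.pem', '*.key', 'credentials.json'];
const SKIP_DIRS = ['node_modules', '.git', 'dist', 'build', '__pycache__', 'vendor', '.next', '.nuxt'];
const MAX_BYTES = 1024 * 1024; // files over 1MB are skipped

// Report only a prefix and suffix so the full secret never lands in CI logs.
function mask(s) { return s.length <= 10 ? '***' : `${s.slice(0, 6)}...${s.slice(-4)}`; }

// files: { 'relative/path': 'content' }. Returns findings and the exit code CI would see.
function scan(files) {
  const findings = [];
  const ignored = (files['.gitignore'] || '').split('\n').map((l) => l.trim());
  for (const [path, content] of Object.entries(files)) {
    if (path.split('/').some((seg) => SKIP_DIRS.includes(seg))) continue; // noise dirs
    if (Buffer.byteLength(content, 'utf8') > MAX_BYTES) continue; // huge files
    if (DANGEROUS_FILES.includes(path.split('/').pop()))
      findings.push({ kind: 'dangerous-file', severity: 'HIGH', where: path });
    content.split('\n').forEach((line, i) => {
      for (const p of PATTERNS)
        for (const m of line.matchAll(p.re))
          findings.push({ kind: p.name, severity: p.severity, where: `${path}:${i + 1}`, found: mask(m[0]) });
    });
  }
  for (const pat of REQUIRED_IGNORES)
    if (!ignored.includes(pat)) findings.push({ kind: 'gitignore-missing', severity: 'LOW', where: pat });
  const critical = findings.filter((f) => f.severity === 'CRITICAL').length;
  return { findings, critical, exitCode: critical > 0 ? 1 : 0 };
}

// Constructed sample project; every "secret" below is a made-up placeholder.
const SAMPLE = {
  '.gitignore': '.env\nnode_modules\n',
  'src/.env.local': 'SECRET=1',
  'src/lib/ai.ts': 'const key = "sk-ant-api03-' + 'A'.repeat(40) + '";',
  'src/config/db.ts': 'export const url = "postgres://app:pw@db.internal:5432/app";',
  'node_modules/x/index.js': 'const t = "ghp_' + 'b'.repeat(36) + '";', // skipped as noise
};
const result = scan(SAMPLE); // result.exitCode === 1: one CRITICAL finding fails the job
```

In a real CI step the process would exit with `result.exitCode`, which is what lets the pipeline fail on CRITICAL findings without any extra configuration.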
```yaml
- name: Scan for secrets
  run: npx env-armor .
```

env-armor exits with code 1 if CRITICAL secrets are found, which will fail your pipeline automatically.
I accidentally pushed an Anthropic API key to a public repo. By the time I noticed, it had been scraped. I had to rotate the key across three projects, update environment variables on two hosting platforms, and verify nothing was compromised.
That took two hours. This tool takes two seconds.
Run it before every push. Your future self will thank you.
MIT
Built by DrCookies84 | Part of the Ghost Layer Security ecosystem