Secret Scanner

Scan code and config files for leaked API keys, tokens, and secrets — entirely in your browser with zero uploads.


How ZeroData protects your privacy

  • No Uploads: Processing happens entirely via client-side JavaScript.
  • No Storage: We do not have a database. We physically cannot save your data.
  • No Tracking: We don't log what you process or track your inputs.
  • Verifiable: Check your DevTools Network tab. You will see 0 outbound requests.

How to Use the Secret Scanner

  1. Paste your code, configuration, or environment file into the input editor.
  2. Click Scan for Secrets to run the pattern detection.
  3. Review any findings with severity levels and line numbers.
  4. Rotate any exposed credentials and update your codebase.

Frequently Asked Questions

Is my code uploaded to a server?

No. All pattern matching runs locally in your browser using JavaScript regex. Your source code never leaves your device.

What types of secrets does it detect?

It detects AWS keys, GitHub tokens, Google API keys, Stripe keys, Slack tokens, private keys, database URLs, JWT tokens, npm tokens, SendGrid keys, Twilio SIDs, and generic API key/secret patterns.
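The kind of local regex matching described in the two answers above, with findings reported by severity and line number, as an added example. It is not ZeroData's code: the rule names, severities, placeholder filter and sample input are assumptions, and only a few of the listed secret types are covered.

```javascript
// Added example: rule set, severities and sample input are assumptions,
// not the scanner's actual patterns.
const RULES = [
  { id: "aws-access-key-id", severity: "high", re: /\b(?:AKIA|ASIA)[0-9A-Z]{16}\b/g },
  { id: "github-pat", severity: "high", re: /\bghp_[A-Za-z0-9]{36}\b/g },
  { id: "private-key", severity: "critical",
    re: /-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----/g },
  { id: "jwt", severity: "medium",
    re: /\beyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}/g },
  // Capture group 1 holds the assigned value, so only the value is reported.
  { id: "generic-secret", severity: "low",
    re: /\b(?:api[_-]?key|secret|token|password)\b\s*[:=]\s*["']([^"'\s]{12,})["']/gi },
];

// Values that are clearly template placeholders, not credentials.
const PLACEHOLDER = /^(?:x+|changeme|your[_-].*|\$\{.*\}|<.*>)$/i;

// Redact matches so the findings list does not become a second copy of the secret.
function redact(s) {
  return s.length <= 8 ? "*".repeat(s.length) : s.slice(0, 4) + "..." + s.slice(-2);
}

// Scan text line by line; return findings with 1-based line and column.
function scan(text) {
  const findings = [];
  text.split(/\r?\n/).forEach((line, i) => {
    for (const rule of RULES) {
      for (const m of line.matchAll(rule.re)) {
        const value = m[1] ?? m[0];
        if (PLACEHOLDER.test(value)) continue; // reduce false positives
        findings.push({ line: i + 1, column: m.index + 1, rule: rule.id,
                        severity: rule.severity, match: redact(value) });
      }
    }
  });
  return findings;
}

// Constructed sample input; none of these values is a real credential.
const SAMPLE = [
  "# config.env (constructed sample, no real credentials)",
  "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",
  'GH_TOKEN="ghp_' + "a1B2".repeat(9) + '"',
  'api_key = "your_api_key_here"',
  'password = "correct-horse-battery"',
  "-----BEGIN RSA PRIVATE KEY-----",
].join("\n");

console.table(scan(SAMPLE));
```

The placeholder on line 4 of the sample is skipped, while the other four lines with credential-shaped values are each reported once.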

What should I do if it finds a secret?

Immediately rotate (regenerate) the exposed credential in the respective service's dashboard. Then remove it from your code and use environment variables or a secrets manager instead.

Is this a replacement for tools like Gitleaks?

This is a quick pre-commit check for individual files. For comprehensive repository-wide scanning, we recommend also using Gitleaks, TruffleHog, or GitHub's built-in secret scanning.


© 2026 ZeroData Tools. All rights reserved.