Arpit Gupta

How This VSCode Extension Saves Your Code from Exposed Secrets?

As developers, we’ve all been there—pushing code in a rush, only to realize moments later that we’ve accidentally committed sensitive information. Maybe it’s an API key, a database password, or a token that should have stayed private. The fallout can range from mild embarrassment to a full-blown security breach.

This exact scenario happened to me. That one careless push led to hours of damage control: revoking keys, updating configurations, and patching vulnerabilities. It was frustrating, but more than that, it got me thinking: Why are we relying on post-commit tools to catch these mistakes? Why not prevent them before they even hit Git?

That’s when I decided to build SecretStack, a Visual Studio Code extension designed to solve this problem at its root.


The Problem: Secrets in Code

Exposing sensitive information in your code is a common yet costly mistake. While there are great tools like git-secrets and truffleHog that scan repositories for secrets, they often operate after the fact. By the time they flag something, the damage might already be done:

  • The secret is in your commit history.
  • It could be cached in forks or clones.
  • Revoking and rotating keys becomes an urgent task.

In short, these tools are reactive, not proactive.


The Solution: SecretStack

SecretStack takes a different approach. It integrates directly into your coding workflow, scanning your files before you commit. The goal is simple: to help you catch exposed secrets early, so they never make it into your repository in the first place.

Get SecretStack here: SecretStack on VSCode Marketplace

[Image: SecretStack VSCode Extension]


What Makes SecretStack Unique?

Here’s what SecretStack brings to the table:

1. Manual Scan Control

You’re in charge. With a single click on the Find Exposed Secrets button in the VSCode status bar, you can scan your entire workspace or specific folders. No automatic scans interrupting your workflow—just actionable insights when you need them.

2. Custom Pattern Detection

Every project is different, and so are the secrets it might contain. SecretStack lets you define custom regex patterns to detect specific types of secrets, like API keys, tokens, or internal credentials.

For example, you can add patterns like this to your settings:

"secret-stack.customPatterns": [
    {
        "name": "AWS Access Key",
        "regex": "AKIA[0-9A-Z]{16}",
        "severity": "High"
    },
    {
        "name": "GitHub Token",
        "regex": "ghp_[A-Za-z0-9_]{36}",
        "severity": "Medium"
    }
]

3. Real-Time Feedback

SecretStack provides instant, time-stamped updates during scans. You’ll know how many files were scanned and whether any secrets were detected, all without leaving your editor.

4. Comprehensive Logs and Reports

After every scan, SecretStack generates:

  • A detailed log in .secret-stack-result.log, showing which files were scanned and what was detected.

[Image: SecretStack Logs]

  • A visual HTML report in .secret-stack-report.html, summarizing detected secrets, their severity, and file locations. By default, these files are added to .gitignore to prevent accidental commits.

[Image: SecretStack HTML Report]

5. Pre-Commit Scan Reminder

Ever forget to run a scan before committing? SecretStack has your back with a gentle nudge to run a quick scan before pushing your code.

[Image: SecretStack Pre-commit Scan Reminder]

6. Handling False Positives

Not every flagged item is a real secret. For example, test keys or mock data might trigger a false positive. SecretStack makes it easy to dismiss these by clicking Ignore in the results view. This keeps your logs clean and focused on real risks.

[Image: SecretStack False Positives]


How to Get Started with SecretStack

1. Install the Extension

Search for SecretStack in the VSCode Extensions Marketplace and click Install. Alternatively, download the .vsix file from the GitHub repository and install it manually.

2. Run Your First Scan

Once installed, click the Find Exposed Secrets button in the status bar. Choose to scan:

  • The entire workspace.
  • A specific folder within your project.

3. Review and Resolve

The results view will highlight detected secrets, showing the file path and line number. You can:

  • Click on a result to jump directly to the offending line.
  • Mark false positives as ignored.
  • Fix the exposed secrets before continuing.

4. Customize for Your Needs

Tailor SecretStack to your project by adding custom patterns or excluding irrelevant files (e.g., node_modules, .git).

"secret-stack.excludeFiles": [
    "**/node_modules",
    "**/dist",
    "**/*.min.js",
    "**/package-lock.json",
    ".git",
    ".vscode",
    ".secret-stack"
]
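To show how the custom patterns, the exclude globs and the Ignore action from the sections above fit together, here is a small stand-alone scanner written for this post. It is an added example, not SecretStack's own source: the glob handling, the `ignored` key format and the sample workspace are all assumptions made for the demo.

```javascript
// Added example (not SecretStack's source): applies the customPatterns and
// excludeFiles settings shown above to an in-memory workspace; glob support is minimal.
const settings = {
  "secret-stack.customPatterns": [
    { name: "AWS Access Key", regex: "AKIA[0-9A-Z]{16}", severity: "High" },
    { name: "GitHub Token", regex: "ghp_[A-Za-z0-9_]{36}", severity: "Medium" },
  ],
  "secret-stack.excludeFiles": ["**/node_modules", "**/dist", "**/*.min.js", ".git"],
};
// "**/" matches zero or more leading directories, "*" matches within one segment; a matching directory excludes its subtree.
function globToRegExp(glob) {
  const escaped = glob.replace(/[.+?^${}()|[\]\\]/g, "\\$&");
  const body = escaped.replace(/\*\*\//g, "\u0000").replace(/\*/g, "[^/]*").replace(/\u0000/g, "(?:.*/)?");
  return new RegExp("^" + body + "(/.*)?$");
}
function isExcluded(path, excludes) {
  return excludes.some((g) => globToRegExp(g).test(path));
}
// One finding per pattern hit per line. `ignored` holds keys of findings the user
// dismissed as false positives; the report carries only a redacted preview, never the full secret.
function scanFile(path, text, patterns, ignored) {
  const compiled = patterns.map((p) => ({ ...p, re: new RegExp(p.regex, "g") }));
  const findings = [];
  text.split("\n").forEach((line, i) => {
    for (const p of compiled) {
      for (const m of line.matchAll(p.re)) {
        const key = `${path}:${i + 1}:${p.name}`;
        if (ignored.has(key)) continue;
        findings.push({ file: path, line: i + 1, name: p.name, severity: p.severity, key, preview: m[0].slice(0, 4) + "..." });
      }
    }
  });
  return findings;
}
function scanWorkspace(files, cfg, ignored = new Set()) {
  const scanned = [], findings = [];
  for (const [path, text] of Object.entries(files)) {
    if (isExcluded(path, cfg["secret-stack.excludeFiles"])) continue;
    scanned.push(path);
    findings.push(...scanFile(path, text, cfg["secret-stack.customPatterns"], ignored));
  }
  return { scanned, findings };
}
// Constructed workspace with sample values (not real credentials).
const workspace = {
  "src/config.js": 'key = "AKIA' + "ABCDEFGHIJKLMNOP" + '"\ntoken = "ghp_' + "x".repeat(36) + '"\n',
  "node_modules/lib/index.js": 'key = "AKIA' + "Z".repeat(16) + '"\n',
  "test/fixtures.js": "// mock: AKIA" + "Z".repeat(16) + "\n",
};
const report = scanWorkspace(workspace, settings); // 2 files scanned, 3 findings
```

Passing the key of a dismissed finding in `ignored` (for example the mock key in test/fixtures.js) drops it from later reports, which is the effect the Ignore button described above has on the log.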

[Image: SecretStack Custom Patterns]


Why SecretStack?

This isn’t just a tool—it’s a philosophy. SecretStack encourages developers to adopt a proactive mindset about security. By catching mistakes early, you:

  • Protect sensitive information from exposure.
  • Save time and effort spent on post-commit fixes.
  • Build better coding habits that prioritize security.

Let’s Build a Safer Workflow Together

I created SecretStack because I saw a gap—a need for better pre-commit secret detection. But no tool is perfect, and I believe the best ideas come from collaboration.

If this extension resonates with you, give it a try. Open issues, suggest features, or contribute directly to the code. Let’s make coding safer for everyone.

Check it out on GitHub: SecretStack

Your feedback and contributions could shape the future of SecretStack. Let’s catch those secrets before they catch us.


About ArpitStack

I’m passionate about creating innovative, open-source solutions to simplify and enhance developer workflows. ArpitStack.com is my personal portfolio where I showcase my work, including projects like SecretStack, CloudStack, and more.

Feel free to explore my GitHub Repos for innovative solutions, and if you find my work valuable, consider supporting me through GitHub Sponsors or by buying me a coffee. Your support is greatly appreciated ❤️!


Top comments (4)

Subhendu Kundu:
Insightful.

Arpit Gupta:
Thanks a ton!!

Wizard:
Gonna use this, looks very promising

Arpit Gupta:
Thanks! I’m thrilled you’re giving it a try – hope it works great for you!
