Binayak Jha
SecAPI: Secure, AI-Driven API Key Management & Leak Prevention

GitHub “Finish-Up-A-Thon” Challenge Submission

This is a submission for the GitHub Finish-Up-A-Thon Challenge

What I Built

SecAPI is a local-first, zero-trust CLI utility and key manager designed to make the secure way of handling API keys also the easiest path for developers.

Hardcoded secrets (Stripe, OpenAI, or AWS keys, for example) committed to repository files are one of the most common causes of credential leaks. Developers often fall back on plaintext .env files that can be accidentally staged and pushed, or struggle with complex vault set-ups.

SecAPI solves this with a seamless three-step command line workflow:

  1. Scans a codebase for exposed API keys using fast regex rules or, optionally, AI analysis.
  2. Vaults secrets locally, encrypted with AES-256 under a key derived from the master password with PBKDF2-HMAC (entirely offline).
  3. Replaces each hardcoded string literal in code with a runtime reference (load_key("key_name")), preserving variable names, indentation, and comments.

The result: code stays free of raw credentials, environments are easy to separate, and pushes containing unencrypted credentials are blocked, all without relying on a hosted cloud vault.
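To make steps 1 and 3 concrete (and the staged-changes check that the pre-commit hook described further down needs), here is an added example. It is my own code for this page, not SecAPI's scanner or fixer.py: a small regex scanner, a fixer that rewrites only the string literal on the right-hand side of a leaked assignment, and a diff-mode scan that looks only at the lines a commit adds. The rule set, the load_key name, and the sample source and diff are constructed for illustration; the AWS value is Amazon's documentation example key and the Stripe-shaped values are made up.

```python
import re
from dataclasses import dataclass

# Constructed rule set for this example (not SecAPI's rules): rule name -> credential shape.
RULES = {
    "stripe_secret": re.compile(r"sk_(?:live|test)_[0-9A-Za-z]{24,}"),
    "aws_access_key_id": re.compile(r"AKIA[0-9A-Z]{16}"),
    "openai_api_key": re.compile(r"sk-[A-Za-z0-9_-]{20,}"),
}

# An assignment whose right-hand side is a plain string literal. Everything except the
# literal is captured so the fixer can put it back byte-for-byte.
ASSIGN = re.compile(
    r"""^(?P<lhs>\s*(?P<name>[A-Za-z_][A-Za-z0-9_]*)\s*(?::\s*[\w\[\], ]+)?\s*=\s*)"""
    r"""(?P<quote>["'])(?P<value>[^"'\n]*)(?P=quote)(?P<rest>.*)$"""
)

HUNK = re.compile(r"^@@ -\d+(?:,\d+)? \+(?P<start>\d+)(?:,\d+)? @@")


@dataclass
class Finding:
    line: int     # 1-based line number in the scanned text
    rule: str
    name: str     # identifier on the left-hand side, "" when the line is not an assignment
    secret: str


def scan_text(text: str) -> list[Finding]:
    """Step 1: regex scan of whole files; reports the first matching rule per line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES.items():
            hit = pattern.search(line)
            if hit:
                assign = ASSIGN.match(line)
                findings.append(Finding(lineno, rule, assign.group("name") if assign else "", hit.group(0)))
                break
    return findings


def fix_source(text: str) -> str:
    """Step 3: rewrite only the string literal (RHS) of a leaked assignment to a
    load_key(...) call named after the variable. LHS, indentation and the trailing
    comment are reproduced from the captures, so the diff touches one token.
    A leak that is not a plain assignment is reported by scan_text but left alone."""
    out = []
    for line in text.splitlines(keepends=True):
        body, nl = (line[:-1], "\n") if line.endswith("\n") else (line, "")
        assign = ASSIGN.match(body)
        if assign and any(p.search(assign.group("value")) for p in RULES.values()):
            body = f'{assign.group("lhs")}load_key("{assign.group("name")}"){assign.group("rest")}'
        out.append(body + nl)
    return "".join(out)


def scan_staged_diff(diff: str) -> list[tuple[str, int, str]]:
    """Hook mode: scan only lines a commit ADDS (the output of git diff --cached), so a
    leak already in history does not block every later commit. Returns
    (path, line number in the new file, rule) tuples; a non-empty list blocks the commit."""
    hits, path, lineno = [], "", 0
    for raw in diff.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].removeprefix("b/")
            continue
        if raw.startswith(("--- ", "\\")):      # old-file header, "\ No newline" marker
            continue
        hunk = HUNK.match(raw)
        if hunk:
            lineno = int(hunk.group("start"))   # first post-image line of this hunk
            continue
        if raw.startswith("-"):                 # removed line: not present in the new file
            continue
        if raw.startswith("+"):
            for rule, pattern in RULES.items():
                if pattern.search(raw[1:]):
                    hits.append((path, lineno, rule))
                    break
        lineno += 1                             # context and added lines both advance
    return hits


# Constructed sample input: a source file with two leaks and a staged diff adding one.
SAMPLE = (
    "import os\n"
    "# payment setup\n"
    'STRIPE_KEY = "sk_live_EXAMPLEEXAMPLEEXAMPLE0001"  # TODO rotate\n'
    "def make_client():\n"
    "    aws_key: str = 'AKIAIOSFODNN7EXAMPLE'\n"
    '    timeout = "30"\n'
    "    return aws_key, timeout\n"
)
STAGED_DIFF = (
    "diff --git a/app/config.py b/app/config.py\n"
    "--- a/app/config.py\n"
    "+++ b/app/config.py\n"
    "@@ -1,3 +1,4 @@\n"
    " import os\n"
    "-API_KEY = os.environ['API_KEY']\n"
    '+API_KEY = "sk_test_EXAMPLEEXAMPLEEXAMPLE0002"\n'
    "+DEBUG = True\n"
    " TIMEOUT = 30\n"
)

if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        print(f"line {f.line}: {f.rule} assigned to {f.name or '<expression>'}")
    print(fix_source(SAMPLE))
    print("commit blocked" if scan_staged_diff(STAGED_DIFF) else "commit allowed")
```

Two design points matter in practice. The fixer rewrites from regex captures rather than by string substitution of the secret, which is what keeps the left-hand side, the annotation and the trailing comment intact. The hook scan only inspects added lines and maps each hit back to a line number in the new file by walking the hunk headers, so a developer is told exactly where to look, and an old leak that is being removed never trips the hook.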


Demo

The Scrolling CLI Showcase in Action

Check out the interactive scrollytelling page on secapi.netlify.app to see the simulator type out and execute the CLI commands (scanning, setting up vaults, applying smart code rewrites, checking the status board, and running the git pre-commit hook) in real time as you scroll!


The Comeback Story

Where It Started

SecAPI was an abandoned CLI prototype. It was uninstallable because of file-packaging typos, suffered from weak vault security (a custom padding scheme instead of a standard key derivation function), had no recovery option if the master password was lost, and used a basic console print to list keys. Furthermore, the AI scanner relied on outdated OpenAI package versions, creating environment conflicts.

What I Changed, Fixed, and Added

I gave the project a complete, ground-up overhaul to turn it into a premium, production-ready tool:

  1. Packaging & Installation: Fixed filename bugs (removed a rogue leading space on configuration files) and created a one-command installer script (install.sh) that auto-detects pipx or pip to set up the CLI globally.
  2. Vault Cryptography Upgrade: Replaced the weak padding scheme in secure.py with standard PBKDF2-HMAC (100,000 iterations of SHA-256) and a random salt to derive vault keys.
  3. Emergency Mnemonic Recovery Key: Added an automatic 24-character recovery mnemonic during vault initialization. Users can safely reset their master password via secapi recover without losing stored secrets.
  4. Automated Schema Migration: Implemented a helper that detects older flat JSON vaults and automatically migrates them to the new dual-encrypted schema upon execution.
  5. Smart LHS-Preserving Fixer: Rewrote the replacement engine in fixer.py to target only the string literal (RHS) of leaked assignments, leaving variable names (LHS), indentation, and comments untouched.
  6. Zero-Dependency Gemini 2.5 Flash Audit: Replaced the conflict-prone OpenAI module with a zero-dependency Gemini API client built using Python's standard urllib library. Implemented line-aware chunking to scan massive files without hitting token limits.
  7. Git Pre-Commit Hook Integration: Built secapi init-hook to install an executable git hook. It scans staged changes in a non-interactive mode and blocks commits if unencrypted secrets are introduced.
  8. ANSI TUI Dashboard: Upgraded the simple text listing to a responsive status board showing key names, ages in days, and colorful status badges (🟢 Active, 🟡 Rotate Soon, 🔴 Expired).
  9. Multi-Environment Profiles: Support for dev, staging, and prod vaults via CLI flags (--env) and environment variables (SECAPI_ENV).
  10. Testing: Wrote a complete test suite of 12 automated unit tests verifying cryptography, migrations, hook installations, and chunking, achieving 100% green status on pytest.
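An added example, not SecAPI's secure.py, of one vault layout that gives both properties from items 2 and 3 above: PBKDF2-HMAC-SHA256 key derivation with a random salt, and a master-password reset that does not touch the stored secrets. The layout assumed here is envelope encryption: a random 32-byte data key encrypts the secrets with AES-256-GCM, and that data key is wrapped twice, once under a key derived from the master password and once under a key derived from the 24-character recovery code. The post calls its own format a dual-encrypted schema; whether it matches this layout is an assumption, and the field names and recovery-code alphabet are mine. It uses the cryptography package the post names later.

```python
import base64
import hashlib
import json
import secrets

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

ITERATIONS = 100_000   # PBKDF2-HMAC-SHA256 work factor, the figure the post uses
SALT_LEN = 16          # fresh random salt per wrap, so equal passwords never share a key
NONCE_LEN = 12         # 96-bit GCM nonce, fresh for every encryption
# Assumed recovery-code alphabet: 30 symbols without the look-alikes 0/O/1/I/L.
ALPHABET = "ABCDEFGHJKMNPQRSTVWXYZ23456789"


def b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode()


def unb64(text: str) -> bytes:
    return base64.b64decode(text)


def kek_from(passphrase: str, salt: bytes) -> bytes:
    """Derive a 256-bit key-encryption key from a password or recovery code."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, ITERATIONS, dklen=32)


def seal(key: bytes, plaintext: bytes, label: bytes) -> dict:
    """AES-256-GCM with a fresh nonce. The label is bound as associated data so a
    ciphertext cannot be moved from one slot of the vault file to another."""
    nonce = secrets.token_bytes(NONCE_LEN)
    return {"nonce": b64(nonce), "ct": b64(AESGCM(key).encrypt(nonce, plaintext, label))}


def open_box(key: bytes, box: dict, label: bytes) -> bytes:
    return AESGCM(key).decrypt(unb64(box["nonce"]), unb64(box["ct"]), label)


def wrap_dek(passphrase: str, dek: bytes) -> dict:
    salt = secrets.token_bytes(SALT_LEN)
    return {"salt": b64(salt), **seal(kek_from(passphrase, salt), dek, b"dek")}


def unwrap_dek(passphrase: str, slot: dict) -> bytes:
    return open_box(kek_from(passphrase, unb64(slot["salt"])), slot, b"dek")


def init_vault(master_password: str, entries: dict) -> tuple[dict, str]:
    """Create a vault; returns (vault, recovery_code). The code is shown to the user once."""
    dek = secrets.token_bytes(32)
    recovery_code = "".join(secrets.choice(ALPHABET) for _ in range(24))
    vault = {
        "version": 2,
        "password_slot": wrap_dek(master_password, dek),
        "recovery_slot": wrap_dek(recovery_code, dek),
        "secrets": seal(dek, json.dumps(entries).encode(), b"secrets"),
    }
    return vault, recovery_code


def open_vault(vault: dict, master_password: str) -> dict:
    """A wrong password raises InvalidTag from GCM; it never yields garbled plaintext."""
    dek = unwrap_dek(master_password, vault["password_slot"])
    return json.loads(open_box(dek, vault["secrets"], b"secrets"))


def password_is_valid(vault: dict, master_password: str) -> bool:
    try:
        unwrap_dek(master_password, vault["password_slot"])
        return True
    except InvalidTag:
        return False


def recover(vault: dict, recovery_code: str, new_password: str) -> dict:
    """Password reset as assumed here: unwrap the data key with the recovery code and
    re-wrap it under the new password. The encrypted secrets blob is not touched."""
    dek = unwrap_dek(recovery_code, vault["recovery_slot"])
    vault["password_slot"] = wrap_dek(new_password, dek)
    return vault


if __name__ == "__main__":
    vault, code = init_vault("correct horse", {"STRIPE_KEY": "sk_live_example"})
    print("recovery code:", code)
    print(open_vault(recover(vault, code, "new password"), "new password"))
```

The recovery property falls out of the layout rather than from any special-casing: both the password and the recovery code only ever protect the data key, so replacing one slot is a small, independent write. The same structure also gives cheap password rotation and lets a future schema migration re-encrypt the secrets blob once under a new data key while leaving both derivation slots alone.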

My Experience with GitHub Copilot

GitHub Copilot was an invaluable partner in reviving this codebase:

  • Refactoring Cryptography: Copilot helped write clean, standard PBKDF2-HMAC and AES GCM code using the cryptography library, ensuring the migration path was mathematically sound and didn't lose any legacy keys.
  • Creating the Zero-Dependency Client: Writing standard library urllib.request code for multi-part JSON API calls can be verbose. Copilot sped up the creation of the Gemini client, making it clean and robust against empty API responses.
  • Web Design Iterations: Copilot generated the Vanilla CSS styling and the intersection observers for the scrolling landing page, giving the project a modern, glassmorphic layout that immediately captures attention.
