BLIQ_kr

The API keys you almost shipped to prod — and the free scanner I built to catch them

I'm a solo maker shipping small apps, often with AI writing most of the code. The thing that kept me up at night: right before launch it's really easy to leave a live API key or an obvious vulnerability sitting in the codebase — especially when you didn't hand-write every line and you're moving fast.

So I built a small tool to catch that before it goes public. It's called presec.

What it does

You paste your code (or drop a zip), and it runs two passes on the server:

  1. Regex rules scan for exposed secrets — AWS, Stripe sk_live_, OpenAI / Anthropic keys, Google, GitHub tokens, private keys, hardcoded passwords, committed .env files, etc. Public-intent keys like Stripe pk_ or a Supabase anon JWT get classified as false positives so the tool doesn't cry wolf.
  2. Selected snippets go to an LLM to flag critical vulnerabilities and return the top 3 prioritized fixes with code.

You get one report: risk summary → exposed secrets (masked) → critical vulns → top 3 fixes. ~1 minute, free, no login.

It's an assistive check, not a full security audit — I'm clear about that in the tool itself. It's for catching the obvious, embarrassing stuff before strangers see it.

The leaks it keeps catching

  • Admin / service-role keys in the repo. A Supabase service_role key (anything that bypasses row-level security) in your code is game over — whoever has it owns your DB.
  • The classic committed .env. It's .gitignored… except that one time it wasn't.
  • Hardcoded password= / secret= left over from "I'll fix it later."
  • Public vs secret confusion — people panic over a pk_ (it's fine, it's public) while a real sk_live_ sits two lines down.

Funny aside: when I scanned presec's own repo, it flagged the example -----BEGIN PRIVATE KEY----- string in my README as a critical leak. So example patterns in docs are a false-positive category I still need to handle. Dogfooding works.
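To make the regex pass from "What it does" concrete (secret rules, public-intent keys such as Stripe pk_ or a Supabase anon JWT classed as false positives, masking before storage) and to show one way of handling the README false positive from the aside, here is a small scanner I've added for this post. It is example code, not presec's source: the rules, the doc-path heuristic, the masking scheme and the sample repo are all constructed. The Supabase distinction is made by reading the unverified JWT payload's `role` claim (anon is public, service_role is critical); findings in doc-like paths are moved to an "example" bucket that is still listed rather than hidden.

```python
import base64
import json
import re
from dataclasses import dataclass

# Constructed rule set for this example (not presec's real rules). Severity
# "public" marks keys designed to ship to the browser (Stripe pk_, Supabase
# anon JWT); they are reported as false positives rather than as leaks.
RULES = [
    ("aws_access_key_id", r"\bAKIA[0-9A-Z]{16}\b", "critical"),
    ("stripe_secret_key", r"\bsk_(?:live|test)_[0-9A-Za-z]{16,}\b", "critical"),
    ("stripe_publishable_key", r"\bpk_(?:live|test)_[0-9A-Za-z]{16,}\b", "public"),
    ("openai_api_key", r"\bsk-[A-Za-z0-9_-]{20,}", "critical"),
    ("github_token", r"\bgh[pousr]_[A-Za-z0-9]{36,}\b", "critical"),
    ("private_key_block", r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----", "critical"),
    ("hardcoded_password", r"(?i)\b(?:password|secret)\s*=\s*['\"][^'\"\s]{4,}['\"]", "high"),
    # Any JWT; the final severity comes from the token's "role" claim (see classify).
    ("jwt", r"\beyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}", "high"),
]
COMPILED = [(name, re.compile(pattern), sev) for name, pattern, sev in RULES]
SEVERITY_ORDER = ["critical", "high", "example", "public"]

@dataclass
class Finding:
    rule: str
    path: str
    line: int       # 0 for file-level findings such as a committed .env
    severity: str
    masked: str     # the matched value is masked before it is stored or shown

def mask(value: str) -> str:
    """Keep a short prefix/suffix so the owner can recognise which key leaked."""
    if len(value) <= 8:
        return "*" * len(value)
    return value[:4] + "*" * (len(value) - 6) + value[-2:]

def is_doc_path(path: str) -> bool:
    """Heuristic (assumption): docs and READMEs mostly hold example patterns."""
    p = path.lower()
    return p.endswith((".md", ".rst", ".txt")) or p.startswith("docs/") or "readme" in p

def is_env_file(path: str) -> bool:
    name = path.rsplit("/", 1)[-1]
    return name == ".env" or (name.startswith(".env.") and not name.endswith((".example", ".sample")))

def jwt_role(token: str):
    """Read the 'role' claim from an *unverified* JWT payload (detection only)."""
    try:
        payload = token.split(".")[1]
        payload += "=" * (-len(payload) % 4)
        return json.loads(base64.urlsafe_b64decode(payload)).get("role")
    except (ValueError, IndexError, AttributeError):
        return None

def classify(rule: str, base_severity: str, path: str, value: str) -> str:
    if rule == "jwt":
        role = jwt_role(value)
        if role == "anon":
            return "public"        # Supabase anon key: meant for the client, RLS still applies
        if role == "service_role":
            return "critical"      # bypasses row-level security: whoever has it owns the DB
        return base_severity       # some other JWT: leave for manual review
    if base_severity == "critical" and is_doc_path(path):
        return "example"           # e.g. BEGIN PRIVATE KEY in a README; listed, not hidden
    return base_severity

def scan(files: dict) -> list:
    """files maps repo path -> file text (what a pasted snippet or zip would give)."""
    findings = []
    for path, text in files.items():
        if is_env_file(path):
            findings.append(Finding("committed_env_file", path, 0, "critical", "(file present)"))
        for lineno, line in enumerate(text.splitlines(), 1):
            for rule, rx, sev in COMPILED:
                for m in rx.finditer(line):
                    value = m.group(0)
                    findings.append(Finding(rule, path, lineno, classify(rule, sev, path, value), mask(value)))
    return findings

def report(findings: list) -> dict:
    """Risk summary: number of findings per severity bucket, most severe first."""
    return {s: sum(1 for f in findings if f.severity == s) for s in SEVERITY_ORDER}

def _fake_jwt(role: str) -> str:
    """Unsigned, JWT-shaped token for the constructed sample repo below."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([b64({"alg": "HS256", "typ": "JWT"}), b64({"role": role, "iss": "supabase"}), "sigsigsigsigsig"])

# Constructed sample repo; every value in it is fake.
SAMPLE_REPO = {
    "src/stripe.ts": 'const stripe = new Stripe("sk_live_EXAMPLEEXAMPLEEXAMPLE00");\n'
                     'export const PUBLISHABLE = "pk_live_EXAMPLEEXAMPLEEXAMPLE00";\n',
    "src/db.ts": 'const SERVICE = "%s";\n' % _fake_jwt("service_role"),
    "app/page.tsx": 'const anon = "%s";\n' % _fake_jwt("anon"),
    "config.py": 'password = "hunter22"\n',
    ".env": "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",
    "README.md": "Paste a key like this:\n-----BEGIN PRIVATE KEY-----\nMIIE...\n",
}

if __name__ == "__main__":
    found = scan(SAMPLE_REPO)
    print("risk summary:", report(found))
    for f in sorted(found, key=lambda f: SEVERITY_ORDER.index(f.severity)):
        print(f"[{f.severity:8}] {f.path}:{f.line} {f.rule} {f.masked}")
```

Run it and the sample repo yields four critical findings (the sk_live_ key, the service_role JWT, the committed .env and the AWS key inside it), one high (the hardcoded password), one example (the private-key header in README.md) and two public false positives (the pk_ key and the anon JWT). Only masked values are ever kept, which is what lets a report like this be stored with a short TTL without becoming a second copy of the leak.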

Stack

Next.js (App Router) + Tailwind + Supabase. The LLM call is server-side only (keys never touch the client), secrets are masked before storage, and results expire on a short TTL.

I'd love your take

I'm trying to figure out whether this is actually useful to other people or just to anxious me:

Does this solve a real pain for you? Would you pay for it (and if so, how much)? And — what's the most embarrassing thing you've almost shipped? 🙂

Top comments (2)

Satyam Shree

There are two types of developers: those who've almost shipped secrets to prod, and those who haven't checked their git history closely enough. 😅 Great build.

한솔

Ha, the second type is exactly who I built it for 😅 — that "it's gitignored… right?" moment hits way too often. If you ever point it at an old repo, I'd genuinely love to hear what skeletons it digs up.