We've all seen the horror stories: someone leaks an API key and wakes up to a $30k cloud bill, or accidentally publishes private code that's now public forever. And with AI tools making everyone ship faster than ever, it's happening more — not less.
Here's the part that surprised me. Most security tools scan your source code or your commits. But a lot of the worst leaks happen somewhere else entirely: in the published package — the exact files npm actually sends out.
Earlier this year, a major AI company accidentally shipped its own source code in an npm package — around 500,000 lines, exposed through a source map that slipped into the build. Their code scanners didn't catch it, because the mistake wasn't in the code. It was in what got packaged.
That gap bugged me, so I built a tiny tool for it.
LeakGate
It runs right before you publish and checks exactly the files npm would actually send (the npm pack file list) for things you never want to go public:
- Hardcoded keys — AWS, Stripe, OpenAI, Anthropic, Google, GitHub, Slack
- Database URLs with passwords, and private key blocks
- Dangerous files — .env, source maps, .git, .pem/.key, DB dumps, .npmrc
One command, no config:
npx leakgate
Example output on a messy project:
LeakGate — pre-publish safety check
Checked 5 files that npm would publish.
✗ Stop — found 2 serious problems.
CRITICAL Stripe live secret key
in src/index.js:2 (sk_liv…fGh)
→ Remove it and roll the key in your Stripe dashboard.
CRITICAL Environment secrets file (.env)
in .env
→ Add the .env file to your .npmignore / .gitignore so it is never published.
It exits with code 1 when it finds something, so you can wire it into prepublishOnly or CI to block a risky release.
The part that made me laugh
While pushing LeakGate to GitHub, GitHub's own secret scanner blocked my push — it caught the fake test secrets in my test fixtures. Two scanners doing their job, and the tool basically proved its own point before it even launched. 😅
Honest status
It's free and open source (MIT), and it's an early v0.1 — npm/JavaScript only for now. Bigger tools like Snyk and GitGuardian do far more at the org level; LeakGate is deliberately the tiny, zero-setup "check before you ship" piece I wanted for myself.
If you publish to npm, give it a run before your next release. And I'd genuinely love feedback: would you use this before publishing, and what should I add next? (More languages? A "fix it for me" mode? Continuous watching?)