The latest articles on DEV Community by BLIQ_kr (@bliq_kr). https://dev.to/bliq_kr https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3989482%2Ff0d52cc9-b538-4e2d-b17e-ca201b707e23.png https://dev.to/bliq_kr en BLIQ_kr Wed, 17 Jun 2026 16:56:39 +0000 https://dev.to/bliq_kr/the-api-keys-you-almost-shipped-to-prod-and-the-free-scanner-i-built-to-catch-them-4737 https://dev.to/bliq_kr/the-api-keys-you-almost-shipped-to-prod-and-the-free-scanner-i-built-to-catch-them-4737 <p>I'm a solo maker shipping small apps, often with AI writing most of the code. The thing that kept me up at night: right before launch it's <em>really</em> easy to leave a live API key or an obvious vulnerability sitting in the codebase — especially when you didn't hand-write every line and you're moving fast.</p> <p>So I built a small tool to catch that before it goes public. It's called <strong>presec</strong>.</p> <h2> What it does </h2> <p>You paste your code (or drop a zip), and it runs two passes on the server:</p> <ol> <li> <strong>Regex rules</strong> scan for exposed secrets — AWS, Stripe <code>sk_live_</code>, OpenAI / Anthropic keys, Google, GitHub tokens, private keys, hardcoded passwords, committed <code>.env</code> files, etc. Public-intent keys like Stripe <code>pk_</code> or a Supabase <code>anon</code> JWT get classified as <em>false positives</em> so the tool doesn't cry wolf.</li> <li> <strong>Selected snippets</strong> go to an LLM to flag critical vulnerabilities and return the <strong>top 3 prioritized fixes</strong> with code.</li> </ol> <p>You get one report: risk summary → exposed secrets (masked) → critical vulns → top 3 fixes. ~1 minute, free, no login.</p> <blockquote> <p>It's an <strong>assistive check, not a full security audit</strong> — I'm clear about that in the tool itself. It's for catching the obvious, embarrassing stuff before strangers see it.</p> </blockquote> <h2> The leaks it keeps catching </h2> <ul> <li> <strong>Admin / service-role keys in the repo.</strong> A Supabase <code>service_role</code> key (anything that bypasses row-level security) in your code is game over — whoever has it owns your DB.</li> <li> <strong>The classic committed <code>.env</code>.</strong> It's <code>.gitignore</code>d… except that one time it wasn't.</li> <li> <strong>Hardcoded <code>password=</code> / <code>secret=</code></strong> left over from "I'll fix it later."</li> <li> <strong>Public vs secret confusion</strong> — people panic over a <code>pk_</code> (it's fine, it's public) while a real <code>sk_live_</code> sits two lines down.</li> </ul> <p>Funny aside: when I scanned presec's <em>own</em> repo, it flagged the example <code>-----BEGIN PRIVATE KEY-----</code> string in my README as a critical leak. So example patterns in docs are a false-positive category I still need to handle. Dogfooding works.</p> <h2> Stack </h2> <p>Next.js (App Router) + Tailwind + Supabase. The LLM call is server-side only (keys never touch the client), secrets are masked before storage, and results expire on a short TTL.</p> <h2> I'd love your take </h2> <p>I'm trying to figure out whether this is actually useful to other people or just to anxious me:</p> <ul> <li>Try it: <a href="https://presec.vercel.app" rel="noopener noreferrer">https://presec.vercel.app</a> </li> <li>30-second feedback: <a href="https://tally.so/r/44G5kY" rel="noopener noreferrer">https://tally.so/r/44G5kY</a> </li> </ul> <p>Does this solve a real pain for you? Would you pay for it (and if so, how much)? And — what's the most embarrassing thing you've <em>almost</em> shipped? 🙂</p> showdev security webdev buildinpublic