The latest articles on DEV Community by Shibbir Ahmed (@creativeartbd). https://dev.to/creativeartbd https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F292859%2Fe5c3e16d-1825-46ba-bb3b-fe84c21e4111.jpeg https://dev.to/creativeartbd en Shibbir Ahmed Mon, 22 Jun 2026 07:59:27 +0000 https://dev.to/creativeartbd/i-built-a-tool-that-catches-leaked-secrets-before-npm-publish-then-github-caught-mine-can https://dev.to/creativeartbd/i-built-a-tool-that-catches-leaked-secrets-before-npm-publish-then-github-caught-mine-can <p>We've all seen the horror stories: someone leaks an API key and wakes up to a $30k cloud bill, or accidentally publishes private code that's now public forever. And with AI tools making everyone ship faster than ever, it's happening more — not less.</p> <p>Here's the part that surprised me. Most security tools scan your <strong>source code</strong> or your <strong>commits</strong>. But a lot of the worst leaks happen somewhere else entirely: in the <strong>published package</strong> — the exact files npm actually sends out.</p> <p>Earlier this year, a major AI company accidentally shipped its own source code in an npm package — around 500,000 lines, exposed through a source map that slipped into the build. Their code scanners didn't catch it, because the mistake wasn't <em>in</em> the code. It was in what got <em>packaged</em>.</p> <p>That gap bugged me, so I built a tiny tool for it.</p> <h2> LeakGate </h2> <p>It runs right before you publish and checks <strong>exactly the files npm would actually send</strong> (via <code>npm pack</code>), for things you never want to go public:</p> <ul> <li>Hardcoded keys — AWS, Stripe, OpenAI, Anthropic, Google, GitHub, Slack</li> <li>Database URLs with passwords, and private key blocks</li> <li>Dangerous files — <code>.env</code>, source maps, <code>.git</code>, <code>.pem</code>/<code>.key</code>, DB dumps, <code>.npmrc</code> </li> </ul> <p>One command, no config:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npx leakgate </code></pre> </div> <p>Example output on a messy project:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>LeakGate — pre-publish safety check Checked 5 files that npm would publish. ✗ Stop — found 2 serious problems. CRITICAL Stripe live secret key in src/index.js:2 (sk_liv…fGh) → Remove it and roll the key in your Stripe dashboard. CRITICAL Environment secrets file (.env) in .env → Add the .env file to your .npmignore / .gitignore so it is never published. </code></pre> </div> <p>It exits with code 1 when it finds something, so you can wire it into <code>prepublishOnly</code> or CI to <strong>block</strong> a risky release.</p> <h2> The part that made me laugh </h2> <p>While pushing LeakGate to GitHub, <strong>GitHub's own secret scanner blocked my push</strong> — it caught the fake test secrets in my test fixtures. Two scanners doing their job, and the tool basically proved its own point before it even launched. 😅</p> <h2> Honest status </h2> <p>It's free and open source (MIT), and it's an early <strong>v0.1</strong> — npm/JavaScript only for now. Bigger tools like Snyk and GitGuardian do far more at the org level; LeakGate is deliberately the tiny, zero-setup "check before you ship" piece I wanted for myself.</p> <ul> <li>npm: <a href="https://www.npmjs.com/package/leakgate" rel="noopener noreferrer">https://www.npmjs.com/package/leakgate</a> </li> <li>Code: <a href="https://github.com/creativeartbd/leakgate" rel="noopener noreferrer">https://github.com/creativeartbd/leakgate</a> </li> </ul> <p>If you publish to npm, give it a run before your next release. And I'd genuinely love feedback: <strong>would you use this before publishing, and what should I add next?</strong> (More languages? A "fix it for me" mode? Continuous watching?)</p> javascript security showdev tooling