DEV Community: thunderbird The latest articles on DEV Community by thunderbird (@thund3rbird). https://dev.to/thund3rbird https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3997687%2Fa7590ab0-a5cf-48b0-850b-5669d7320497.png DEV Community: thunderbird https://dev.to/thund3rbird en I built a live secret scanner for VS Code (and why CI scanning is too late) thunderbird Mon, 22 Jun 2026 23:35:30 +0000 https://dev.to/thund3rbird/i-built-a-live-secret-scanner-for-vs-code-and-why-ci-scanning-is-too-late-46f5 https://dev.to/thund3rbird/i-built-a-live-secret-scanner-for-vs-code-and-why-ci-scanning-is-too-late-46f5 <p>We've all done it: pasted an API key into a file "just to test," then a week later<br> it's in your git history, a screenshot, or a livestream. Most secret scanners β€”<br> gitleaks, trufflehog β€” run in CI, <strong>after</strong> the secret is already committed.</p> <p>So I built <strong>Secret Guardian</strong>, a VS Code extension that catches secrets <em>live, in<br> the editor</em>, the moment they appear β€” and visually <strong>masks</strong> them so they never show<br> up in screenshots or screen-shares.</p> <p>πŸ‘‰ <strong><a href="https://marketplace.visualstudio.com/items?itemName=thund3rbird.secret-guardian" rel="noopener noreferrer">Secret Guardian on the VS Code Marketplace</a></strong> (free)</p> <h3> What it does </h3> <ul> <li>Detects 17+ secret types as you type: AWS, GitHub, GitLab, Google, Slack, Stripe, OpenAI, SendGrid, Twilio, npm tokens, private keys, JWTs, credentials in URLs.</li> <li>A generic <strong>high-entropy</strong> rule catches the long-tail.</li> <li>Masks detected secrets with a lock overlay β€” safe for demos.</li> <li>Flags everything in the Problems panel + a one-click workspace scan.</li> <li>100% local. Nothing leaves your machine.</li> </ul> <h3> How detection works </h3> <p>Two layers: tight <strong>regexes</strong> for known formats (e.g. <code>AKIA…</code>, <code>ghp_…</code>), and an<br> <strong>entropy + context</strong> check for unknown secrets (high Shannon entropy assigned to a<br> secret-like name), with placeholders like <code>your_api_key</code> filtered out.</p> <h3> Try it </h3> <p>Install from the <strong><a href="https://marketplace.visualstudio.com/items?itemName=thund3rbird.secret-guardian" rel="noopener noreferrer">Marketplace</a></strong>,<br> open a file, paste a fake key. I'd love feedback on accuracy and false positives.</p> security showdev tooling vscode