Introducing SecureLint: Real-Time API Key & Secret Detection for Developers

VAPTlabs — Wed, 06 May 2026 14:14:11 +0000

Every developer has done it. You paste an AWS key into a Jira ticket, a GitHub issue, or a Notion doc — and five seconds later you realize what you just did.

By then, someone's already scanning public repositories, tickets, and Slack exports for exactly that pattern.

I built SecureLint to make that mistake impossible.

What is SecureLint?
SecureLint is a Chrome extension that watches every text field you type into — GitHub Issues, Jira, Notion, ChatGPT, Gmail, VS Code Web, your internal tools — and instantly detects and masks sensitive data before it can be seen.

It runs 100% locally in your browser. Nothing you type is ever sent to any server (for Free and Pro users). Zero telemetry. Zero page content collection.

The Real-World Problem
Consider these scenarios every developer faces weekly:

Pasting a database URL into a Slack message to ask for help debugging
Writing a blog post with a "placeholder" key that turns out to be real
Copying an .env file content into a GitHub issue
Typing an OpenAI API key into a ChatGPT prompt to ask about the API
Tools like GitGuardian and truffleHog catch keys after they hit your git history. SecureLint catches them as you type them, before they ever leave your keyboard.

How It Works
SecureLint injects a lightweight content script that monitors:

Standard and fields
contenteditable elements (Notion, Confluence, Linear, etc.)
Rich text editors: CodeMirror, Monaco, Ace, TinyMCE, CKEditor
Webmail compose windows (Gmail, Outlook, Yahoo Mail)
The moment it detects a secret pattern, it:

Masks it visually → AKIA*XXXX or sk-* depending on your masking mode
Shows a severity badge on the editor overlay
Fires a notification (optional, can be disabled from Settings)
All of this happens in under 50ms, using pure regex pattern matching — no network calls, no ML model loading.

100+ Detection Patterns
SecureLint knows what secrets look like across the entire ecosystem:

Category Examples
🔴 Critical
AWS access keys, GCP service accounts, RSA/EC private keys, PGP keys
🟠 High
Passwords, OAuth tokens, JWT secrets, database URLs (MongoDB, Redis, Postgres)
🟡 Medium
Email addresses, SSNs, Aadhaar numbers, credit card patterns, phone numbers
🔵 Low
Generic tokens, test credentials, low-entropy identifiers
Platforms covered include: AWS, GCP, Azure, GitHub, GitLab, Stripe, Twilio, SendGrid, Slack, OpenAI, HuggingFace, Cloudflare, Vercel, and 80+ more.

Context-Aware Masking Modes
Not all masking is equal. SecureLint has four modes:

Smart (default) — partial masking (sk-1234*5678) so you can still debug
Full — complete redaction (API_KEY***) for content writing and docs
Compliance-Safe — formats masking to match GDPR/PCI-DSS audit log requirements
Context-Aware — auto-detects dev vs content writing mode based on URL and element type
You pick the mode once in Settings. It applies everywhere.

Editor Overlay
Every editor you interact with gets a small icon in the bottom-right corner showing:

Live count of detected secrets, colour-coded by severity
Hover to see exactly what was detected and the risk level
Non-intrusive — disappears when you leave the field
No popups mid-typing. No interruptions. Just a silent safety net.

Webmail DLP (Gmail, Outlook, Yahoo)
SecureLint adds a Data Loss Prevention layer for your email:

Detects secrets in your compose window before you hit Send
Shows a warning banner if sensitive content is detected
For Enterprise users: checks whether the recipient is outside your organisation domain
All checks are local — the email body is never transmitted anywhere.

Privacy First (By Design)
For Free and Pro users:

All detection and masking is 100% local JavaScript in your browser
No page content, secrets, or typed text is ever sent anywhere
Only your extension preferences are synced if you create an optional account
For Enterprise users:

Masked incident reports (AKIA****XXXX) are sent to your org's admin dashboard only when your IT admin explicitly enables this feature
Raw secret values are never transmitted — only masked previews
The feature is OFF by default and shows a visible banner when active
Full details: securelint.in/privacy

Enterprise Features
If you're an IT or security admin managing a team:

Centralised incident reporting — see which employees are pasting credentials where
Secret type + severity + masked preview + site URL all in one dashboard
Trigger rotation alerts before a leaked key causes damage
Meets DLP and compliance requirements (SOC 2, ISO 27001 workflows)
Deploy via Chrome policy for the whole org — no manual install per device
Permissions — Fully Explained
SecureLint requests only what it needs, and nothing more:

Permission Why
Access to all websites
Secrets can appear on any site — GitHub, Jira, Notion, ChatGPT, your internal tools
Storage
Saves your settings locally
Notifications
Optional alert when a Critical secret is detected (can be disabled)
Tabs
Pushes setting changes to open tabs without requiring a page reload
Downloads
Only used when you export an audit log report
Context menus
Adds "Scan page" and "Mask selected text" right-click options
No programmatic script injection. All scripts load from the manifest as standard content scripts.

Install It Free
→ Add SecureLint to Chrome (Free)

Free plan includes:

Full secret detection across all sites
Auto-masking in textareas, editors, and inputs
Overlay UI with severity breakdown
All 100+ detection patterns
Pro and Enterprise plans unlock advanced masking modes, analytics dashboard, and centralised reporting.

What's Next
Browser extension for Firefox (in progress)
VS Code extension (coming soon)
Slack bot integration for team alerts
SOC 2 compliance report exports
If you've ever had that sinking feeling after accidentally pasting a secret somewhere public — this extension exists so you never feel that again.

Install SecureLint →

Built by VAPTLabs · contact@vaptlabs.com

DEV Community: VAPTlabs

Introducing SecureLint: Real-Time API Key & Secret Detection for Developers