It was 11 PM on a Tuesday. I was browsing my old repos when curiosity hit me.
What if I scanned my public repos for secrets?
The Experiment
I installed a free CLI tool and pointed it at my GitHub repos:
npm i -g @wuchunjie/dotguard
dotguard --recursive ~/projects/
The results made my stomach drop.
Finding #1: AWS Access Key
A test file from 2024 had a hardcoded AWS key with S3 read access. The key was revoked months ago, but still — anyone could have found it.
Finding #2: Database Password
A config.example.js that wasn't an example at all. Real MongoDB connection string. Production credentials.
Finding #3: Stripe Test Key
Not as dangerous, but still leaked business logic and endpoint paths that shouldn't be public.
How dotguard Works
# Scan current directory
dotguard
# Scan specific path
dotguard --path ./src
# Generate report
dotguard --report json > security-report.json
It checks:
- .env and .env.* files
- Config files (JSON, YAML, TOML)
- Source code (grep for key patterns)
- Git history (committed secrets stay forever)
What I Did After
- Rotated all exposed credentials
- Set up .gitignore properly
- Added dotguard to CI pipeline
- Wrote a post-mortem for my team
Don't Be Like Me
Run this right now:
npx @wuchunjie/dotguard
If it finds nothing — great. If it finds something — you're welcome.
Have you ever found secrets in your repo? What happened?