We've all done it: pasted an API key into a file "just to test," then a week later
it's in your git history, a screenshot, or a livestream. Most secret scanners
(gitleaks, trufflehog) run in CI, after the secret is already committed.
So I built Secret Guardian, a VS Code extension that catches secrets live, in
the editor, the moment they appear, and visually masks them so they never show
up in screenshots or screen-shares.
Secret Guardian on the VS Code Marketplace (free)
What it does
- Detects 17+ secret types as you type: AWS, GitHub, GitLab, Google, Slack, Stripe, OpenAI, SendGrid, Twilio, npm tokens, private keys, JWTs, credentials in URLs.
- A generic high-entropy rule catches the long-tail.
- Masks detected secrets with a lock overlay, so they are safe for demos.
- Flags everything in the Problems panel + a one-click workspace scan.
- 100% local. Nothing leaves your machine.
How detection works
Two layers: tight regexes for known formats (e.g. AKIA…, ghp_…), and an
entropy + context check for unknown secrets (a high-Shannon-entropy value
assigned to a secret-like name), with placeholders like your_api_key filtered out.
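A minimal version of those two layers in plain JavaScript, added here as an illustration and not Secret Guardian's own code. The regexes, the secret-name and placeholder lists, the 3.5 bits/char threshold and the sample lines are all my own assumptions; the AWS and GitHub token shapes are the documented public formats.

```javascript
// Added example, not Secret Guardian's code: the two layers described above.
// Thresholds, name/placeholder lists and the sample input are assumptions.
const KNOWN_FORMATS = [ // layer 1: tight regexes for well-known token formats
  { type: "aws-access-key-id", re: /\bAKIA[0-9A-Z]{16}\b/g },
  { type: "github-pat", re: /\bghp_[A-Za-z0-9]{36}\b/g },
];
// Layer 2: a long token-like value assigned to a secret-looking name.
const ASSIGNMENT = /\b([A-Za-z_][A-Za-z0-9_]*)\s*[:=]\s*["']?([A-Za-z0-9+\/=_\-]{20,})["']?/g;
const SECRET_NAME = /(key|secret|token|passw(or)?d|pwd|auth|credential)/i;
const PLACEHOLDER = /^(your_|xxx|example|changeme|placeholder|todo|dummy)/i;
const ENTROPY_THRESHOLD = 3.5; // bits per character (assumed value)
// Shannon entropy of a string in bits per character.
function shannonEntropy(s) {
  const counts = [...s].reduce((m, c) => m.set(c, (m.get(c) || 0) + 1), new Map());
  return [...counts.values()].reduce((h, n) => h - (n / s.length) * Math.log2(n / s.length), 0);
}
function scanText(text) {
  const findings = [];
  text.split("\n").forEach((line, i) => {
    const lineNo = i + 1;
    for (const { type, re } of KNOWN_FORMATS) {
      for (const m of line.matchAll(re)) findings.push({ line: lineNo, type, value: m[0] });
    }
    for (const m of line.matchAll(ASSIGNMENT)) {
      const [, name, value] = m;
      if (!SECRET_NAME.test(name) || PLACEHOLDER.test(value)) continue;
      if (shannonEntropy(value) < ENTROPY_THRESHOLD) continue;
      // Skip values layer 1 already reported so a known key is not flagged twice.
      if (findings.some((f) => f.line === lineNo && value.includes(f.value))) continue;
      findings.push({ line: lineNo, type: "high-entropy", value });
    }
  });
  return findings;
}
// Screen-share safe rendering: keep a short prefix so the owner still recognises the key.
function mask(value, keep = 4) {
  return value.slice(0, keep) + "\u2022".repeat(Math.max(0, value.length - keep));
}
// Constructed sample: two known formats, a placeholder, a low-entropy value, an unknown token, a plain string.
const SAMPLE = [
  'AWS_ACCESS_KEY_ID = "AKIAABCDEFGHIJKLMNOP"',
  'GITHUB_TOKEN=ghp_abcdefghijklmnopqrstuvwxyz0123456789',
  'api_key = "your_api_key_goes_here_12345"',
  'const password = "aaaaaaaaaaaaaaaaaaaaaaaa";',
  'db_token: "Zq8Lt3Xm9Yw2Pv7Kd4Rn6Bh1Sj5Cg0Fa"',
  'const greeting = "hello world";',
].join("\n");
for (const f of scanText(SAMPLE)) console.log(`line ${f.line}: ${f.type} ${mask(f.value)}`);
```

Only three of the six sample lines are reported: the placeholder is dropped by name, the repeated-character password by entropy, and the AWS key is reported once even though both layers match it.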
Try it
Install from the Marketplace, open a file, paste a fake key. I'd love feedback on accuracy and false positives.