DevOpsil

Secrets Leak Detection API

Secrets Leak Detection scans any text payload — code, config files, logs, PR diffs, environment dumps — and returns every exposed credential it finds, along with the secret type, severity, and a redacted preview.

Quick start →View DocsPOST https://devopsil.com/api/v1/secrets/scan

What is it?

Secrets Leak Detection scans any text payload — code, config files, logs, PR diffs, environment dumps — and returns every exposed credential it finds, along with the secret type, severity, and a redacted preview. It accepts a single JSON payload and returns a structured response in milliseconds — no agents, plugins, or background workers required. The API is designed for synchronous, real-time use: call it inline in your request handler, CI step, or event pipeline and act on the result immediately.

Why do you need it?

Problem

  • Developers accidentally commit API keys, tokens, and passwords to git — often in .env files, config templates, or copy-pasted test data.
  • Secrets end up in log aggregators when request bodies or error messages are logged without sanitization.
  • CI/CD pipelines expose secrets in build artifacts, Docker layers, and environment variable dumps that are archived for months.

Consequence

  • An exposed AWS key can incur $50,000+ in unauthorized compute charges before the breach is detected — attacker spins up GPU mining farms within minutes of finding the key.
  • A leaked database connection string gives an attacker direct read/write access — a single exposed production DB credential can result in a full data breach requiring breach notification to every affected user.
  • A stolen Stripe secret key allows an attacker to initiate payouts to their own account — funds transferred are rarely recoverable.

Solution

  • Pre-commit and CI/CD scanning catches secrets before they ever reach a remote repository or build log.
  • 500+ secret patterns covering every major cloud provider, payment processor, source control platform, and communication service.
  • Structured JSON response with type, severity, line number, and redacted preview — actionable in any automation pipeline.

Use cases

Pre-commit hook secret scanning

Run a scan on every git diff before the commit is created. Block the commit if any CRITICAL or HIGH severity secrets are found.

Node.js — pre-commit hook

const API_KEY = process.env.DEVOPSIL_API_KEY;
const { execSync } = require('child_process');

const diff = execSync('git diff --cached').toString();

const result = await fetch('https://devopsil.com/api/v1/secrets/scan', {
  method: 'POST',
  headers: {
    Authorization: `Bearer ${API_KEY}`,
    'Content-Type': 'application/json',
  },
  body: JSON.stringify({ content: diff, context: 'git-diff' }),
}).then(r => r.json());

If result.findings.some(f => ['CRITICAL','HIGH'].includes(f.severity)), print the findings and process.exit(1) to block the commit.

CI/CD pipeline gate

Scan the entire repository or build output at the start of every CI run. Fail the pipeline if secrets are found so they never reach staging or production.

Node.js — CI scan step

const API_KEY = process.env.DEVOPSIL_API_KEY;
const fs = require('fs');

// Scan all staged files as one payload
const content = fs.readFileSync('build-output.txt', 'utf8');

const result = await fetch('https://devopsil.com/api/v1/secrets/scan', {
  method: 'POST',
  headers: {
    Authorization: `Bearer ${API_KEY}`,
    'Content-Type': 'application/json',
  },
  body: JSON.stringify({ content, context: 'ci-build' }),
}).then(r => r.json());

if (result.findings.length > 0) process.exit(1);

result.findings has type, severity, line_number, and redacted_value for each secret. Print them as CI annotations.

Incoming payload scanning

Scan user-submitted content (support tickets, form submissions, API request bodies) before storing it, to prevent accidental secret ingestion.

Node.js — scan before storing

const API_KEY = process.env.DEVOPSIL_API_KEY;

async function scanBeforeStore(userContent: string) {
  const result = await fetch('https://devopsil.com/api/v1/secrets/scan', {
    method: 'POST',
    headers: {
      Authorization: `Bearer ${API_KEY}`,
      'Content-Type': 'application/json',
    },
    body: JSON.stringify({ content: userContent }),
  }).then(r => r.json());

  return result;
}

If findings exist, warn the user before storing, or strip/redact the secrets using result.findings[].redacted_value positions.

Log pipeline secret filtering

Scan log lines before indexing in Elasticsearch or Datadog. Route lines with secrets to a quarantine index instead of the main log stream.

Node.js — log pipeline filter

const API_KEY = process.env.DEVOPSIL_API_KEY;

async function filterLogBatch(lines: string[]) {
  const result = await fetch('https://devopsil.com/api/v1/secrets/scan', {
    method: 'POST',
    headers: {
      Authorization: `Bearer ${API_KEY}`,
      'Content-Type': 'application/json',
    },
    body: JSON.stringify({ content: lines.join('\n'), context: 'log-stream' }),
  }).then(r => r.json());

  return result.findings.map(f => f.line_number);
}

Collect quarantined line numbers. Index clean lines to main; route flagged lines to a restricted quarantine index for review.

PR review automation

Scan PR diffs as part of your GitHub Actions workflow and post inline review comments on any line containing a secret.

Node.js — GitHub Actions PR scan

const API_KEY = process.env.DEVOPSIL_API_KEY;

const prDiff = await fetchPrDiff(prNumber); // your GitHub API call

const result = await fetch('https://devopsil.com/api/v1/secrets/scan', {
  method: 'POST',
  headers: {
    Authorization: `Bearer ${API_KEY}`,
    'Content-Type': 'application/json',
  },
  body: JSON.stringify({ content: prDiff, context: 'pr-diff' }),
}).then(r => r.json());

for (const finding of result.findings) {
  await postReviewComment(prNumber, finding.line_number, finding.type);
}

Post a blocking PR review comment per finding. Block merge until secrets are removed and re-scan passes.

Secret health dashboard

Schedule daily scans of your configuration repositories and surface a rolling count of secrets found per repo per week for security reporting.

Node.js — scheduled repo scan

const API_KEY = process.env.DEVOPSIL_API_KEY;

const repoContent = await cloneAndReadRepo('acme/config-repo');

const result = await fetch('https://devopsil.com/api/v1/secrets/scan', {
  method: 'POST',
  headers: {
    Authorization: `Bearer ${API_KEY}`,
    'Content-Type': 'application/json',
  },
  body: JSON.stringify({ content: repoContent, context: 'repo-audit' }),
}).then(r => r.json());

await db.insert('scan_results', { repo: 'config-repo', findings: result.findings, ts: new Date() });

Aggregate result.findings by severity over time. Display trending charts in your security dashboard to show reduction progress.

Detected secret types

CategoryExamplesSeverity
Cloud provider keysAWS_ACCESS_KEY, GCP service account JSON, Azure SAS tokenCRITICAL
Source control tokensGitHub PAT, GitLab token, Bitbucket app passwordHIGH
Payment processor keysStripe secret key, PayPal client secret, Braintree tokenCRITICAL
Database connection stringspostgres://, mongodb+srv://, redis://CRITICAL
Communication service keysTwilio auth token, SendGrid API key, Mailgun keyHIGH
OAuth client secretsGoogle OAuth secret, GitHub OAuth app secretHIGH
Private keys / certificatesRSA private key, PEM cert, JWT signing secretCRITICAL
Generic high-entropy stringsBase64 blobs > 40 chars matching entropy thresholdMEDIUM

How the API works

All requests use Bearer authentication. Your API key starts with sec_. Get one at /dashboard/api-keys.

Request

{
  "content": "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\nexport AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\nconst stripeKey = 'sk_live_4eC39HqLyjWDarjtT1zdp7dc';",
  "context": "git-diff"
}

Response

{
  "scan_id": "scn_8x2mp9qz",
  "findings": [
    {
      "type": "AWS_ACCESS_KEY",
      "severity": "CRITICAL",
      "line_number": 1,
      "column_start": 25,
      "redacted_value": "AKIA***EXAMPLE",
      "remediation": "Rotate this key immediately in the AWS IAM console and remove from source."
    },
    {
      "type": "AWS_SECRET_ACCESS_KEY",
      "severity": "CRITICAL",
      "line_number": 2,
      "column_start": 28,
      "redacted_value": "wJal***EKEY",
      "remediation": "Rotate this key immediately in the AWS IAM console."
    },
    {
      "type": "STRIPE_SECRET_KEY",
      "severity": "CRITICAL",
      "line_number": 3,
      "column_start": 22,
      "redacted_value": "sk_live_***dc",
      "remediation": "Revoke this key in the Stripe dashboard immediately."
    }
  ],
  "total_findings": 3,
  "scan_duration_ms": 14,
  "context": "git-diff"
}

Quick start

1

Get your API key

Create a free account and generate a key at /dashboard/api-keys. Your key starts with sec_.

2

Make your first call

Node.js

const API_KEY = process.env.DEVOPSIL_API_KEY; // starts with sec_

const result = await fetch('https://devopsil.com/api/v1/secrets/scan', {
  method: 'POST',
  headers: {
    Authorization: `Bearer ${API_KEY}`,
    'Content-Type': 'application/json',
  },
  body: JSON.stringify({
    content: 'export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE',
    context: 'test',
  }),
}).then(r => r.json());

console.log(result.findings);
3

Act on the result

Node.js — handle response

if (result.findings.length === 0) {
  console.log('Clean — no secrets found.');
} else {
  for (const f of result.findings) {
    console.error(`[${f.severity}] ${f.type} at line ${f.line_number}: ${f.remediation}`);
  }
  process.exit(1); // fail CI / block commit
}

Frequently asked questions

Ready to integrate?

Free tier included. No credit card required.