A web application that scans websites for potential API keys, secrets, and sensitive information leaks. This tool helps developers and security professionals identify and fix security vulnerabilities in their web applications.
Pattern Sources: Detection patterns are loaded dynamically from GitLeaks and supplemented with custom patterns inspired by Keyleaksecret, all tuned for runtime web scanning (live pages, headers and intercepted traffic rather than a source repository).
- Comprehensive pattern detection: patterns loaded dynamically from GitLeaks, combined with custom patterns
- Scans web pages for common secret patterns (API keys, passwords, tokens, etc.)
- Checks response headers for sensitive information
- Validates security headers
- User-friendly web interface
- Real-time scanning results
- Categorizes findings by severity
- Pattern caching with a 24-hour refresh interval: once the cache expires, the updated pattern set is fetched on the next application restart, so a long-running instance keeps using its cached patterns until it is restarted
The easiest way to run KeyLeak Detector is with Docker. The image ships with all dependencies and the browser automation components (Chromium, Playwright, mitmproxy) pre-configured.
Quick Start:
# Clone the repository
git clone https://github.com/Amal-David/keyleak-detector.git
cd keyleak-detector
# Start with Docker Compose
docker compose up -d
# View logs
docker compose logs -f
# Stop the container
docker compose down
The application will be available at http://localhost:5002
Requirements:
- Docker 20.10+
- Docker Compose 2.0+
- 2GB RAM minimum
- 1GB disk space (image size: ~690MB)
Common Docker Commands:
# Check container status
docker compose ps
# Restart container
docker compose restart
# Rebuild after code changes
docker compose up -d --build
# View real-time logs
docker compose logs -f keyleak-detector
For detailed Docker instructions, deployment options, and troubleshooting, see DOCKER.md
- Clone this repository:
git clone https://github.com/Amal-David/keyleak-detector.git
cd keyleak-detector
- Install Poetry (if not installed):
curl -sSL https://install.python-poetry.org | python3 -
# Ensure Poetry is on PATH (restart shell or eval as needed)
Piping a remote script straight into an interpreter executes unreviewed code; if your policy requires it, download the installer first, inspect it, then run it.
- Install dependencies with Poetry:
poetry install
- Install Playwright browsers (required for scanning):
poetry run playwright install chromium
# Linux only: install Chromium's system dependencies
poetry run playwright install-deps chromium
- Alternative: using UV without managing a venv manually:
# Install dependencies from requirements.txt into a UV-managed environment
uv pip install -r requirements.txt
# Install Playwright browsers
uv run playwright install chromium
# Linux only:
uv run playwright install-deps chromium
If you're running with Docker, the application starts automatically:
docker compose up -d
Then open your web browser and navigate to http://localhost:5002
- Start the application (choose one):
# Poetry
poetry run python app.py
# UV (alternative)
uv run python app.py
- Open your web browser and navigate to:
http://localhost:5002
Note: The app listens on port 5002 instead of 5000 because the macOS AirPlay Receiver commonly occupies port 5000.
- Enter the URL you want to scan in the input field
- Click "Scan Now"
- Wait for the scan to complete (typically 30-60 seconds)
- View the results, which will show any potential security issues found organized by severity
The application uses a combination of browser automation and network traffic analysis to find secrets:
- Browser Automation: Uses Playwright to load the target website in a headless browser
- Network Monitoring: Intercepts HTTP requests and responses using mitmproxy
- Content Analysis: Analyzes JavaScript, HTML, headers, and dynamic content
- Pattern Matching: Uses regex patterns to detect various types of secrets
- Smart Filtering: Filters false positives using context-aware analysis
- Categorization: Groups findings by severity (Critical, High, Medium, Low)
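The pipeline above, as an added Python illustration (this is not KeyLeak Detector's own code): a hand-written subset of secret patterns with severities, a context-aware false-positive filter (placeholder markers, masked values, Shannon entropy), response-header checks for leaked tokens and missing security headers, and grouping of findings by severity. The sample JavaScript and headers are constructed; the rule names, entropy threshold and header lists are this example's choices, not the project's, and the patterns are not the GitLeaks rule set the project loads.

```python
"""Regex secret scanning over page content and response headers, with
context-aware false-positive filtering and severity grouping.
Added illustration; not KeyLeak Detector's code. Patterns are a hand-written
subset, not the GitLeaks rules the project imports."""
import math
import re
from collections import Counter
from dataclasses import dataclass

# (rule name, compiled regex, severity). Illustrative patterns only.
PATTERNS = [
    ("Private Key", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"), "Critical"),
    ("AWS Access Key ID", re.compile(r"\bAKIA[0-9A-Z]{16}\b"), "Critical"),
    ("Stripe Live Secret Key", re.compile(r"\bsk_live_[0-9a-zA-Z]{24,}\b"), "Critical"),
    ("JWT", re.compile(r"\beyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\b"), "High"),
    # Generic `apiKey = "<20+ chars>"` assignment; the value is capture group 1.
    ("Generic API Key", re.compile(r"(?i)\b(?:api[_-]?key|secret|token)\b\s*[:=]\s*[\"']([A-Za-z0-9_\-]{20,})[\"']"), "Medium"),
]
# Response headers whose presence alone leaks a credential.
SENSITIVE_HEADERS = {"authorization", "x-api-key", "x-auth-token", "x-amz-security-token"}
# Security headers a hardened response should carry; absence is reported as Low.
REQUIRED_SECURITY_HEADERS = {
    "strict-transport-security": "HSTS missing: downgrade to plain HTTP possible",
    "content-security-policy": "CSP missing: no script-source restrictions",
    "x-frame-options": "framing not restricted: clickjacking possible",
    "x-content-type-options": "nosniff missing: MIME sniffing possible",
}
PLACEHOLDER_MARKERS = ("example", "placeholder", "your_", "xxxx", "changeme", "dummy", "<", ">")

@dataclass
class Finding:
    kind: str
    severity: str
    secret: str      # redacted; the full value is never stored in the report
    context: str
    location: str

def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def is_false_positive(secret: str) -> bool:
    """Context-aware filter: placeholder words, masked values, low-entropy strings."""
    low = secret.lower()
    if any(marker in low for marker in PLACEHOLDER_MARKERS):
        return True
    if secret.startswith("-----BEGIN"):   # PEM header is fixed text; entropy is meaningless here
        return False
    return len(set(secret)) <= 3 or shannon_entropy(secret) < 3.0

def redact(secret: str) -> str:
    return secret if len(secret) <= 8 else f"{secret[:4]}...{secret[-4:]}"

def scan_text(text: str, location: str) -> list[Finding]:
    findings = []
    for name, rx, severity in PATTERNS:
        for m in rx.finditer(text):
            secret = m.group(m.lastindex or 0)   # group 1 when the rule captures a value
            if is_false_positive(secret):
                continue
            lo, hi = max(0, m.start() - 30), min(len(text), m.end() + 30)
            findings.append(Finding(name, severity, redact(secret), text[lo:hi].replace("\n", " "), location))
    return findings

def scan_headers(headers: dict[str, str], location: str) -> list[Finding]:
    lower = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name in sorted(SENSITIVE_HEADERS & lower.keys()):
        findings.append(Finding("Sensitive response header", "High", redact(lower[name]), f"{name}: <redacted>", location))
    for name, value in lower.items():   # catches e.g. a JWT inside Set-Cookie
        findings.extend(scan_text(f"{name}: {value}", f"{location} [header {name}]"))
    for name, reason in REQUIRED_SECURITY_HEADERS.items():
        if name not in lower:
            findings.append(Finding(f"Missing security header: {name}", "Low", "", reason, location))
    return findings

def run_scan(body: str, headers: dict[str, str], location: str) -> dict[str, list[Finding]]:
    report = {s: [] for s in ("Critical", "High", "Medium", "Low")}
    for f in scan_text(body, location) + scan_headers(headers, location):
        report[f.severity].append(f)
    return report

# Constructed sample page body and headers (not captured from any real site).
SAMPLE_JS = """const config = {
  awsAccessKeyId: "AKIAZ7Q4KXR3M9PLW2BD",
  stripe: "sk_live_9hT2mQx7Lp4vRk8nWz3bYc6d",
  apiKey: "your_api_key_here_12345",
  backup: "AKIAXXXXXXXXXXXXXXXX",
};"""
SAMPLE_HEADERS = {
    "Content-Type": "application/javascript",
    "Set-Cookie": "session=eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0In0.s1gn4tur3v4lu3; HttpOnly",
    "X-Api-Key": "k7Hq2mT9vL4pRw8nZc3bYd6f",
    "X-Content-Type-Options": "nosniff",
}

if __name__ == "__main__":
    for severity, items in run_scan(SAMPLE_JS, SAMPLE_HEADERS, "https://app.example/main.js").items():
        for f in items:
            print(f"[{severity}] {f.kind} at {f.location}: {f.secret} | {f.context}")
```

On the constructed sample this reports two Critical findings (the AWS and Stripe keys), two High (the X-Api-Key header and the JWT in Set-Cookie), no Medium, and three Low (missing HSTS, CSP and X-Frame-Options); the `your_api_key_here_12345` placeholder and the masked `AKIAXXXX...` value are dropped by the filter. Note that the filter's entropy threshold is a heuristic: a genuine but low-entropy secret would be suppressed, so a production scanner should expose such thresholds rather than hard-code them.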
The scanner detects a wide range of sensitive information including:
Cloud Provider Credentials:
- AWS Access Keys & Secret Keys
- Google API Keys & OAuth Tokens
- Google Cloud Service Account Keys
- Google Vertex AI API Keys
- Firebase API Keys
- Heroku API Keys
Service Credentials:
- Stripe API Keys
- Slack Tokens
- GitHub Tokens & OAuth
- GitLab Tokens
- Mailgun, Mailchimp, Twilio API Keys
- npm Tokens
LLM/AI Inference Provider Keys:
- OpenAI API Keys (GPT-4, ChatGPT, etc.)
- Anthropic API Keys (Claude)
- Google Gemini & Vertex AI API Keys
- Hugging Face Tokens
- Cohere API Keys
- OpenRouter API Keys
- Replicate API Keys
- Together AI API Keys
- Perplexity AI API Keys
- Mistral AI API Keys
- AI21 Labs API Keys
- Anyscale API Keys
- DeepInfra API Keys
- Groq API Keys
- Fireworks AI API Keys
Database Credentials:
- MongoDB, PostgreSQL, MySQL, Redis connection strings
- SQL Server connection strings
Authentication:
- JWT Tokens
- Bearer Tokens
- OAuth Tokens
- Session Tokens
- Basic Auth credentials
- API Keys
Sensitive Data:
- Private SSH Keys
- Credit Card Numbers
- Social Security Numbers
- Email Addresses
- Phone Numbers
Other:
- Webhook URLs
- Callback URLs
- Hardcoded passwords
- Encrypted credentials in JavaScript
When the scanner detects potential secrets, it provides:
- Severity classification (Critical, High, Medium, Low)
- Context information showing where the secret was found
- Actionable recommendations for remediation
- Best practices for secure credential management
FOR EDUCATIONAL AND AUTHORIZED TESTING PURPOSES ONLY
This tool is provided for educational purposes and authorized security testing only. By using this software, you agree to the following:
- You may ONLY scan websites and applications that you own or have explicit written permission to test
- Unauthorized scanning of third-party websites may be illegal in your jurisdiction
- The authors and contributors are NOT responsible for any misuse or damage caused by this tool
- Users are solely responsible for ensuring compliance with all applicable laws and regulations
- This tool is provided "AS IS" without warranty of any kind, express or implied
- The authors assume NO liability for any consequences resulting from the use or misuse of this software
By using KeyLeak Detector, you acknowledge that you have read, understood, and agreed to these terms. If you do not agree, do not use this tool.
- DO scan your own websites and applications
- DO scan websites where you have explicit written authorization
- DO use for security research with proper permissions
- DO use for educational purposes in controlled environments
- DON'T scan websites without explicit permission
- DON'T use for malicious purposes
- DON'T share or exploit found credentials
- Always obtain written permission before scanning any system
- Handle scan results securely and responsibly
- If you find valid credentials, rotate them immediately
- Report findings through responsible disclosure programs
- Be cautious when scanning production environments
- Understand and comply with applicable laws in your jurisdiction
THE AUTHORS AND CONTRIBUTORS OF THIS SOFTWARE DISCLAIM ALL LIABILITY FOR ANY MISUSE, DAMAGES, OR LEGAL CONSEQUENCES ARISING FROM THE USE OF THIS TOOL. USERS ASSUME FULL RESPONSIBILITY FOR THEIR ACTIONS.
This project uses detection patterns from:
- GitLeaks - Widely used open-source secret scanner. Its pattern database is imported dynamically for enhanced detection.
- Keyleaksecret - Additional pattern inspiration.
Thanks to these projects for their contributions, which helped us integrate better detection patterns and make our solution more comprehensive.
Contributions are welcome! Please feel free to:
- Fork the repository: https://github.com/Amal-David/keyleak-detector
- Create a feature branch: git checkout -b feature/AmazingFeature
- Commit your changes: git commit -m 'Add some AmazingFeature'
- Push to the branch: git push origin feature/AmazingFeature
- Open a Pull Request
Found a bug or have a feature request? Please open an issue on GitHub: https://github.com/Amal-David/keyleak-detector/issues
This project is licensed under the MIT License - see the LICENSE file for details.
Created and maintained by Amal David
