Free & open source

Stop secrets reaching GitHub

A git pre-commit hook that catches AWS keys, Stripe secrets, GitHub tokens, SSH keys and more before they leave your machine. Free. Zero network calls. Adds under 200ms to every commit.


$ npm install --save-dev @sealedkeys/scan

$ npx sealedkeys-scan install

✓ pre-commit hook installed

That's it. Every commit in this repo is now checked.

What a blocked commit looks like

When a secret is found, the commit is blocked and you see exactly what matched — masked so the secret isn't exposed in your terminal history.

git commit -m "add config"
🔴 SealedKeys Scan blocked this commit

src/config.js (line 14)
    Stripe Secret Key: sk_l••••••••3456

deploy/keys/id_rsa (line 1)
    SSH Private Key: -----BEGIN RSA PRIVATE KEY-----

2 issues found. Remove secrets before committing.

  Store secrets securely: https://sealedkeys.com
  False positive? Add the path to .sealedkeysscanignore

18 patterns — everything that matters

Covers the secrets that actually get committed — the ones that have caused real incidents.

AWS Access Key: AKIA••••••••MPLE
AWS Secret Key: aws_secret_access_key = ••••••
Stripe Secret Key: sk_live_••••••••3456
Stripe Restricted Key: rk_live_••••••••3456
GitHub Token (PAT): ghp_••••••••6789
GitHub OAuth Token: gho_••••••••6789
GitHub Actions Token: ghs_••••••••6789
GitHub Fine-Grained Token: github_pat_••••••••
SSH Private Key: -----BEGIN RSA PRIVATE KEY-----
Google API Key: AIza••••••••••••
Slack Webhook: hooks.slack.com/services/T••••
Slack API Token: xoxb-••••••••
Twilio API Key: SK••••••••••••••
SendGrid API Key: SG.••••••••••••
Database URL with password: postgres://user:••••@host
Generic secret assignment: api_key = "••••••••"
.pem / .key files: blocked by file extension
.env files: blocked by filename

Zero false positives on safe patterns

The most common complaint with secret scanners is noise. Scan automatically allowlists patterns that are safe by design — no configuration required.

process.env.API_KEY: Node.js env lookup
os.environ.get('SECRET'): Python env lookup
getenv('TOKEN'): PHP / C env lookup
${API_KEY}: Template literal
your-api-key-here: Placeholder
example.com in DB URLs: Example host
localhost in DB URLs: Local dev host

How it works

Runs as a git hook — before every git commit. Checks exactly what's being committed, not your working directory.

01. Gets staged files

Runs git diff --cached --name-only to find exactly what you're committing, not your working directory.

02. Reads staged content

Uses git show :path (the path relative to the repo root) to read each file at its staged revision. Unstaged edits in your working copy are neither scanned nor committed, so there is no way to slip a last-minute change past the hook.

03. Runs 18 patterns

Each line is checked against 18 regex patterns. Safe values (process.env lookups, template literals, placeholders) are allowlisted.

04. Blocks or passes

If anything matches, the hook exits non-zero, which blocks the commit, and prints a clear error showing the file, line and masked secret. Exit 0 if clean.

Under 200ms per commit · Zero network calls · No runtime dependencies

Ignore false positives

If a file legitimately contains something that matches — test fixtures, mock credentials, documentation — add it to .sealedkeysscanignore in your repo root.

.sealedkeysscanignore
# One path or pattern per line
tests/fixtures/
mocks/fake-credentials.js
docs/examples/
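The page gives the shape of the ignore file but not its exact matching rules. As an added example (not the project's own matcher), here is one plausible reading of it: `#` comments, directory prefixes that end in `/`, exact paths, plus a simple `*` / `**` glob, all compared against the root-relative path git reports. The glob support and the function names parseIgnore and isIgnored are assumptions, and the ignore file embedded below is constructed from the one above.

```javascript
// Added example, not the project's own matcher: one plausible reading of
// the .sealedkeysscanignore rules above (comments, directory prefixes,
// exact paths) plus simple `*` / `**` globs. The semantics are an assumption.
function parseIgnore(text) {
  return text.split("\n")
    .map((l) => l.trim())
    .filter((l) => l && !l.startsWith("#"))
    .map((rule) => {
      if (rule.endsWith("/")) return { kind: "dir", value: rule };
      if (rule.includes("*")) {
        // `*` matches within one path segment; `**` matches across segments.
        const re = rule.split("**").map((part) =>
          part.split("*").map((s) => s.replace(/[.+?^${}()|[\]\\]/g, "\\$&")).join("[^/]*")
        ).join(".*");
        return { kind: "glob", value: new RegExp(`^${re}$`) };
      }
      return { kind: "exact", value: rule };
    });
}

// Paths are compared relative to the repo root, as git reports them.
function isIgnored(file, rules) {
  const rel = file.replace(/^\.\//, "");
  return rules.some((r) =>
    r.kind === "dir" ? rel.startsWith(r.value) :
    r.kind === "glob" ? r.value.test(rel) :
    rel === r.value);
}

// Constructed ignore file mirroring the one above, plus one glob rule.
const IGNORE_FILE = `# One path or pattern per line
tests/fixtures/
mocks/fake-credentials.js
docs/examples/
**/*.snap
`;
const RULES = parseIgnore(IGNORE_FILE);

module.exports = { parseIgnore, isIgnored, RULES };
```

Keep ignore rules as narrow as the false positive needs: a directory prefix such as `tests/fixtures/` is fine, but a broad glob silently exempts every future file it matches from scanning.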

Commands


$ npx sealedkeys-scan install # Install pre-commit hook

$ npx sealedkeys-scan uninstall # Remove the hook

$ npx sealedkeys-scan check # Run manually on staged files

$ npx sealedkeys-scan --help

Common questions

Does it send my code anywhere?

No. Scan makes zero network calls. It reads staged files locally using git show and runs regex patterns in-process. Nothing leaves your machine.

Will it flag process.env.API_KEY?

No. process.env references, os.environ.get(), template literals and placeholder strings like your-api-key are automatically allowlisted. You won't get noise on environment variable lookups.

Does it slow down my commits?

Under 200ms. It only reads staged content — not your entire working directory. On most repos the scan is imperceptible.

What if it blocks something it shouldn't?

Add the file path or pattern to .sealedkeysscanignore in your repo root. One line per entry, # for comments.

Does it work in monorepos?

Yes. The hook runs from the repo root, scans only staged files, and respects .sealedkeysscanignore patterns relative to the root.

Scan tells you when a secret is in the wrong place.

SealedKeys gives your team somewhere safe to put it instead — a zero-knowledge vault for passwords, API keys and SSH keys.

Scan is free and open source. SealedKeys vault — free for up to 25 items, no credit card.