Preview · SecretSweep is in private build · not accepting customers · launching Q2 2026

Your deleted commits still have secrets in them.

SecretSweep scans your entire git history for API keys, passwords, and tokens. 130+ detection rules. Matches on supported providers (AWS, GitHub, Stripe, OpenAI, Slack, SendGrid, npm) are verified against the real provider API, so you know whether those leaked keys are still live or already revoked. The ones you thought you removed are still there.

Scan my repos: free for 2 repos, no card.

Screenshot: SecretSweep dashboard (app.secretsweep.com/dashboard) showing scanned repos, open findings, and verified status.

Tested on OWASP WrongSecrets, an intentionally vulnerable project used with permission for security tool testing.

130+ detection rules, covering every provider you actually use.

Built on gitleaks (MIT) with a verification dispatcher that tests matches against the real provider API for seven supported providers. If a supported match returns ACTIVE, the rotation runbook opens immediately. Unsupported matches are flagged for manual review.

Providers covered: AWS, GitHub, Stripe, OpenAI, Anthropic, Slack, Google Cloud, Azure, Cloudflare, npm, Postgres, MongoDB, Redis, Twilio, SendGrid, Mailgun, DigitalOcean, Okta, Algolia, GitLab, Bitbucket, HashiCorp Vault, Pinecone, Supabase.
130+ Gitleaks detection rules, including AWS, GitHub, Stripe, GCP, Azure, and everything above.
7 providers with ACTIVE / REVOKED verification via their real API, not just regex.
60+ services with step-by-step rotation runbooks attached to each finding.

Rule source: gitleaks/gitleaks.toml. Secret verification is a Pro feature.

A match is only half the work. The other half is knowing it still works.

Every match on a supported provider runs through that provider's real API. You get ACTIVE, REVOKED, or a specific reason the check didn't complete. Active keys stay under monthly re-verification with 30, 60, and 90-day escalations, so nothing rots in a backlog.

Findings land in the dashboard with severity, source, rotation guidance, and a one-click "Resolve / Ignore / False Positive / Allowlist" flow for every one.

Screenshot: live scan log from a scan of OWASP WrongSecrets (app.secretsweep.com/dashboard), showing secrets being detected in the repository.

Six minutes from commit to a compromised account.

Illustrative scenario. Timing is reconstructed from Palo Alto Networks' EleKtra-Leak campaign research, which observed attackers harvesting AWS keys from public GitHub within five minutes of commit. Actual compute charges depend on instance type, duration, and region. Individual outcomes vary.

T = 0: You push a commit with an AWS key in terraform/main.tfvars. It's now public on github.com and indexed by the GitHub search API.

60 seconds later: Bots scrape the key from GitHub search. Multiple scrapers poll the public search API on short intervals; a key with the AKIA... prefix is found within the first minute.

4 minutes in: The key is tested against AWS STS GetCallerIdentity. It returns a 200, so the attacker now knows your account number and that the credential is live.

6 minutes in: The attacker begins spinning up compute in high-cost regions. Cryptomining or other workloads run on your account's billing.

Hours later: AWS's abuse team typically pauses the account once usage spikes. By then the account has been charged for unauthorized compute; real-world bills reported in the incident stories below range from tens of thousands of dollars upward.
SecretSweep catches this at T = 0.

A pre-commit hook blocks the commit on your machine before it is ever pushed, or the webhook picks up a push that slipped through within 60 seconds. The rotation runbook opens with the finding, with step-by-step revocation instructions for 60+ services.
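The detect, verify and escalate flow described on this page, together with its pre-commit variant, as an added Python illustration; this is not SecretSweep's own code. It assumes simplified gitleaks-style patterns (the real gitleaks.toml rule set is broader), models the AWS check as STS GetCallerIdentity and the GitHub check as GET /user, and uses constructed stand-in provider clients plus a constructed three-commit history so it runs offline:

```python
import re
from dataclasses import dataclass
from datetime import date

# Simplified gitleaks-style rules: id -> (pattern, provider). Assumption: the real gitleaks.toml
# patterns are broader. Only "aws" and "github" have a verifier; "postgres" shows the manual-review path.
RULES = {
    "aws-access-key-id": (re.compile(r"(?<![A-Z0-9])AKIA[0-9A-Z]{16}"), "aws"),
    "github-pat": (re.compile(r"ghp_[A-Za-z0-9]{36}"), "github"),
    "postgres-url": (re.compile(r"postgres(?:ql)?://[^\s:/]+:[^\s@]+@\S+"), "postgres"),
}

@dataclass
class Finding:
    rule_id: str
    provider: str
    secret: str
    commit: str
    path: str
    status: str = "UNVERIFIED"
    reason: str = ""

def scan_history(history):
    """history = (commit, path, text) for every commit, not just HEAD: a secret deleted later is still there."""
    findings = []
    for commit, path, text in history:
        for rule_id, (pattern, provider) in RULES.items():
            for match in pattern.finditer(text):
                findings.append(Finding(rule_id, provider, match.group(0), commit, path))
    return findings

def scan_staged_diff(diff_text):
    # Pre-commit form: only the '+' lines of `git diff --cached`, so the commit is refused locally.
    added = "\n".join(l[1:] for l in diff_text.splitlines() if l.startswith("+") and not l.startswith("+++"))
    return scan_history([("staged", "(index)", added)])

class ProviderError(Exception):
    # Error code from a provider API call; boto3's equivalent is a botocore ClientError with the same code.
    def __init__(self, code):
        super().__init__(code)
        self.code = code

def verify_aws(secret, sts):
    # ACTIVE if STS GetCallerIdentity accepts the key (boto3: sts.get_caller_identity()). InvalidClientTokenId
    # means the key id no longer exists; any other failure is reported with its code, not guessed at.
    try:
        sts.get_caller_identity()
    except ProviderError as err:
        return ("REVOKED" if err.code == "InvalidClientTokenId" else "UNVERIFIED"), err.code
    return "ACTIVE", ""

def verify_github(secret, api):
    # ACTIVE if GET /user authenticates with the token; HTTP 401 means it was revoked.
    try:
        api.get_user()
    except ProviderError as err:
        return ("REVOKED" if err.code == "401" else "UNVERIFIED"), err.code
    return "ACTIVE", ""

VERIFIERS = {"aws": verify_aws, "github": verify_github}

def verify(finding, clients):
    """Dispatch to the provider's verifier; unsupported providers go to manual review."""
    verifier = VERIFIERS.get(finding.provider)
    if verifier is None:
        finding.status, finding.reason = "MANUAL_REVIEW", "no verifier for provider"
    else:
        finding.status, finding.reason = verifier(finding.secret, clients[finding.provider])
    return finding

def escalation(first_seen, today):
    """Active keys are re-verified monthly and escalated once live past 30/60/90 days."""
    age = (today - first_seen).days
    for threshold in (90, 60, 30):
        if age >= threshold:
            return f"{threshold}-day escalation"
    return "monthly re-verify"

# Constructed offline stand-ins; production would pass a boto3 STS client and a GitHub API session.
class FakeSts:
    def __init__(self, live): self.live = live
    def get_caller_identity(self):
        if not self.live: raise ProviderError("InvalidClientTokenId")
        return {"Account": "123456789012"}

class FakeGitHub:
    def __init__(self, live): self.live = live
    def get_user(self):
        if not self.live: raise ProviderError("401")
        return {"login": "octocat"}

# Constructed three-commit history: key added, then "removed", then a token and DB URL in CI config.
SAMPLE_HISTORY = [
    ("c1", "terraform/main.tfvars", 'aws_access_key = "AKIAIOSFODNN7EXAMPLE"\n'),
    ("c2", "terraform/main.tfvars", "aws_access_key = var.from_vault\n"),
    ("c3", ".github/workflows/ci.yml", "env:\n  GH_TOKEN: ghp_0123456789abcdefghijklmnopqrstuvwxyz\n"
     "  DATABASE_URL: postgres://app:hunter2@db.internal:5432/app\n"),
]

if __name__ == "__main__":
    print(*(verify(f, {"aws": FakeSts(True), "github": FakeGitHub(False)}) for f in scan_history(SAMPLE_HISTORY)), sep="\n")
```

Running it prints every finding with its verified status. The thing to notice is that the AWS key committed in c1 is still reported even though c2 removed it; only the full history scan sees it. Feeding `git diff --cached` output through scan_staged_diff is the pre-commit form, which refuses the commit locally before anything reaches GitHub.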

Five minutes to stolen keys. Hours to a five-figure bill.

Three publicly reported incidents. Different companies, different credentials, same mechanism: a key committed to a repo, harvested within minutes, run up until someone noticed. Dollar figures are as reported in each linked source and reflect individual cases, not guaranteed outcomes.

$89,000: Overnight AWS bill. A developer pushed API keys to a public GitHub repo. Bots picked them up within minutes. By morning, the account had been used to spin up GPU instances for crypto mining, as reported in the source below. Source: Let's Code Future (2026).

5 min: EleKtra-Leak campaign. That's how fast attackers harvest exposed AWS keys from GitHub. 474 crypto miners deployed in a single five-week window. Source: The Register (2023).

$64,000: DXC Technology. A contractor's AWS keys were pushed to a public repo. Attackers spun up instances and ran up the bill before anyone noticed. Source: The Register (2017).

Individual incidents reported in public sources. Outcomes vary by organization, detection speed, and credential scope. Background on overall trends: GitGuardian State of Secrets Sprawl 2024 reports 12.8 million secrets leaked to public GitHub in 2023, with over 90% still active five days later.

Flat pricing. $9 a month for the whole team.

What every other scanner costs for a 5-person team, at published rates:

Tool                      5-person team   Pricing model
GitHub Secret Protection  $95 / mo        $19 × active committer
Semgrep Secrets           Contact sales   bundled in paid plans, per-contributor
GitGuardian Business      Contact sales   per-developer, quoted
Aikido Security           Contact sales   per-developer, quoted
SecretSweep Pro           $9 / mo         flat, 1 user or 50

Competitor pricing reflects publicly published plans at the time of writing. Vendors update their pricing regularly; verify current prices on each vendor's own website before relying on them for purchasing decisions.

Three tiers. None priced per seat.

The free tier is the trial. No credit card, no time limit. When you outgrow 2 repos, Pro is $9 a month for everyone on your team.

Free
For trying it out on a couple of repos, or for solo devs who just want the basics.
$0 forever
no card required
  • 2 repositories
  • 25 scans per month
  • Full git history, every branch
  • 60+ rotation runbooks
  • On-demand scanning
Power
For teams with compliance work, CI/CD pipelines leaking secrets in build logs, or many repos to keep under scheduled scan.
$19 / month
also flat, regardless of team size
  • Unlimited repositories
  • CI/CD log scanning (GitHub Actions)
  • Scheduled scans (daily or weekly)
  • MTTR, SLA compliance, remediation rate
  • Resolution velocity dashboards
  • Everything in Pro
Cancel any time from /billing in one click, with no email to sales; the paid period stays active until it ends. Invoices are emailed automatically. Tax receipts on request.

Federal supply chain requirements now expect automated secrets scanning.

If you ship software to the government, or work with organizations that do, demonstrating secrets management practices can be part of your security review. Power produces scan histories and audit trails that can support your internal compliance work.

EO 14028: Directed NIST to develop secure software development guidance, which became NIST SP 800-218. OMB Memorandum M-22-18 then required federal agencies to obtain vendor self-attestations that practices align with that guidance.

NIST SP 800-218 (SSDF): Describes secure development practices including automated vulnerability detection, which secrets scanning supports. Federal agencies reference SSDF in procurement.

CMMC: Requires defense contractors to protect Controlled Unclassified Information. A leaked AWS key in a repo with CUI access is a finding.

SOC 2: Requires logical access security over protected information assets, including credential management. Automated scanning provides concrete evidence for auditors evaluating your controls.

SecretSweep is a scanning tool, not a compliance authority. References to EO 14028, NIST SP 800-218, CMMC, and SOC 2 describe publicly available regulatory requirements and do not imply endorsement by or affiliation with any government agency. Organizations should consult qualified auditors and legal counsel for formal compliance assessments.

Questions, answered.

Why not just use Gitleaks directly?
You can. Gitleaks is MIT, excellent, and powers the detection here. What SecretSweep adds: a dashboard across repos, webhook-triggered auto-scans, live provider verification, a rotation runbook per finding, and monthly re-checks of active keys.
How is this different from GitHub Secret Protection?
GitHub Secret Protection is priced per active committer per month. A 5-person team typically pays around $95/mo at published rates. SecretSweep Pro is $9/mo flat, works with any GitHub plan, and includes GitLab + Bitbucket.
Is my source code stored?
No. Your repo is cloned to an isolated temp directory, scanned, and immediately deleted. Code never persists after the scan. See /security.
How does this compare to TruffleHog?
TruffleHog is an excellent open-source scanner with 800+ secret types supported. SecretSweep uses Gitleaks (130+ rules, MIT) and layers on the managed service: one-click GitHub setup, persistent dashboard, auto-scan on push, email alerts, and verification.
Does it work with private repos?
Yes. GitHub users pick exactly which repos to grant the App access to. Pro and Power can also connect private GitLab and Bitbucket repos via OAuth. Private repos are supported across all three platforms.
What is CI/CD log scanning?
Secrets often leak through build logs, not just source code. Power scans GitHub Actions workflow run logs for leaked credentials after every build completes, so CI/CD exposure is caught alongside repo exposure.
What happens after a secret is found?
For supported providers (AWS, GitHub, Stripe, OpenAI, Slack, SendGrid, npm), SecretSweep tests the secret against the real provider API to determine if it is still active. Active credentials are re-checked monthly with escalating alerts at 30/60/90 days. Nothing rots in a backlog.
Can I use this for SOC 2 / compliance?
Power ($19/mo) produces scan history, audit trail, and remediation tracking that support SOC 2, ISO 27001, PCI DSS, and NIST 800-53 evidence gathering. SecretSweep is a scanning tool, not a compliance authority. Consult your auditor.

Run one scan. See what your git history is still carrying.

$ secretsweep scan ~/code/myrepo
Or sign in with GitHub and skip the CLI entirely.

Free for 2 repos, no card. If the free tier catches one live key, it paid for itself at whatever your hourly rate is.