Preview · SecretSweep is in private build · not accepting customers · launching Q2 2026

Your deleted commits still have secrets in them.

SecretSweep scans your entire git history for API keys, passwords, and tokens. 130+ detection rules. Supported verifier checks test candidate secrets against provider APIs where verification is possible, including AWS when both key parts are present, so you know which leaked keys still need rotation. The ones you thought you removed are still there.

Scan my repos · free for 2 repos · no card

Dashboard (Power perspective)

  • Critical: 3
  • High: 14
  • Total open: 47
  • Scan coverage: 73% (35 of 48 repos)
  • 14 new this week
  • 11 resolved this week
  • 3 open critical

Power triage: repos ranked by open finding impact

Needs attention

Severity  Repository                    Rule                 File                          Age
Critical  pollux-co/api-gateway         private-key          deploy/keys/prod_rsa          3d
Critical  pollux-co/billing-service     stripe-access-token  .env.production               1d
Critical  pollux-co/data-pipeline       aws-access-token     terraform/main.tf             1d
High      pollux-co/data-pipeline       aws-access-token     ci-log/3_Build artifacts.txt  4h
High      pollux-group/legacy-monorepo  github-pat           scripts/ci/release.sh         2d

Not scanned recently

pollux-co/landing-site 23 days ago

Finding trend

This week: 14 new, 11 resolved
Last week: 21 new, 12 resolved (-33% week over week)

Verification status

  • Revoked: 21
  • Unknown: 26

Top exposed files

  • .env.production 8
  • terraform/main.tf 6
  • .github/workflows/release.yml 5
  • ci-log/3_Build artifacts.txt 3
  • internal/database/fixtures/db_seed.go 2

Recent scans

  • pollux-co/api-gateway · Completed · Apr 28 09:42 · 5
  • pollux-co/billing-service · Completed · Apr 28 06:30 · 9
  • pollux-co/data-pipeline · Completed · Apr 28 03:15 · 7
  • pollux-co/api-gateway · Completed · Apr 27 22:08 · 5
  • pollux-co/iam-rotator · Completed · Apr 27 19:51 · 3
View all scans

Secret types

  • generic-api-key 15
  • aws-access-token 8
  • stripe-access-token 6
  • github-pat 5
  • slack-webhook-url 4

Metrics

  • 4h average resolution
  • 92% critical SLA (resolved within 24h)
  • 87% high SLA (resolved within 7 days)
  • 38% remediation rate

130+ detection rules, covering the providers your team actually uses.

Built on gitleaks (MIT) with a verification dispatcher that tests supported matches against provider APIs when enough credential material is present. HTTP verifiers currently cover GitHub, GitLab, Stripe, OpenAI, Slack tokens and incoming webhooks, SendGrid, npm, DigitalOcean, Doppler, Netlify, Heroku, Notion, Cloudflare, Discord, and Telegram; AWS verification requires an access-key ID and secret-key pair.

Providers covered: AWS (aws), GitHub (github), Stripe (stripe), OpenAI (openai), Anthropic (anthropic), Slack (slack), Google Cloud (gcp), Azure (azure), Cloudflare (cloudflare), npm (npm), Postgres (postgres), MongoDB (mongodb), Redis (redis), Twilio (twilio), SendGrid (sendgrid), Mailgun (mailgun), DigitalOcean (digitalocean), Okta (okta), Algolia (algolia), GitLab (gitlab), Bitbucket (bitbucket), HashiCorp Vault (vault), Pinecone (pinecone), Supabase (supabase).
  • 130+ Gitleaks detection rules, including AWS, GitHub, Stripe, GCP, Azure, and everything above.
  • 17 supported provider checks return ACTIVE / REVOKED when the provider API can verify the candidate.
  • 60+ services with step-by-step rotation runbooks attached to each finding.

Rule source: gitleaks/gitleaks.toml. Secret verification is a Pro feature. Provider names and logos are used only to identify compatible services and do not imply sponsorship, affiliation, or endorsement.

A match is only half the work. The other half is knowing it still works.

Supported matches run through the real provider API when the verifier has enough credential material. You get ACTIVE, REVOKED, or a specific reason the check didn't complete. Active keys stay under monthly re-verification with 30, 60, and 90-day escalations, so nothing rots in a backlog.
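The dispatcher behaviour described above and in the "130+ detection rules" section (verify only when enough credential material is present, otherwise report why the check did not complete) is modelled by the following added example. It is not SecretSweep's code: the Finding and Verdict types, the `probe(provider, credential)` interface, the pairing heuristic for AWS secrets and the `demo()` inputs are all assumptions of this example. The file names are taken from the scan excerpt below; the AWS key pair is the one AWS uses in its own documentation, and the other secrets are constructed fakes.

```python
"""Verification dispatcher for secret-scanner findings.

Added example, not SecretSweep's code. It follows the flow the page describes:
a finding is verified only when enough credential material is present (AWS
needs a key id plus its secret), and the result is ACTIVE, REVOKED, or
UNVERIFIED with the reason the check did not complete. The provider call is
injected as a `probe` callable (an assumed interface) so the demo runs offline.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass(frozen=True)
class Finding:
    rule_id: str   # gitleaks rule id, e.g. "aws-access-token"
    file: str
    line: int
    secret: str    # the matched string


@dataclass(frozen=True)
class Verdict:
    status: str                  # "ACTIVE", "REVOKED" or "UNVERIFIED"
    reason: Optional[str] = None


# probe(provider, credential) -> True if the provider accepted the credential,
# False if it rejected it; raises on transport trouble (timeouts, rate limits).
Probe = Callable[[str, Dict[str, str]], bool]

# Rules whose match is a complete credential on its own.
SINGLE_TOKEN_RULES = {"github-pat": "github", "stripe-access-token": "stripe",
                      "slack-webhook-url": "slack"}

# A gitleaks aws-access-token match is only the 20-char key id; the 40-char
# secret is searched for in the same file (heuristic: a 40-char base64-ish run).
AWS_SECRET_RE = re.compile(r"(?<![A-Za-z0-9/+])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+])")


def pair_aws_credentials(findings, file_contents):
    """Map each aws-access-token finding to a secret from the same file, or None."""
    pairs = {}
    for f in findings:
        if f.rule_id == "aws-access-token":
            m = AWS_SECRET_RE.search(file_contents.get(f.file, ""))
            pairs[f] = m.group(0) if m else None
    return pairs


def verify(finding, probe, aws_pairs):
    """Check eligibility, call the probe, and turn the outcome into a Verdict."""
    if finding.rule_id == "aws-access-token":
        secret = aws_pairs.get(finding)
        if secret is None:
            return Verdict("UNVERIFIED", "no secret access key found beside the key id")
        provider = "aws"
        cred = {"access_key_id": finding.secret, "secret_access_key": secret}
    elif finding.rule_id in SINGLE_TOKEN_RULES:
        provider, cred = SINGLE_TOKEN_RULES[finding.rule_id], {"token": finding.secret}
    else:
        return Verdict("UNVERIFIED", f"no verifier for rule {finding.rule_id}")
    try:
        return Verdict("ACTIVE" if probe(provider, cred) else "REVOKED")
    except Exception as exc:  # network error, rate limit: report it, don't guess
        return Verdict("UNVERIFIED", f"{provider} check did not complete: {exc}")


def demo():
    """Constructed findings modelled on the scan excerpt; all secrets are fakes."""
    findings = [
        Finding("aws-access-token", ".env.production", 14, "AKIAIOSFODNN7EXAMPLE"),
        Finding("aws-access-token", "terraform/main.tf", 38, "AKIAEXAMPLEKEYID0002"),
        Finding("github-pat", ".github/workflows/release.yml", 62, "ghp_" + "0" * 36),
        Finding("generic-api-key", "config/secrets.yml", 9, "opaque-example-value"),
    ]
    files = {  # .env.production holds AWS's documented example pair; main.tf has no secret
        ".env.production": ("AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
                            "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"),
        "terraform/main.tf": 'access_key = "AKIAEXAMPLEKEYID0002"\n',
    }

    def fake_probe(provider, cred):  # stands in for the provider APIs
        return provider == "github"  # AWS pair rejected, GitHub token accepted

    pairs = pair_aws_credentials(findings, files)
    return {f.file: verify(f, fake_probe, pairs) for f in findings}


if __name__ == "__main__":
    for path, v in demo().items():
        print(f"{v.status:<10} {path}  {v.reason or ''}")
```

A real `probe` would, for AWS, call STS GetCallerIdentity with the paired key (the same call the timeline below shows an attacker using) and, for GitHub, request the token's own user record; the dispatcher above only decides whether such a call is worth making and maps its outcome, or its failure, to a verdict. Note that the key-id finding in terraform/main.tf stays UNVERIFIED rather than being guessed at, which is the behaviour the text describes for AWS when only one half of the pair is present.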

Findings land in the dashboard with severity, source, rotation guidance, and a one-click "Resolve / Ignore / False Positive / Allowlist" flow for every one.

Excerpt from a Power-tier scan run, showing the full 22-finding output and the verifier verdicts.

secretsweep.com/scans/281
14:23:08 Scan started
14:23:08 Repository: pollux-co/api-gateway
14:23:08 Size: 47891 KB
14:23:08 Cloning repository...
14:23:08 Requesting GitHub installation token...
14:23:09 Clone complete. Running Gitleaks (130+ rules)...
14:23:11 Scan complete. 22 findings detected.
14:23:11 [1/22] critical private-key deploy/keys/prod_rsa:1
14:23:11 [2/22] high aws-access-token .env.production:14
14:23:11 [3/22] high aws-access-token terraform/main.tf:38
14:23:11 [4/22] high github-pat .github/workflows/release.yml:62
14:23:11 [5/22] high slack-webhook-url scripts/notify.sh:7
14:23:11 [6/22] high private-key scripts/deploy/ssh_known_hosts:42
14:23:11 [7/22] medium generic-api-key config/secrets.yml:9
14:23:11 [8/22] medium generic-api-key .env.local:11
14:23:11 [9/22] medium generic-api-key docker-compose.yml:24
14:23:11 [10/22] medium generic-api-key .env.production:7
14:23:11 [11/22] medium aws-access-token internal/database/fixtures/db_seed.go:18
14:23:11 [12/22] medium stripe-access-token .env.production:21
14:23:11 [13/22] medium stripe-access-token config/billing_test.go:54
14:23:11 [14/22] medium github-pat .github/workflows/release.yml:88
14:23:11 [15/22] medium slack-webhook-url .github/workflows/release.yml:103
14:23:11 [16/22] medium generic-api-key scripts/seed_local.sh:32
14:23:11 [17/22] medium generic-api-key config/staging.yml:17
14:23:11 [18/22] medium generic-api-key config/secrets.yml:14
14:23:11 [19/22] medium generic-api-key helm/values.yaml:73
14:23:11 [20/22] medium generic-api-key scripts/migrate.sh:12
14:23:11 [21/22] medium generic-api-key Makefile:56
14:23:11 [22/22] medium generic-api-key cmd/server/init.go:21
14:23:11 Verifying detected credentials...
14:23:14 AWS REVOKED .env.production:14
14:23:14 AWS REVOKED terraform/main.tf:38
14:23:14 GitHub REVOKED .github/workflows/release.yml:62
14:23:14 GitHub REVOKED .github/workflows/release.yml:88
14:23:14 Slack REVOKED scripts/notify.sh:7
14:23:14 Slack REVOKED .github/workflows/release.yml:103
14:23:14 Stripe REVOKED .env.production:21
14:23:14 Stripe REVOKED config/billing_test.go:54
14:23:14 AWS REVOKED internal/database/fixtures/db_seed.go:18
14:23:14 Storing findings in database...
14:23:14 Done. 22 findings (9 active checks, all REVOKED) in 6244ms.
14:23:14 DONE 22 findings

Six minutes from commit to a compromised account.

Illustrative scenario. Timing is reconstructed from Palo Alto Networks' EleKtra-Leak campaign research, which observed attackers harvesting AWS keys from public GitHub within five minutes of commit. Actual compute charges depend on instance type, duration, and region. Individual outcomes vary.

T = 0: You push a commit with an AWS key in terraform/main.tfvars. It's now public on github.com and indexed by the GitHub search API.

60 seconds later: Bots scrape the key from GitHub search. Multiple scrapers poll the public search API on short intervals. A key tagged AKIA... is found within the first minute.

4 minutes in: The key is tested against AWS STS GetCallerIdentity. It returns a 200. The attacker now knows your account number and that the credential is live.

6 minutes in: The attacker begins spinning up compute in high-cost regions. Cryptomining or other workloads run on your account's billing.

Hours later: AWS's abuse team typically pauses the account once usage spikes. By then, the account has been charged for unauthorized compute. Real-world bills reported in the incident stories below range from tens of thousands of dollars upward.
SecretSweep helps catch this before it becomes tomorrow's cleanup.
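The sequence in the timeline above (a GetCallerIdentity probe followed by compute launched in regions the account never uses) also leaves a trace in CloudTrail, which is where a defender can catch it if the key was not found in the repo first. The following added example is a detection rule over CloudTrail records; it is not part of SecretSweep, which scans repositories rather than AWS logs. The records, key ids, IP addresses, the list of "known" regions and the 15-minute window are all constructed assumptions.

```python
"""Detection for the leaked-key sequence in the timeline above, over CloudTrail.

Added example, not SecretSweep's code. Rule: an access key calls
sts:GetCallerIdentity and then, within a short window, calls ec2:RunInstances
in a region the account has never used. Records are constructed and trimmed to
the CloudTrail fields the rule reads; keys, IPs and regions are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

KNOWN_REGIONS = {"us-east-1", "eu-west-1"}   # constructed: where the account really runs
WINDOW = timedelta(minutes=15)


def event(time, source, name, region, key, ip):
    """Build a cut-down CloudTrail record (real records carry many more fields)."""
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "awsRegion": region, "sourceIPAddress": ip,
            "userIdentity": {"type": "IAMUser", "accessKeyId": key}}


LEAKED, DEPLOY = "AKIAEXAMPLEKEYID0001", "AKIAEXAMPLEKEYID0002"   # constructed key ids
EVENTS = [  # constructed: ...0001 plays the leaked key, ...0002 a normal deploy user
    event("2026-04-28T14:23:00Z", "sts.amazonaws.com", "GetCallerIdentity", "us-east-1", LEAKED, "203.0.113.7"),
    event("2026-04-28T14:27:12Z", "ec2.amazonaws.com", "RunInstances", "ap-northeast-1", LEAKED, "203.0.113.7"),
    event("2026-04-28T14:27:50Z", "ec2.amazonaws.com", "RunInstances", "sa-east-1", LEAKED, "203.0.113.7"),
    event("2026-04-28T14:30:00Z", "sts.amazonaws.com", "GetCallerIdentity", "us-east-1", DEPLOY, "198.51.100.4"),
    event("2026-04-28T14:31:00Z", "ec2.amazonaws.com", "RunInstances", "us-east-1", DEPLOY, "198.51.100.4"),
    event("2026-04-28T16:05:00Z", "ec2.amazonaws.com", "RunInstances", "ap-northeast-1", LEAKED, "203.0.113.7"),
]


def ts(e):
    return datetime.strptime(e["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def detect(events, known_regions=KNOWN_REGIONS, window=WINDOW):
    """One alert per access key that probed itself with GetCallerIdentity and
    then launched instances in an unfamiliar region within the window."""
    by_key = defaultdict(list)
    for e in events:
        by_key[e["userIdentity"].get("accessKeyId")].append(e)
    alerts = []
    for key, evs in by_key.items():
        probes = [ts(e) for e in evs
                  if e["eventSource"] == "sts.amazonaws.com"
                  and e["eventName"] == "GetCallerIdentity"]
        launches = [e for e in evs
                    if e["eventName"] == "RunInstances"
                    and e["awsRegion"] not in known_regions
                    and any(p <= ts(e) <= p + window for p in probes)]
        if launches:
            alerts.append({"accessKeyId": key,
                           "first_probe": min(probes).isoformat(),
                           "regions": sorted({l["awsRegion"] for l in launches}),
                           "source_ips": sorted({l["sourceIPAddress"] for l in launches})})
    return alerts


if __name__ == "__main__":
    for a in detect(EVENTS):
        print(a)
```

The rule deliberately keys on the probe-then-launch sequence rather than on GetCallerIdentity alone, which legitimate tooling calls constantly; the deploy user in the sample data makes the same probe and is not flagged because its launch lands in a known region. The 16:05 launch in the sample falls outside the window and is ignored by this rule, so a complementary check on first-seen regions per key is still worth having.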

Pre-commit can block the push before it leaves your machine when installed, and server-side webhooks scan shortly after push events arrive for enabled repos. The rotation runbook opens with the finding, with step-by-step revocation steps for 60+ services.
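A pre-commit hook that refuses a commit whose staged diff adds a credential is the local half of the setup described above. The following added example is a minimal stand-alone hook; it is not SecretSweep's hook (which the page says is built on gitleaks) and covers only a handful of well-known token formats. The pattern table, the `scan_diff` parser and the sample diff are assumptions of this example; the `gitleaks protect --staged` invocation mentioned in the comment is the gitleaks v8 syntax and is not run here.

```python
#!/usr/bin/env python3
"""Minimal pre-commit hook: reject the commit when a staged change adds a secret.

Added example, not SecretSweep's hook. Install as .git/hooks/pre-commit (and
make it executable). Only a few well-known token formats are matched; a fuller
hook would hand the staged diff to `gitleaks protect --staged` (gitleaks v8
syntax, an assumption of this example) instead of the pattern table below.
"""
import re
import subprocess
import sys

# Shapes of the public token formats; "AKIA" is the prefix the timeline refers to.
PATTERNS = {
    "aws-access-key-id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
    "github-pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "stripe-secret-key": re.compile(r"\bsk_live_[A-Za-z0-9]{24,}\b"),
    "slack-webhook-url": re.compile(
        r"https://hooks\.slack\.com/services/T[A-Z0-9]+/B[A-Z0-9]+/[A-Za-z0-9]+"),
    "private-key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# Constructed staged diff (git diff --cached -U0 format) with AWS's documented
# example key id; the file name is the one from the timeline above.
SAMPLE_DIFF = """\
diff --git a/terraform/main.tfvars b/terraform/main.tfvars
--- a/terraform/main.tfvars
+++ b/terraform/main.tfvars
@@ -3,0 +4,2 @@
+aws_access_key = "AKIAIOSFODNN7EXAMPLE"
+region         = "us-east-1"
"""


def scan_diff(diff_text):
    """Return (path, new_line_number, rule) for every added line that matches.
    Only '+' lines are inspected, so removing a secret never blocks a commit."""
    hits, path, new_line = [], None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:]
            path = path[2:] if path.startswith("b/") else path
        elif raw.startswith("@@"):
            m = re.search(r"\+(\d+)", raw)   # start line of the hunk in the new file
            new_line = int(m.group(1)) if m else 1
        elif raw.startswith("+"):
            for rule, rx in PATTERNS.items():
                if rx.search(raw[1:]):
                    hits.append((path, new_line, rule))
            new_line += 1
        elif raw.startswith(" "):            # unchanged context line
            new_line += 1
        # '-' (removed) and '\' (no-newline marker) lines do not advance new_line
    return hits


def main():
    diff = subprocess.run(["git", "diff", "--cached", "-U0", "--no-color"],
                          capture_output=True, text=True, check=True).stdout
    hits = scan_diff(diff)
    for path, line, rule in hits:
        print(f"pre-commit: {path}:{line} looks like a {rule}; commit refused",
              file=sys.stderr)
    return 1 if hits else 0


if __name__ == "__main__":
    sys.exit(main())
```

The hook reports the line number in the new version of the file so the developer can fix it before the key ever reaches the remote, which is the whole point of the "before it leaves your machine" step; the server-side webhook scan the text mentions remains the safety net for machines where the hook is not installed.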

Five minutes to stolen keys. Hours to a five-figure bill.

Three publicly reported incidents. Different companies, different credentials, same mechanism: a key committed to a repo, harvested within minutes, run up until someone noticed. Dollar figures are as reported in each linked source and reflect individual cases, not guaranteed outcomes.

$89,000 · Overnight AWS bill. A developer pushed API keys to a public GitHub repo. Bots picked them up within minutes. By morning, the account had been used to spin up GPU instances for crypto mining, as reported in the source account linked below. (Medium source; access may vary)

5 min · EleKtra-Leak campaign. That's how fast attackers harvest exposed AWS keys from GitHub. 474 crypto miners deployed in a single five-week window. (The Register, 2023)

$64,000 · DXC Technology. A contractor's AWS keys were pushed to a public repo. Attackers spun up instances and ran up the bill before anyone noticed. (The Register, 2017)

Individual incidents reported in public sources. Outcomes vary by organization, detection speed, and credential scope. Background on overall trends: GitGuardian State of Secrets Sprawl 2024 reports 12.8 million secrets leaked to public GitHub in 2023, with over 90% still active five days later.

Flat pricing. Not priced per seat.

Most secrets scanners scale cost with active committers, contributors, or seats. SecretSweep's paid plans are flat by tier instead, so the bill changes when repository coverage or workflow needs change, not when headcount does.

Billing trigger        Pro                               Power
Base price             $9 / mo or $90 / yr               $19 / mo or $190 / yr
Repository allowance   50 repositories                   Unlimited repositories
What changes the bill  Plan tier, not contributor count  Adds scheduled scans, CI/CD log scanning, custom team rules, and advanced metrics

Billing is per account today, not per contributor. Paid plans are self-serve, support monthly or annual billing, and can be canceled from the billing page.

Three tiers. None priced per seat.

The free tier is the trial. No credit card, no time limit. When you outgrow 2 repos, Pro is $9 a month for one account with up to 50 repositories, or pay annually and save.

Free
For trying it out on a couple of repos, or for solo devs who just want the basics.
$0 forever · no card required
  • 2 repositories
  • 25 scans per month
  • Full git history, every branch
  • 60+ rotation runbooks
  • On-demand scanning
Start free
Power
For accounts with compliance work, CI/CD pipeline logs to inspect, custom patterns to enforce, or many repos to keep under scheduled scan.
$19 / month, or $190 / year (2 months free, saves $38 a year)
  • Unlimited repositories
  • CI/CD log scanning across GitHub, GitLab, and Bitbucket pipelines
  • Custom team detection rules with preview and audit trail
  • Scheduled scans (daily or weekly)
  • MTTR, SLA compliance, remediation rate
  • Resolution velocity dashboards
  • Everything in Pro
Get started
Cancel anytime in one click; the paid period stays active until it ends. No email to sales. Invoices auto-email. Tax receipts on request.

Federal supply chain requirements now expect automated secrets scanning.

If you ship software to the government, or work with organizations that do, demonstrating secrets management practices can be part of your security review. Power produces scan histories and audit trails that can support your internal compliance work.

EO 14028: Directed NIST to develop secure software development guidance, which became NIST SP 800-218. OMB Memorandum M-22-18 then required federal agencies to obtain vendor self-attestations that practices align with that guidance.

NIST SP 800-218 (SSDF): Describes secure development practices including automated vulnerability detection, which secrets scanning supports. Federal agencies reference SSDF in procurement.

CMMC: Requires defense contractors to protect Controlled Unclassified Information. A leaked AWS key in a repo with CUI access is a finding.

SOC 2: Requires logical access security over protected information assets, including credential management. Automated scanning provides concrete evidence for auditors evaluating your controls.

SecretSweep is a scanning tool, not a compliance authority. References to EO 14028, NIST SP 800-218, CMMC, and SOC 2 describe publicly available regulatory requirements and do not imply endorsement by or affiliation with any government agency. Organizations should consult qualified auditors and legal counsel for formal compliance assessments.

Questions, answered.

Why not just use Gitleaks directly?
You can. Gitleaks is MIT, excellent, and powers the detection here. What SecretSweep adds: a dashboard across repos, webhook-triggered auto-scans, live provider verification, a rotation runbook per finding, and monthly re-checks of active keys.
How is this different from GitHub Secret Protection?
GitHub Secret Protection is priced per active committer on GitHub. SecretSweep uses flat plan tiers instead, works with any GitHub plan, and paid plans can also scan GitLab and Bitbucket repositories.
Is my source code stored?
No. Your repo is cloned to an isolated temp directory, scanned, and immediately deleted. Code never persists after the scan. Read our security practices.
How does this compare to TruffleHog?
TruffleHog is an excellent open-source scanner with 800+ secret types supported. SecretSweep uses Gitleaks (130+ rules, MIT) and layers on the managed service: one-click GitHub setup, persistent dashboard, auto-scan on push, email alerts, and verification.
Does it work with private repos?
Yes. GitHub users pick exactly which repos to grant the App access to. Pro and Power can also connect private GitLab and Bitbucket repos via OAuth. Private repos are supported across all three platforms.
What is CI/CD log scanning?
Secrets often leak through build logs, not just source code. Power scans GitHub Actions, GitLab Pipeline, and Bitbucket Pipeline logs for leaked credentials from enabled repo pages, and can scan completed runs automatically when provider webhooks are configured.
Can I add my own detection patterns?
Yes on Power. Team rules let you define team: regex detections for internal token formats, preview them before saving, audit every change, and apply them during server-side repo scans. The connected CLI API exposes the same rules for the private CLI release channel.
What happens after a secret is found?
For 17 supported providers (AWS, GitHub, GitLab, Stripe, OpenAI, Slack tokens, Slack webhooks, SendGrid, npm, DigitalOcean, Doppler, Netlify, Heroku, Notion, Cloudflare, Discord, Telegram), SecretSweep tests the secret against the real provider API to determine if it is still active. Active credentials are re-checked monthly with escalating alerts at 30/60/90 days. Nothing rots in a backlog.
Can I use this for SOC 2 / compliance?
Power ($19/mo) produces scan history, audit trail, and remediation tracking that support SOC 2, ISO 27001, PCI DSS, and NIST 800-53 evidence gathering. SecretSweep is a scanning tool, not a compliance authority. Consult your auditor.

Run one scan. See what your git history is still carrying.

Free for 2 repos, no card. If the free tier catches one live key, it paid for itself at whatever your hourly rate is.