Upload an exposed .git directory and scan its objects and history for leaked secrets, API keys, and credentials. Runs entirely in your browser.
When a website accidentally exposes its `.git` directory, the entire source history can be recovered - including secrets that were committed and later "removed". Tools like git-dumper download those files; this tool handles the part that matters once you have them: reconstructing the objects and hunting for leaked credentials.

Upload a `.git` folder and the scanner:
- inflates every git object (loose and packed, resolving deltas)
- reconstructs file names from tree objects
- scans all file contents, commits, and metadata for secrets

Nothing is uploaded - the entire scan runs locally in your browser.
Input:
.git/ directory (config, objects, refs, packs)
Output:
AWS access key id - config/settings.py:12 - AKIAIOSFODNN7EXAMPLE
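The steps described above (inflate an object, recover file names from trees, scan blob contents) can be sketched for loose objects as follows. This is an added example, not the tool's own source: the function names and the single rule are hypothetical, Node's `zlib` and `crypto` modules stand in for the browser's inflate and SHA-1, and packed objects are not covered.

```javascript
const zlib = require('zlib'), crypto = require('crypto'); // Node.js stand-ins for browser inflate/SHA-1
const AWS_KEY_ID = /\bAKIA[0-9A-Z]{16}\b/g; // one illustrative rule, not the tool's ruleset

// A loose object is the zlib-deflated bytes "<type> <size>\0<body>".
function parseLooseObject(compressed) {
  const raw = zlib.inflateSync(compressed), nul = raw.indexOf(0);
  const [type, size] = raw.subarray(0, nul).toString().split(' ');
  const body = raw.subarray(nul + 1);
  if (body.length !== Number(size)) throw new Error('size mismatch: corrupt object');
  return { type, body };
}

// A tree body repeats "<mode> <name>\0" followed by a 20-byte raw SHA-1.
function parseTree(body) {
  const entries = [];
  for (let i = 0, sp, nul; i < body.length; i = nul + 21) {
    sp = body.indexOf(0x20, i); nul = body.indexOf(0, sp);
    if (sp < 0 || nul < 0) throw new Error('malformed tree entry');
    entries.push({ mode: body.subarray(i, sp).toString(), name: body.subarray(sp + 1, nul).toString(),
      sha: body.subarray(nul + 1, nul + 21).toString('hex') });
  }
  return entries;
}

// Walk trees from treeSha so each blob gets its path, then scan the blob line by line.
function scanTree(store, treeSha, prefix = '') {
  return parseTree(parseLooseObject(store.get(treeSha)).body).flatMap((e) => {
    const path = prefix + e.name;
    if (!store.has(e.sha)) return []; // object missing from a partial dump
    if (e.mode === '40000') return scanTree(store, e.sha, path + '/');
    const lines = parseLooseObject(store.get(e.sha)).body.toString().split('\n');
    return lines.flatMap((line, n) =>
      [...line.matchAll(AWS_KEY_ID)].map((m) => `AWS access key id - ${path}:${n + 1} - ${m[0]}`));
  });
}

function demo() { // constructed sample: config/settings.py holding the AWS documentation key
  const store = new Map(); // sha (hex) -> deflated object bytes, like .git/objects
  const put = (type, body) => {
    const raw = Buffer.concat([Buffer.from(`${type} ${body.length}\0`), body]);
    const sha = crypto.createHash('sha1').update(raw).digest('hex');
    store.set(sha, zlib.deflateSync(raw));
    return sha;
  };
  const entry = (mode, name, sha) => Buffer.concat([Buffer.from(`${mode} ${name}\0`), Buffer.from(sha, 'hex')]);
  const blob = put('blob', Buffer.from('DEBUG = False\nAWS_KEY = "AKIAIOSFODNN7EXAMPLE"\n'));
  const root = put('tree', entry('40000', 'config', put('tree', entry('100644', 'settings.py', blob))));
  return scanTree(store, root);
}
```

Because the path comes from the tree walk, a blob that no surviving tree references would need a separate pass over the raw object store to be scanned at all.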
Can it download a .git directory from a URL for me?
No. Browsers enforce the same-origin policy, so a web page cannot read files from another site unless that site opts in through CORS. Use a tool like git-dumper or wget to download the exposed .git directory first, then upload the resulting files here to scan them.
Does it handle packed repositories?
Yes. It parses .pack files and resolves both offset-deltas and reference-deltas, so secrets stored only inside packs are still recovered.
Are my files uploaded anywhere?
No. All inflation, object reconstruction, and scanning happen in your browser using JavaScript. Your files never leave your device.
What kinds of secrets does it detect?
Private key blocks, AWS access keys, GitHub/Slack/Stripe/Twilio/Google tokens, JWTs, URLs with embedded username:password, generic api-key/secret/token assignments, and .env-style KEY=value secrets.
Is a clean result a guarantee there are no secrets?
No. The scanner uses a pattern ruleset and can miss custom or obfuscated secrets. Use it as a fast first pass, not a definitive audit.