JSPM

@sealedkeys/scan

0.1.1
  • ESM via JSPM
  • ES Module Entrypoint
  • Export Map
  • Keywords
  • License
  • Repository URL
  • TypeScript Types
  • README
  • Created
  • Published
  • Downloads 34
  • Score
    100M100P100Q7428F
  • License MIT

Blocks commits containing secrets. By SealedKeys.

Package Exports

  • @sealedkeys/scan
  • @sealedkeys/scan/dist/index.js

This package does not declare an exports field, so the exports above have been automatically detected and optimized by JSPM instead. If any package subpath is missing, it is recommended to post an issue to the original package (@sealedkeys/scan) to support the "exports" field. If that is not possible, create a JSPM override to customize the exports field for this package.

Readme

@sealedkeys/scan

Blocks commits containing secrets. One command to install. Zero false positives on process.env.

npm install --save-dev @sealedkeys/scan
npx sealedkeys-scan install

That's it. Every commit in this repo is now checked before it goes anywhere.

What it catches

Secret type Example match
AWS Access Key AKIA••••••••MPLE
Stripe secret key sk_live_••••••••3456
GitHub token ghp_••••••••6789
SSH private key -----BEGIN RSA PRIVATE KEY-----
Google API key AIza••••••••••••
Slack webhook hooks.slack.com/services/T••••
Twilio key SK••••••••••••••
SendGrid key SG.••••••••••••
Database URL with password postgres://user:••••@host
Generic API key assignment api_key = "••••••••"
.pem / .key files blocked by extension
.env files blocked by filename

Safe values — process.env.API_KEY, os.environ.get(...), template literals — are allowlisted automatically.

What it looks like

🔴 SealedKeys Scan blocked this commit

  ✗ src/config.js (line 14)
    Stripe Secret Key: sk_l••••••••3456

  ✗ deploy/keys/id_rsa — blocked extension: .pem

2 issues found. Remove secrets before committing — store them in your vault instead.

  Store secrets securely: https://sealedkeys.com
  False positive? Add the path to .sealedkeysscanignore

The commit is blocked. Exit code 1.

Ignore false positives

Create .sealedkeysscanignore in your repo root:

# One path or pattern per line
tests/fixtures/
mocks/fake-credentials.js

Commands

npx sealedkeys-scan install     # Install pre-commit hook
npx sealedkeys-scan uninstall   # Remove the hook
npx sealedkeys-scan check       # Run manually on staged files
npx sealedkeys-scan --help

How it works

  1. Runs as a git pre-commit hook — before every git commit
  2. Gets staged files via git diff --cached --name-only
  3. Reads staged content via git show :<file> — checks exactly what's being committed, not your working directory
  4. Runs 18 regex patterns against each line
  5. Exits 1 (blocks commit) if anything is found

Zero network calls. Fully offline. Adds under 200ms to your commit.

Store secrets properly

SealedKeys Scan tells you when a secret is in the wrong place.
SealedKeys gives your team somewhere safe to put it instead.

Zero-knowledge vault for passwords, API keys and SSH keys. Scan is included free with every Pro plan.

sealedkeys.com

License

MIT