Replying to @tudorp06
yeah appreciate the idea of checking vibecoded products for security leaks and hardcoded keys, but literally what stops a possible user from just using Claude to audit and check the backend, and just tell it to replace any keys and put them in an .env and add to .gitignore? like it’s a pretty straight-forward process that could be done by raising awareness towards vibecoders, not a 40$ pro plan
You're right, that would be ideal in a vibecoded application, but this is not currently happening and millions of secrets do end up in production, more and more each year. Secret scanning can go a long way to prevent that. The app doesn't even have to be vibecoded, mistakes happen in traditional apps too, especially secrets that leak to the frontend when using isomorphic frameworks like Next.js or SvelteKit.
The scanner is free and open source. The Pro plan adds explanations for each found secret, instructing the AI or human what to do to fix it, plus variable tracking to help prevent secrets leaking to the frontend. Everything else is part of the free version. Pro costs $14/month.