Replying to @rid
If you're using AI to write code, you're probably shipping secrets too. It's more common than you'd think.
It takes minutes for bots to start using your AWS account to mine crypto. Many startups have been greatly affected by this, some even needing to close.
Over 28 million secrets like API keys found in GitHub repositories in 2025, 34% more than in 2024. And even if you're doing everything right to store them, they can still end up in places where end-users can find them.
It's probably a good idea to scan your code for secrets before going live. You can do so for free locally with Trestle.
yeah appreciate the idea of checking vibecoded products for security leaks and hardcoded keys, but literally what stops a possible user from just using Claude to audit and check the backend, and just tell it to replace any keys and put them in an .env and add to .gitignore? like it’s a pretty straight-forward process that could be done by raising awareness towards vibecoders, not a 40$ pro plan
You're right, that would be ideal in a vibecoded application, but this is not currently happening and millions of secrets do end up in production, more and more each year. Secret scanning can go a long way to prevent that. The app doesn't even have to be vibecoded, mistakes happen in traditional apps too, especially secrets that leak to the frontend when using isomorphic frameworks like Next.js or SvelteKit.
The scanner is free and open source. The Pro plan adds explanations for each found secret, instructing the AI or human what to do to fix it, plus variable tracking to help prevent secrets leaking to the frontend. Everything else is part of the free version. Pro costs $14/month.