By Aditya Bhatt | API Security | Python CLI | Secrets Detection
API key leaks are one of the most overlooked yet devastating vulnerabilities in today’s codebases. From AWS credentials accidentally pushed to GitHub to .env files exposing secrets in public repositories — these slips can lead to full account compromise, service misuse, and financial damage.
That’s why I built KeySentry, a CLI tool designed to hunt down leaked API keys and sensitive files — both in public GitHub repositories and local projects — before malicious actors get to them.
KeySentry is an open-source, lightweight yet powerful scanner that lets you quickly detect leaked secrets in codebases. Inspired by platforms like UnsecuredAPIKeys.com, KeySentry gives you full control: it runs fast, locally, and privately, so the code you scan never leaves your machine.
- 🧠 Regex + entropy-inspired key matching
- 🗂️ Flags sensitive files (.env, credentials.json, id_rsa, etc.)
- 💾 Outputs to structured JSON logs
- 📁 Works with GitHub URLs or local folders
- 🧩 No GitHub API tokens required
KeySentry can be cloned from my GitHub.
When you run KeySentry, it performs the following steps:
- Input Selection: You provide either a GitHub repo (--repo) or a local directory (--local).
- Cloning (if repo): The target repo is cloned into a temporary directory.
- Scanning: Each file is read and searched for known patterns of secrets and filenames.
- Detection: Results are de-duplicated and stored in a JSON file.
- Logging: Each match is printed to the terminal with proper highlighting.
Under the hood, it uses a combination of:
- Carefully crafted regular expressions for 25+ key formats.
- Checks for sensitive filenames like .env, .aws/credentials, etc.
- A simple file-walker to traverse all project files.
✅ API Key Patterns
KeySentry is built to recognize leaks of:
- AWS Access Keys (AKIA…)
- Google API Keys
- Slack, Stripe, SendGrid, Twilio tokens
- OpenAI, Heroku, Mailgun, Firebase credentials
- GitHub PATs (Personal Access Tokens)
- DigitalOcean, Cloudflare, JWTs, Facebook tokens
- Azure, Dropbox, Notion, Netlify, Terraform Cloud, CircleCI, BasicAuth URLs
- RSA Private Keys and Base64-encoded blobs
🗃️ Sensitive Files
It also flags risky files like:
.env, .env.local, .aws/credentials, .dockercfg, credentials.json, firebase.json, id_rsa, .pypirc, .npmrc
These files should never be committed or publicly exposed. Add them to .gitignore, and if one has already been pushed, treat its contents as compromised and rotate them: deleting the file from the repository or rewriting history does not un-leak a secret that was already public.
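To make the pipeline above concrete (walk the tree, match key formats with regexes, apply an entropy check to generic-looking secrets, flag sensitive filenames, de-duplicate, and emit the same file/type/match JSON shape KeySentry writes), here is a small scanner written for this article. It is an added example, not KeySentry's own code: the handful of regexes, the 3.5 bits-per-character entropy threshold, the sensitive-file list and the build_sample_repo() fixture are this example's assumptions, the planted values are constructed, and AKIAIOSFODNN7EXAMPLE is the placeholder access key from the AWS documentation.

```python
import json
import math
import os
import re
import tempfile

# Regexes for a few well-known key formats. These are this example's own
# patterns, not KeySentry's list (the page says KeySentry ships 25+ of them).
KEY_PATTERNS = {
    "AWS Access Key ID": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "GitHub PAT": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "Google API Key": re.compile(r"\bAIza[0-9A-Za-z_\-]{35}\b"),
    "Slack Token": re.compile(r"\bxox[baprs]-[0-9A-Za-z\-]{10,}\b"),
    "Private Key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
}

# Generic assignments such as  api_key = "..."  have no fixed prefix to match,
# so the value is ranked by Shannon entropy instead ("entropy-inspired" matching).
GENERIC_ASSIGNMENT = re.compile(
    r"(?i)\b(api[_-]?key|secret|token|password)\b\s*[=:]\s*['\"]([A-Za-z0-9+/=_\-]{16,})['\"]"
)
ENTROPY_THRESHOLD = 3.5  # assumed cut-off in bits/char; placeholders like "changeme..." fall below it

# Assumed sensitive-file list for this example (a subset of what the article names).
SENSITIVE_FILENAMES = {
    ".env", ".env.local", ".dockercfg", "credentials.json", "firebase.json",
    "id_rsa", ".pypirc", ".npmrc",
}
SENSITIVE_PATH_SUFFIXES = (os.path.join(".aws", "credentials"),)


def shannon_entropy(s: str) -> float:
    """Shannon entropy of s in bits per character (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(text: str):
    """Return (type, match) pairs found in one file's contents."""
    hits = []
    for name, pattern in KEY_PATTERNS.items():
        for m in pattern.finditer(text):
            hits.append((name, m.group(0)))
    for m in GENERIC_ASSIGNMENT.finditer(text):
        value = m.group(2)
        if shannon_entropy(value) >= ENTROPY_THRESHOLD:
            hits.append(("High-entropy " + m.group(1).lower(), value))
    return hits


def is_sensitive_path(path: str) -> bool:
    """True if the file name (or trailing path) is on the sensitive-file list."""
    return os.path.basename(path) in SENSITIVE_FILENAMES or path.endswith(SENSITIVE_PATH_SUFFIXES)


def scan_directory(root: str, skip_dirs=(".git", "node_modules")):
    """Walk root and collect de-duplicated findings as file/type/match records."""
    seen = set()
    findings = []

    def add(file, type_, match):
        key = (file, type_, match)
        if key not in seen:          # the same secret repeated in a file is reported once
            seen.add(key)
            findings.append({"file": file, "type": type_, "match": match})

    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in skip_dirs]
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            if is_sensitive_path(path):
                add(path, "Sensitive File", os.path.relpath(path, root))
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    text = fh.read()
            except OSError:
                continue
            for type_, match in scan_text(text):
                add(path, type_, match)
    return findings


def build_sample_repo() -> str:
    """Constructed fixture: a throwaway project tree with planted leaks (not a real repo)."""
    root = tempfile.mkdtemp(prefix="keysentry_demo_")
    os.makedirs(os.path.join(root, "app"))
    os.makedirs(os.path.join(root, ".aws"))
    with open(os.path.join(root, "app", "settings.py"), "w") as fh:
        fh.write('AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n')  # AWS docs placeholder key
        fh.write('AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n')  # duplicate, de-duplicated
        fh.write('api_key = "changemechangeme0"\n')              # low entropy, ignored
        fh.write('secret = "q8Zx2LmV9pR4tK7wYb3N"\n')            # constructed high-entropy value
    with open(os.path.join(root, ".env"), "w") as fh:
        fh.write("DEBUG=true\n")
    with open(os.path.join(root, ".aws", "credentials"), "w") as fh:
        fh.write("[default]\n")
    return root


if __name__ == "__main__":
    print(json.dumps(scan_directory(build_sample_repo()), indent=2))
```

Running the block prints one AWS finding (the duplicate line is collapsed), one high-entropy "secret" assignment, and two Sensitive File records for .env and .aws/credentials, while the low-entropy "changemechangeme0" is skipped. Two practical caveats follow from it: a production scanner needs an allowlist for documented placeholder values such as AKIAIOSFODNN7EXAMPLE, and the entropy threshold trades false positives against misses, so tune it on your own codebase rather than trusting a fixed number.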
- 🧪 Audit before commit: Run scans before pushing code.
- 🔍 Harden your GitHub repos: Quickly scan public-facing projects.
- ⚠️ Prevention over reaction: Stop leaks before attackers find them.
- 👨💻 Built for red teams, bug hunters and developers.
Scan a GitHub Repository
python KeySentry.py --repo https://github.com/username/repo-name --output results.json
Scan a Local Directory
python KeySentry.py --local /path/to/codebase --output local_results.json
Help Command
python KeySentry.py -h
[Screenshots: GitHub Scan, Local Scan, Help Menu]
Sample JSON output (results.json):
[
{
"file": "/tmp/tmpabcd1234/app/settings.py",
"type": "AWS",
"match": "AKIAIOSFODNN7EXAMPLE"
},
{
"file": "/tmp/tmpabcd1234/.env",
"type": "Sensitive File",
"match": ".env"
}
]
Secrets get leaked more often than you'd think, and when they do, it's often too late. With KeySentry, you're empowered to find those slips fast, locally, and securely.
Stop key leaks before they cost you. Scan it with KeySentry.
This tool is for ethical security auditing only. Do not scan repositories you do not own or lack explicit permission to analyze.
Another tool released, another layer of defense added.
Secrets don’t leak on their own — they slip past distracted eyes and rushed commits.
KeySentry was built for one mission:
Catch them before they cost you.
Whether you’re scanning open-source repos or internal codebases, always remember — exposed keys are an attacker’s golden ticket.
This isn’t the end — just another checkpoint in your security journey.
— Aditya Bhatt
Cybersecurity Researcher | Bug Bounty Hunter | VAPT Specialist