If you need to scan my app for exposed secrets, start in four places: source files, commit history, built client assets, and deployment logs. That catches most real leaks before launch. A good review does more than pattern matching. It checks whether a value is public, still active, reachable from the browser, or preserved in Git after the file was deleted.
Start with these four checks
Most secret leaks come from a small set of review gaps. Check these first, in this order, before you spend time on edge cases.
- Working tree scan - search source, config, seed data, scripts, and copied examples for keys, tokens, and private certificates.
- Git history - inspect old commits for removed
.envfiles, pasted credentials, and temporary test values. - Built frontend assets - review compiled JavaScript, source maps, and public config for anything readable in the browser.
- Deployment logs - check build output, error traces, and debug prints for secrets that were never meant to leave the server.
This matters because leaks rarely stay in one place. A token can begin in a setup script, appear in a commit, then reappear in a bundle because a public variable name exposed it during build. By the time the app is live, attackers only need one readable copy.
Where secrets usually leak?
The repeat offenders are ordinary mistakes. A variable meant for the server is marked public, a sample credential survives from testing, or a failed deploy prints a secret in plain text. In AI-assisted projects, copied snippets often create public bundle exposure without anyone noticing.
Common cases include a hardcoded service key in browser code, a temporary test token committed during setup, or a deleted .env file that still exists in Git history. Another common pattern is a secret embedded in generated files that nobody reviews because only src was scanned.
If you want examples of these failure patterns, review these related guides on common security mistakes and this API leak scanner guide. They show how small configuration choices turn into public exposure.
Run a focused secret scan
A useful secret scan is narrow and concrete. You are not trying to prove the whole app is secure. You are trying to find credentials that can be copied, replayed, or abused right now.
- Search current files, including hidden files, generated output, and copied docs.
- Search commit history for deleted secrets and replaced values.
- Inspect the built app, especially files served to the browser.
- scan generated files like
.next,dist,build, uploaded bundles, and source maps. - validate live secrets before triage. A dead token is cleanup work, but a live one is an incident.
Use a quick command pass before manual review:
set -e
folders='src app pages api lib .next dist build'
rg -n --hidden -S '(api[_-]?key|secret|token|passwd|BEGIN PRIVATE KEY|AKIA[0-9A-Z]{16})' $folders
git log -p --all -- .env .env.* config* secrets* | \
rg -n '(sk_live_|service_role|webhook|token|secret)'
find .next dist build -type f 2>/dev/null | \
xargs rg -n '(NEXT_PUBLIC_|service_role|BEGIN PRIVATE KEY|sk_live_)'Pattern matching is only the first pass. After that, open the exact file, confirm whether the value reaches the client, and test whether the credential is still valid. A value in a private server file is different from the same value inside a public response, compiled asset, or preview deployment.
If you want this check folded into a broader release review, pair it with an AI app security audit so leaked credentials are checked alongside auth, storage, and deployment issues.
Fix leaks the right way
When a secret is exposed, rotate first. Assume it was copied. Replacing code without invalidating the credential leaves the real risk in place.
A deleted file is not a fix if the value remains in commit history, build artifacts, logs, or public bundles. Remove the exposed path, purge public artifacts, redeploy, and confirm the old credential no longer works.
After rotation, move the value to server-only configuration, reduce scope and expiry, and trim permissions to least privilege. If the browser needed direct access, that architecture is usually the problem. Replace it with a server proxy, signed requests, or short-lived tokens issued for one narrow action.
Also check blast radius. Ask which systems used the leaked value, which logs recorded it, whether it had write access, and whether downstream services trusted it. That determines whether you only need a key rotation or a wider incident response.
Prelaunch checklist that matters
Use this checklist right before release:
- Scan repository files, hidden files, and generated output.
- Review Git history for deleted
.envand config leaks. - Open built client assets and source maps.
- Review deployment logs, preview builds, and error traces.
- Rotate any live credential before shipping the fix.
- Rebuild, redeploy, and rescan the production response.
A good final check is to inspect what an unauthenticated visitor can fetch. If a secret, service key, or internal token can be recovered from public assets, the app is not ready to launch.
A secret leak is usually small in code and large in impact. Good scanning is fast: search current files, search history, inspect what the browser gets, then rotate anything real. Do that before launch and after every major deploy, especially when code was generated or heavily refactored.
Faq
Can a removed secret still be exposed?
Yes. If it was committed once, it can remain in Git history, build caches, preview deployments, logs, or source maps. Treat a removed key as exposed until you rotate it, purge public artifacts, and confirm the old value no longer works.
Should i rely on environment variables alone?
No. Environment variables protect server-side config, but they do not fix a secret already shipped to the browser, printed in logs, or committed to history. They also do not stop overbroad permissions. Use server-only storage, limited scopes, and a rescan after deployment.
How often should i run a secret scan?
Run one before every launch, after major dependency or prompt-driven refactors, and whenever someone changes auth, payments, storage, or webhooks. For active apps, add scanning to CI and repeat it on built assets and production responses, not just source code.
If you want a fast second pass before release, AISHIPSAFE can start with a security scan, then go deeper with deep scan when the app handles real user data.