[connectsnk]

Are there any open source tools that scans the code and detects such gaffes

[UltraMagnus]

Not open source, but I have used this before, and they have a very generous free tier: https://www.gitguardian.com/monitor-internal-repositories-fo...

You install their Github app and give them access to your Github repo (private repos are ok too) and they run a Github workflow when each PR is submitted scanning for secrets that should not be in the code. Really happy with how their product works.

[unsungNovelty]

If you weren't aware of it... There is a world of static application security tools (SAST) which can help you. Add them to your text editor/ci/cd to use them.

https://owasp.org/www-community/Source_Code_Analysis_Tools

[EatonZ]

TruffleHog: https://trufflesecurity.com/trufflehog

I worked for them a little bit and their product is really impressive and works great.

[heretoread9000]

trufflehog is a good starting point, then bake in your own simple regex into your github actions or equivalent and make it part of your test suite

[vivzkestrel]

stupid question, can we not make a regex for searching API keys for particular APIs and do a brute force scan across the internet

[richbell]

There are a number of products and open source tools that do this. Look up "secret scanning".