Simple CLI tool, one Python file, no setup. Point it at a repo and it
finds leaked API keys (OpenAI, Anthropic, AWS, GitHub, Stripe, etc.)
and gives you the direct link to revoke each one.
Built it because I kept generating code with AI assistants and worrying
about keys ending up in the wrong place. It's off-brand TruffleHog.
I believe another approach is to detect high-entropy strings rather than using a hard-coded list of prefixes. I’m curious about the rate of false positives, though: just because there’s - say - a hash or a GUID doesn’t mean it’s credentials. Combining both approaches would potentially work well.
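A sketch of the combined approach the comment describes, as an added example (not the tool from the post and not TruffleHog's code): pass one matches a few well-known key prefixes and reports those with high confidence; pass two runs Shannon entropy over every remaining long token, with a lower threshold for hex-only strings than for mixed alphabets, and then demotes tokens whose shape is a GUID or an MD5/SHA-1/SHA-256 digest, which is exactly the false-positive class the comment worries about. The prefix regexes, the thresholds, and the sample lines are assumptions constructed for this example; the AWS value is the placeholder key from AWS's own documentation, the SHA-1 is the digest of empty input, and the other values are made up.

```python
import math
import re
from dataclasses import dataclass
from typing import List

# Illustrative prefix patterns for a few well-known key formats (assumptions:
# vendors change lengths and prefixes, so keep this as data you can update).
PREFIX_PATTERNS = {
    "aws_access_key_id":  re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat":         re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "stripe_live_secret": re.compile(r"\bsk_live_[A-Za-z0-9]{24,}\b"),
}

# Any long token-shaped run of characters is an entropy candidate.
CANDIDATE = re.compile(r"[A-Za-z0-9_\-]{20,}")

# Shapes that score as high entropy but are almost never credentials.
GUID = re.compile(r"^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$")
HEX_DIGEST = re.compile(r"^(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$")  # md5 / sha1 / sha256

# Thresholds in bits per character (assumed values; tune for your code base).
# A hex string can never exceed 4 bits/char, so it needs a lower bar than a
# base64-like alphabet, where ordinary identifiers already reach 3.5-4 bits.
HEX_THRESHOLD = 3.0
TEXT_THRESHOLD = 4.5


def shannon_entropy(s: str) -> float:
    """Bits per character of the empirical character distribution of s."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


@dataclass
class Finding:
    line_no: int
    token: str
    reason: str
    confidence: str  # "high" (known prefix), "low" (entropy only), "suppressed"


def scan_text(text: str) -> List[Finding]:
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        seen = set()
        # Pass 1: known prefixes. Format alone is strong evidence, so no
        # entropy check is applied (the AWS placeholder below would in fact
        # fall under the text threshold and be missed by entropy alone).
        for name, pat in PREFIX_PATTERNS.items():
            for m in pat.finditer(line):
                seen.add(m.group())
                findings.append(Finding(line_no, m.group(), f"prefix:{name}", "high"))
        # Pass 2: entropy over the remaining token-shaped strings.
        for m in CANDIDATE.finditer(line):
            tok = m.group()
            if tok in seen:
                continue
            is_hex = re.fullmatch(r"[0-9a-fA-F\-]+", tok) is not None
            ent = shannon_entropy(tok)
            if ent < (HEX_THRESHOLD if is_hex else TEXT_THRESHOLD):
                continue
            if GUID.match(tok) or HEX_DIGEST.match(tok):
                findings.append(Finding(line_no, tok, f"entropy={ent:.2f} but GUID/hash shape", "suppressed"))
            else:
                findings.append(Finding(line_no, tok, f"entropy={ent:.2f}", "low"))
    return findings


# Constructed sample "repository" content; none of these are live credentials.
SAMPLE = """\
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
GITHUB_TOKEN = "ghp_0123456789abcdefghijklmnopqrstuvwxyz"
VENDOR_SECRET = "q7Zk3mP9xL2vR8tB5nW1yH4cF6jD0sAe"
DEFAULT_CONFIGURATION_PATH = "/etc/app/config.yaml"
request_id = "3f2504e0-4f89-11d3-9a0c-0305e82c3301"
# sha1 of empty input: da39a3ee5e6b4b0d3255bfef95601890afd80709
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        print(f"line {f.line_no}: [{f.confidence}] {f.token}  ({f.reason})")
```

Run against the sample, the two prefixed keys come out as high-confidence hits, the random-looking vendor value is reported as a low-confidence entropy hit for a human to triage, the GUID and the SHA-1 are listed as suppressed so the decision is auditable rather than silent, and the long but ordinary identifier on line 4 never reaches the report because its entropy stays under the text threshold.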