00 / Public repo scanner

Find exposed API keys before they become incidents.

Paste a public GitHub repo and VaultProof checks current files, recent history, risky config, and security hygiene in the same restrained system as the main dashboard.

01
secrets

Detect API keys across LLM, cloud, payment, email, database, and observability providers.

02
history

Search recent commits so leaked values do not hide in old snapshots.

03
hygiene

Flag risky files, weak patterns, and missing project guardrails.

free / no login

Scans up to 500 files and 50 commits of history.

~/scan.public
> fetch repo tree: ready
> match provider patterns: auto
> review recent history: 50

A quick public pass across secrets, risky files, code smells, and repo hygiene.

keys

Leaked API keys

Current files and history are checked for common production tokens.

  • OpenAI, Anthropic, Google AI
  • AWS, Google Cloud
  • Stripe, SendGrid, Resend
  • GitHub, npm, Slack, Datadog
  • Supabase, MongoDB, Neon

files

Risky commits

Sensitive project files are called out even when values are not parsed as provider keys.

  • .env files
  • Private keys and pem files
  • Cloud credential folders
  • Service account JSON
  • Database dumps and backups

code

Code smells

The scanner looks for high-signal patterns that often deserve a second review.

  • eval and Function constructors
  • Unsafe HTML writes
  • Weak crypto choices
  • CORS wildcards
  • SQL string concatenation

repo

Hygiene checks

Basic repository guardrails are checked alongside the secret scan.

  • .gitignore
  • LICENSE
  • SECURITY.md
  • README.md