As developers, we’ve all been there—pushing code in a rush, only to realize moments later that we’ve accidentally committed sensitive information. Maybe it’s an API key, a database password, or a token that should have stayed private. The fallout can range from mild embarrassment to a full-blown security breach.
This exact scenario happened to me. That one careless push led to hours of damage control: revoking keys, updating configurations, and patching vulnerabilities. It was frustrating, but more than that, it got me thinking: Why are we relying on post-commit tools to catch these mistakes? Why not prevent them before they even hit Git?
That’s when I decided to build SecretStack, a Visual Studio Code extension designed to solve this problem at its root.
The Problem: Secrets in Code
Exposing sensitive information in your code is a common yet costly mistake. While there are great tools like git-secrets and truffleHog that scan repositories for secrets, they often operate after the fact. By the time they flag something, the damage might already be done:
- The secret is in your commit history.
- It could be cached in forks or clones.
- Revoking and rotating keys becomes an urgent task.
In short, these tools are reactive, not proactive.
The Solution: SecretStack
SecretStack takes a different approach. It integrates directly into your coding workflow, scanning your files before you commit. The goal is simple: to help you catch exposed secrets early, so they never make it into your repository in the first place.
What Makes SecretStack Unique?
Here’s what SecretStack brings to the table:
1. Manual Scan Control
You’re in charge. With a single click on the Find Exposed Secrets button in the VSCode status bar, you can scan your entire workspace or specific folders. No automatic scans interrupting your workflow—just actionable insights when you need them.
2. Custom Pattern Detection
Every project is different, and so are the secrets it might contain. SecretStack lets you define custom regex patterns to detect specific types of secrets, like API keys, tokens, or internal credentials.
For example, you can add patterns like this to your settings:
"secret-stack.customPatterns": [
  {
    "name": "AWS Access Key",
    "regex": "AKIA[0-9A-Z]{16}",
    "severity": "High"
  },
  {
    "name": "GitHub Token",
    "regex": "ghp_[A-Za-z0-9_]{36}",
    "severity": "Medium"
  }
]
3. Real-Time Feedback
SecretStack provides instant, time-stamped updates during scans. You’ll know how many files were scanned and whether any secrets were detected, all without leaving your editor.
4. Comprehensive Logs and Reports
After every scan, SecretStack generates:
- A detailed log in .secret-stack-result.log, showing which files were scanned and what was detected.
- A visual HTML report in .secret-stack-report.html, summarizing detected secrets, their severity, and file locations.
By default, these files are added to .gitignore to prevent accidental commits.
5. Pre-Commit Scan Reminder
Ever forget to run a scan before committing? SecretStack has your back with a gentle nudge to run a quick scan before pushing your code.
6. Handling False Positives
Not every flagged item is a real secret. For example, test keys or mock data might trigger a false positive. SecretStack makes it easy to dismiss these by clicking Ignore in the results view. This keeps your logs clean and focused on real risks.
How to Get Started with SecretStack
1. Install the Extension
Search for SecretStack in the VSCode Extensions Marketplace and click Install. Alternatively, download the .vsix file from the GitHub repository and install it manually.
2. Run Your First Scan
Once installed, click the Find Exposed Secrets button in the status bar. Choose to scan:
- The entire workspace.
- A specific folder within your project.
3. Review and Resolve
The results view will highlight detected secrets, showing the file path and line number. You can:
- Click on a result to jump directly to the offending line.
- Mark false positives as ignored.
- Fix the exposed secrets before continuing.
4. Customize for Your Needs
Tailor SecretStack to your project by adding custom patterns or excluding irrelevant files (e.g., node_modules, .git).
"secret-stack.excludeFiles": [
  "**/node_modules",
  "**/dist",
  "**/*.min.js",
  "**/package-lock.json",
  ".git",
  ".vscode",
  ".secret-stack"
]
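To make the custom-pattern, exclude and Ignore mechanics concrete, here is an added example (not SecretStack's own code) of a minimal scanner that consumes the two settings shown above. It assumes simplified glob semantics ("**/" matches any directory prefix, "*" stays within one path segment) and an invented "file:line:pattern" key for dismissed findings; the sample file contents are constructed inline with fake key-shaped strings.

```javascript
// Added example, not SecretStack's own code: a minimal scanner in the spirit of
// the extension, reusing the settings shapes shown in the post.
const settings = {
  "secret-stack.customPatterns": [
    { name: "AWS Access Key", regex: "AKIA[0-9A-Z]{16}", severity: "High" },
    { name: "GitHub Token", regex: "ghp_[A-Za-z0-9_]{36}", severity: "Medium" },
  ],
  "secret-stack.excludeFiles": ["**/node_modules", "**/dist", "**/*.min.js", ".git"],
};
// Turn an exclude glob into an anchored RegExp over a workspace-relative path.
// Assumed simplified semantics: "**/" is any directory prefix, "*" stays in one segment.
function globToRegExp(glob) {
  let re = "";
  for (let i = 0; i < glob.length; i++) {
    if (glob.startsWith("**/", i)) { re += "(?:.*/)?"; i += 2; }
    else if (glob.startsWith("**", i)) { re += ".*"; i += 1; }
    else if (glob[i] === "*") re += "[^/]*";
    else re += glob[i].replace(/[.+^${}()|[\]\\?]/, "\\$&"); // escape metacharacters
  }
  return new RegExp(`^${re}(?:/|$)`);
}
function isExcluded(relPath, excludes) {
  return excludes.some((g) => globToRegExp(g).test(relPath));
}
// Scan {relativePath: contents}; one finding per line per pattern, as
// {file, line, name, severity}. Keys in `ignored` ("file:line:pattern", an
// assumed scheme) model a finding dismissed with the Ignore button.
function scanFiles(files, cfg, ignored = new Set()) {
  const patterns = cfg["secret-stack.customPatterns"].map((p) => ({ ...p, re: new RegExp(p.regex) }));
  const findings = [];
  for (const [file, text] of Object.entries(files)) {
    if (isExcluded(file, cfg["secret-stack.excludeFiles"])) continue;
    text.split("\n").forEach((lineText, i) => {
      for (const p of patterns) {
        if (!p.re.test(lineText) || ignored.has(`${file}:${i + 1}:${p.name}`)) continue;
        findings.push({ file, line: i + 1, name: p.name, severity: p.severity });
      }
    });
  }
  return findings;
}
// Constructed sample workspace; the key-shaped strings are fake test values.
const sampleFiles = {
  "src/config.js": 'const key = "AKIAABCDEFGHIJKLMNOP";\nconst token = "ghp_' + "x".repeat(36) + '";\n',
  "node_modules/lib/index.js": 'const key = "AKIAABCDEFGHIJKLMNOP";\n', // dropped by exclude glob
  "test/fixtures.js": 'const mock = "AKIAABCDEFGHIJKLMNOP"; // mock key\n',
};
const ignored = new Set(["test/fixtures.js:1:AWS Access Key"]); // user clicked Ignore on this hit
function runDemo() { return scanFiles(sampleFiles, settings, ignored); }
```

Running runDemo() yields two findings, both in src/config.js: the excluded node_modules copy is never scanned and the mock key in test/fixtures.js stays dismissed.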
Why SecretStack?
This isn’t just a tool—it’s a philosophy. SecretStack encourages developers to adopt a proactive mindset about security. By catching mistakes early, you:
- Protect sensitive information from exposure.
- Save time and effort spent on post-commit fixes.
- Build better coding habits that prioritize security.
Let’s Build a Safer Workflow Together
I created SecretStack because I saw a gap—a need for better pre-commit secret detection. But no tool is perfect, and I believe the best ideas come from collaboration.
If this extension resonates with you, give it a try. Open issues, suggest features, or contribute directly to the code. Let’s make coding safer for everyone.
Check it out on GitHub: SecretStack
Your feedback and contributions could shape the future of SecretStack. Let’s catch those secrets before they catch us.