Security · June 4, 2026 · 6 min read

How to Find Hardcoded API Keys in Your GitHub Repo

A single leaked key can cost thousands or breach your users. Here's how to find hardcoded secrets in your repository, rotate them safely, and make sure it never happens again.

TL;DR

Scan your repo for secrets, rotate any exposed key immediately, move secrets to environment variables, and add a CI gate. Run a free secret scan.

Why hardcoded secrets are so dangerous

Once a secret is committed, it lives in your git history forever — even if you delete it in a later commit. If the repo is public (or ever becomes public), bots scrape it within minutes. Leaked keys lead to cloud-bill fraud, data theft, and account takeover. It maps to OWASP A02: Cryptographic Failures.

What a leak looks like

// ❌ Secret committed to source control
const stripe = new Stripe('sk_live_51H8x...Q7r8')
const db = 'postgres://admin:S3cr3t@db.prod:5432/app'

Common offenders: AWS keys, Stripe keys, database URLs, JWT secrets, GitHub tokens, and private keys (.pem).

How to find them

1. Scan the codebase

Use a secret scanner that checks every file (not just changed lines) against known key formats and high-entropy strings. SwarmFlow's Secret Scanner is deterministic — high recall on known formats, near-zero false positives in our benchmark.

2. Search git history

A secret removed in a recent commit is still in history. Tools like git-secrets or trufflehog scan past commits; assume anything ever committed is compromised.

3. Check config & env files

Look in .env, config.json, docker-compose.yml, CI YAML, and .claude/ — secrets hide outside source files too.
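The three steps above boil down to two checks a scanner combines: match file contents against known key formats, and fall back to flagging long, high-entropy string literals for formats the rule set does not know. The block below is an added example (not SwarmFlow's scanner, nor code from this post) that implements both over a constructed file snippet; the rule names, thresholds and sample values are assumptions.

```javascript
// Added example, not SwarmFlow's scanner: known key formats plus a Shannon-entropy
// fallback, the two checks a CI secret gate combines. Names/thresholds are assumptions.
const KNOWN_PATTERNS = [
  { name: 'stripe-live-key', re: /\bsk_live_[0-9A-Za-z]{16,}\b/g },
  { name: 'aws-access-key-id', re: /\bAKIA[0-9A-Z]{16}\b/g },
  { name: 'github-token', re: /\bghp_[0-9A-Za-z]{36}\b/g },
  { name: 'db-url-with-password', re: /\b[a-z]+:\/\/[^:\s/]+:[^@\s/]+@[^\s'"]+/g },
  { name: 'private-key-block', re: /-----BEGIN (?:RSA |EC )?PRIVATE KEY-----/g },
];

// Shannon entropy in bits per character: a 32-char token of distinct chars scores 5.0.
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) { const p = n / s.length; h -= p * Math.log2(p); }
  return h;
}
// Keep a short prefix only, so the finding itself does not re-leak the secret.
function redact(s) { return s.slice(0, 6) + '...' + '*'.repeat(Math.max(0, s.length - 6)); }

// Returns [{ line, rule, match }] for every hit in the given file text.
function scanText(text, { entropyThreshold = 4.0, minLength = 20 } = {}) {
  const findings = [];
  text.split('\n').forEach((line, i) => {
    for (const { name, re } of KNOWN_PATTERNS) {
      for (const m of line.matchAll(re)) findings.push({ line: i + 1, rule: name, match: redact(m[0]) });
    }
    // Fallback for unknown formats: a long, random-looking string literal on a line
    // that no known-format rule already flagged.
    for (const m of line.matchAll(/['"]([A-Za-z0-9+/=_-]{20,})['"]/g)) {
      const tok = m[1];
      if (tok.length >= minLength && shannonEntropy(tok) >= entropyThreshold &&
          !findings.some(f => f.line === i + 1)) {
        findings.push({ line: i + 1, rule: 'high-entropy-string', match: redact(tok) });
      }
    }
  });
  return findings;
}
// Constructed sample file (no real credentials): two leaks in known formats,
// one unknown-format token, one harmless string, one correct env-var load.
const SAMPLE = [
  "const stripe = new Stripe('sk_live_51H8xABCDEFGHIJKLMNOPQRSTUVWXYZ')",
  "const db = 'postgres://admin:S3cr3t@db.prod:5432/app'",
  "const token = 'aB3dE6fG9hJ2kL5mN8pQ1rS4tU7vW0xY'",
  "const greeting = 'hello world this is fine'",
  "const stripe2 = new Stripe(process.env.STRIPE_SECRET_KEY)",
].join('\n');
console.table(scanText(SAMPLE)); // 3 findings: lines 1, 2 and 3
```

Run it against each blob in `git rev-list --all | xargs git cat-file` style enumeration, not just the working tree, to cover step 2.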


How to fix a leak (in order)

  1. Rotate first. Revoke and regenerate the exposed key at the provider. Removing it from code is not enough — assume it's already stolen.
  2. Move to environment variables. Load secrets from process.env and add .env to .gitignore.
  3. Purge history if needed. For highly sensitive keys, scrub git history (e.g. git filter-repo) — but rotation is what actually protects you.
  4. Add a CI gate. Block future leaks before merge.

// ✅ Load from environment, never commit .env
const Stripe = require('stripe')
// Fail fast at startup if the variable is missing, instead of handing undefined to the SDK
if (!process.env.STRIPE_SECRET_KEY) throw new Error('STRIPE_SECRET_KEY is not set')
const stripe = new Stripe(process.env.STRIPE_SECRET_KEY)
const db = process.env.DATABASE_URL

Prevent future leaks

Add the SwarmFlow GitHub Action so every push and pull request is scanned — the build fails if a new secret is introduced, stopping leaks before they reach main.
