Security in the AI Era
The AI coding boom has a dirty secret
LLMs generate code at unprecedented speed. But speed without guardrails means more secrets in more places, committed faster than ever before. GitHub reports millions of leaked secrets on public repos every year — and the AI-assisted era is accelerating that trend.
The Problem: .env Files Were Never Secure
Every developer knows the drill: copy .env.example, paste in real credentials, hope nobody commits them. It worked when teams were small and deploys were manual. But in the age of vibe coding — where AI assistants scaffold entire projects in minutes — the cracks are showing:
1. LLMs generate placeholder secrets that developers replace with real keys — often forgetting to gitignore the file.
2. .env files are plaintext on disk. Anyone with file access — including malicious dependencies — can read them.
3. No audit trail. When a key leaks, you can't tell who had access, when it changed, or which environments were affected.
4. Sharing via Slack/email. New team member? DM them the .env file. That secret now lives in two chat logs, three email threads, and a screenshot.
Catch It Before It Ships: secr scan
secr scan detects leaked secrets in your codebase using 20+ regex patterns for AWS, Stripe, GitHub, OpenAI, Anthropic, database URLs, and more. It runs locally — no network, no auth, zero configuration.
$ secr scan
✗ Found 3 potential secret(s)
src/config.ts
[HIGH] AWS Access Key ID L12:5
AKIA************MPLE
[HIGH] Stripe Live Secret Key L28:18
sk_l********************012m
.env.production
[HIGH] Database URL with Password L3:1
post********************5432
3 high, 0 medium, 0 low | 142 files scanned in 87ms
Tip: Run `secr guard install` to prevent committing secrets.
Never Commit Secrets Again: secr guard
One command installs a git pre-commit hook that scans staged files before every commit. If secrets are detected, the commit is blocked with a clear explanation.
$ secr guard install
✓ Pre-commit hook installed!
.git/hooks/pre-commit
$ git commit -m "add config"
✗ Found 1 potential secret(s)
[HIGH] OpenAI API Key L5:1
Commit aborted. Remove the secret and try again.
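To make the two mechanisms above concrete (a local regex scan with masked output, and a pre-commit hook that checks only staged files), here is an added example. It is not secr's own code: it assumes a four-pattern subset in place of secr's 20+ patterns, a constructed sample file with fake values, and a `--hook` flag that is our own convention for running it from `.git/hooks/pre-commit`. The report layout imitates the output shown above.

```python
"""Added example (not secr's own code): a small local secret scanner with a handful of
regex patterns, plus a pre-commit wrapper that scans only the files staged for commit.
Pattern set, sample inputs and the report layout are constructed for illustration."""
import re
import subprocess
import sys
from dataclasses import dataclass

# Assumed pattern set: four shapes in the spirit of the 20+ a tool like secr scan ships.
# Each regex captures the secret itself in group 1 so the report can mask it.
PATTERNS = [
    ("AWS Access Key ID", "HIGH", re.compile(r"\b(AKIA[0-9A-Z]{16})\b")),
    ("Stripe Live Secret Key", "HIGH", re.compile(r"\b(sk_live_[0-9a-zA-Z]{24,})\b")),
    ("OpenAI API Key", "HIGH", re.compile(r"\b(sk-[A-Za-z0-9]{32,})\b")),
    ("Database URL with Password", "HIGH",
     re.compile(r"\b((?:postgres(?:ql)?|mysql|mongodb)://[^\s:/]+:[^\s@]+@\S+)")),
]


@dataclass
class Finding:
    path: str
    line: int       # 1-based line number
    col: int        # 1-based column of the secret's first character
    kind: str
    severity: str
    masked: str     # never the raw value, so reports are safe to paste into a ticket


def mask(secret: str, keep: int = 4) -> str:
    """Keep only the first and last `keep` characters, e.g. AKIA************0000."""
    if len(secret) <= 2 * keep:
        return "*" * len(secret)
    return secret[:keep] + "*" * (len(secret) - 2 * keep) + secret[-keep:]


def scan_text(path: str, text: str) -> list:
    """Run every pattern over every line; returns findings in file order."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, severity, rx in PATTERNS:
            for m in rx.finditer(line):
                findings.append(Finding(path, lineno, m.start(1) + 1, kind, severity, mask(m.group(1))))
    return findings


def scan_files(paths) -> list:
    findings = []
    for p in paths:
        try:
            with open(p, encoding="utf-8", errors="ignore") as fh:
                findings.extend(scan_text(p, fh.read()))
        except OSError:        # deleted, unreadable, or a directory: skip, don't crash the hook
            continue
    return findings


def staged_files() -> list:
    """Paths staged for the current commit (added/copied/modified), as a pre-commit hook sees them."""
    out = subprocess.run(["git", "diff", "--cached", "--name-only", "--diff-filter=ACM"],
                         capture_output=True, text=True, check=True).stdout
    return [ln for ln in out.splitlines() if ln]


def report(findings) -> str:
    lines = [f"\u2717 Found {len(findings)} potential secret(s)"]
    by_path = {}
    for f in findings:
        by_path.setdefault(f.path, []).append(f)
    for path, items in by_path.items():
        lines.append(path)
        for f in items:
            lines.append(f"  [{f.severity}] {f.kind} L{f.line}:{f.col}")
            lines.append(f"    {f.masked}")
    return "\n".join(lines)


def precommit_main() -> int:
    """Exit status for the hook: non-zero blocks the commit."""
    findings = scan_files(staged_files())
    if not findings:
        return 0
    print(report(findings))
    print("Commit aborted. Remove the secret and try again.")
    return 1


# Constructed sample: fake values with the right shape, never real credentials.
SAMPLE = (
    "const awsKey = 'AKIAEXAMPLE000000000';\n"
    "stripe = 'sk_live_ABCDEFGHIJKLMNOPQRSTUVWX';\n"
    "DATABASE_URL=postgres://app:notarealpassword@db.example.internal:5432/app\n"
)

if __name__ == "__main__":
    if "--hook" in sys.argv:
        sys.exit(precommit_main())
    print(report(scan_text("sample.ts", SAMPLE)))
```

Run it without arguments to see the masked report for the constructed sample; to use it as a hook, save it as e.g. `scan_secrets.py` and have `.git/hooks/pre-commit` run `python3 scan_secrets.py --hook`. Scanning only the staged files keeps the hook fast, and masking in the report keeps the hook's own output from becoming a second copy of the secret in CI logs or screenshots.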
The Full Solution: Beyond Scanning
Scanning catches mistakes. secr prevents them entirely:
Encrypted at rest
Secrets are stored encrypted with AES-256-GCM. Project keys are managed by AWS KMS or a local provider.
Zero-disk injection
`secr run` injects secrets into your process environment without ever writing a .env file to disk.
Team sync
Invite your team with role-based access. Viewers can see dev, developers get staging, admins get production.
Full audit trail
Every read, write, and delete is logged with who, when, and from where. Meet compliance requirements.
Get started in 30 seconds
npm i -g @secr/cli
secr scan
secr guard install