Every developer has been there. You’re pushing code at 2 AM, eyes half-shut, and without realizing it — that API key you hardcoded “just for testing” is now sitting in your public GitHub repo. And just like that, it’s out there.

Leaked secrets are one of the **biggest sources of breaches today**. From AWS keys to database credentials, once they hit the public GitHub firehose, attackers with automated scanners pick them up within minutes.

That’s where **EnvScanner 2.0** comes in.

## The Idea Behind EnvScanner 2.0

When I looked at existing secret scanners, I saw two problems:

- **False positives everywhere.** Regex-only scanners scream about anything that *looks* like a key (even harmless fake values).
- **Performance issues.** Many scanners are too heavy for small servers or can’t keep up with real-time GitHub events.

So I set out to build a **proof-of-concept DevSecOps tool** that could:

- Ingest **real-time GitHub events**
- Detect possible secrets intelligently
- Validate them with **AI (Google Gemini)** to minimize false alarms
- Run efficiently, even on low-resource machines

The result: **EnvScanner 2.0** | https://envscanner.vercel.app

## How It Works (Architecture)

EnvScanner 2.0 follows a **multi-stage pipeline**:

1. **Event Ingestion** → Continuously polls the public GitHub `/events` API.
2. **Memory-Efficient Queuing** → Transforms heavy GitHub events into lightweight objects stored in a capped in-memory queue (so it won’t blow up RAM).
3. **File Filtering & Fetching** → Ignores non-source files (images, binaries, docs).
4. **Secret Detection** → Uses regex + entropy analysis + keyword matching + **negative lookaheads** to avoid obvious junk.
5. **AI Validation** → Potential secrets go to the **Gemini API**, which looks at the context and discards fake/local/test credentials.
6. **Storage & Display** → Validated secrets are stored in MongoDB and shown on a live React dashboard via WebSockets.
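To make the detection stage concrete, here is an added example (my code, not EnvScanner's) of the regex + entropy + keyword + negative-lookahead combination described in step 4, written as a stand-alone Node.js module. The two rules, the 3.5 bits/char entropy threshold and the sample config file are assumptions constructed for this example; the Gemini validation step that follows in the real pipeline is not included because it needs network access.

```javascript
// Added example, not EnvScanner's own code: the "Secret Detection" stage of the
// pipeline above (regex + entropy + keyword matching + negative lookaheads) as a
// stand-alone Node.js module. The rules, the 3.5 bits/char entropy threshold
// and the sample file are assumptions constructed for this example; the Gemini
// validation stage that follows it in the real pipeline is not included here.

// Shannon entropy in bits per character: random-looking tokens score high,
// repeated or dictionary-like values score low.
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const c of counts.values()) {
    const p = c / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

const RULES = [
  {
    name: "aws-access-key-id",
    // "AKIA" + 16 uppercase letters/digits. The negative lookahead drops the
    // placeholder key that appears throughout the AWS documentation.
    re: /\bAKIA(?!IOSFODNN7EXAMPLE\b)[0-9A-Z]{16}\b/g,
    minEntropy: 0, // the fixed format is evidence enough on its own
  },
  {
    name: "keyword-assignment",
    // A secret-ish keyword (api_key, secret, token, password), an = or :, then a
    // value of 16+ token characters. The negative lookahead rejects values that
    // contain an obvious placeholder word before the value is even captured.
    re: /(?:api[_-]?key|secret|token|password|passwd)\w*\s*[:=]\s*["']?(?![^"'\s]*(?:example|placeholder|xxxx|changeme|your[_-]|dummy))([A-Za-z0-9_\-\/+=]{16,})/gi,
    minEntropy: 3.5, // below this the value is probably filler, not a credential
  },
];

// Scan one file's text line by line and return candidate findings.
function scanContent(path, content) {
  const findings = [];
  content.split(/\r?\n/).forEach((line, idx) => {
    for (const rule of RULES) {
      rule.re.lastIndex = 0; // the /g regexes are shared, so reset per line
      let m;
      while ((m = rule.re.exec(line)) !== null) {
        const value = m[1] ?? m[0]; // capture group if the rule has one
        const entropy = shannonEntropy(value);
        if (entropy < rule.minEntropy) continue; // low entropy: skip as filler
        findings.push({ path, line: idx + 1, rule: rule.name, value, entropy: Number(entropy.toFixed(2)) });
      }
    }
  });
  return findings;
}

// Constructed sample file: only two values should survive, the rest are noise.
const SAMPLE_FILE = [
  "# constructed sample config for this example, not a real file",
  'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"',          // AWS docs placeholder
  'AWS_ACCESS_KEY_ID = "AKIA3T7Q9ZB2XKCM8V4D"',          // constructed, live-looking
  'API_KEY = "your_api_key_here"',                       // placeholder wording
  'DB_PASSWORD = "aaaaaaaaaaaaaaaaaaaaaaaa"',            // zero entropy
  'SERVICE_TOKEN = "9fK2pQ7xL4mV8bN1cR6sT3wY5zA0uE2h"', // constructed, live-looking
  'SECRET_TOKEN = "dummy-secret-for-unit-tests"',       // "dummy" trips the lookahead
].join("\n");

console.log(scanContent("config.py", SAMPLE_FILE));
```

Run it with `node` and only lines 3 and 6 of the sample come back. The entropy threshold is the knob that trades misses for noise: a real but human-chosen password can fall below 3.5 bits/char and be skipped, which is one reason the page's pipeline sends candidates on to a context-aware validation step rather than trusting the regex stage alone.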
## 💻 Tech Stack

| Area | Tech |
| --- | --- |
| Backend | Node.js, Fastify, TypeScript, Mongoose, WebSockets |
| Frontend | React, Vite, Tailwind, GSAP, Material-UI |
| Database | MongoDB |
| AI | Google Gemini API |
| Deployment | PM2, Cloudflare Tunnels |

## Performance Optimizations

I wanted this to run even on a **512MB server**. Here’s how:

- **Concurrency Limiting** with `p-limit` → prevents CPU/memory spikes.
- **Aggressive Timeouts** → no getting stuck on slow file fetches.
- **Memory-Efficient Queuing** → lightweight event objects only.
- **Blacklist Filtering** → skips “junk” files like images and binaries.
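The four optimizations above, plus the lightweight-event and file-filtering steps from the architecture section, fit together in one small worker. The following is an added example (my code, not EnvScanner's) that runs offline: the queue cap, concurrency limit, timeout value, extension blacklist and the sample events and files are assumptions constructed for the example, and `createLimiter` is a stand-in written here rather than the `p-limit` package the project uses.

```javascript
// Added example, not EnvScanner's own code: capped queue, concurrency limit,
// timeout and blacklist from the sections above as one offline Node.js worker.
// The cap, limit and timeout values, the extension list and the sample
// events/files are constructed assumptions; createLimiter stands in for p-limit.

const MAX_QUEUE = 1000;      // assumption: events kept in memory at most
const FETCH_CONCURRENCY = 4; // assumption: parallel file fetches
const FETCH_TIMEOUT_MS = 50; // assumption: abandon a fetch after this long

// Extensions that never hold source code worth scanning (assumed list).
const BLACKLISTED_EXT = new Set(["png", "jpg", "gif", "svg", "ico", "pdf", "zip", "gz", "exe", "dll", "so", "woff", "woff2", "md", "lock"]);

function isScannable(path) {
  const dot = path.lastIndexOf(".");
  return !BLACKLISTED_EXT.has(dot === -1 ? "" : path.slice(dot + 1).toLowerCase());
}

// Keep only what the scanner needs from a PushEvent; actor, org and full commit
// objects are dropped before the event is queued.
function toLightEvent(ev) {
  if (ev.type !== "PushEvent") return null;
  return { id: ev.id, repo: ev.repo.name, shas: ev.payload.commits.map((c) => c.sha) };
}

// Bounded FIFO: when full, the oldest event is discarded so RAM stays flat.
class CappedQueue {
  constructor(cap) { this.cap = cap; this.items = []; this.dropped = 0; }
  push(item) {
    if (this.items.length >= this.cap) { this.items.shift(); this.dropped += 1; }
    this.items.push(item);
  }
  shift() { return this.items.shift(); }
  get size() { return this.items.length; }
}

// Minimal stand-in for p-limit: at most n tasks run at once, the rest wait.
function createLimiter(n) {
  let active = 0;
  const waiting = [];
  const release = () => { active -= 1; if (waiting.length) waiting.shift()(); };
  return (fn) => new Promise((resolve, reject) => {
    const run = () => {
      active += 1;
      Promise.resolve().then(fn).then(resolve, reject).finally(release);
    };
    if (active < n) run(); else waiting.push(run);
  });
}

// Reject if the promise has not settled within ms; the slow work is abandoned.
function withTimeout(promise, ms) {
  let timer;
  const deadline = new Promise((_, reject) => {
    timer = setTimeout(() => reject(new Error(`timeout after ${ms}ms`)), ms);
  });
  return Promise.race([promise, deadline]).finally(() => clearTimeout(timer));
}

// Stand-in for fetching raw file content from GitHub (no network here).
function fakeFetchFile(path, delayMs) {
  return new Promise((resolve) => setTimeout(() => resolve(`<${path}>`), delayMs));
}

// Filter by extension, then fetch under the limit with a timeout per file.
async function scanFiles(files, limit) {
  const stats = { fetched: 0, timedOut: 0, skipped: 0, peak: 0 };
  let inFlight = 0;
  const jobs = [];
  for (const f of files) {
    if (!isScannable(f.path)) { stats.skipped += 1; continue; }
    jobs.push(limit(async () => {
      inFlight += 1;
      stats.peak = Math.max(stats.peak, inFlight); // how many ran at once
      await withTimeout(fakeFetchFile(f.path, f.delayMs), FETCH_TIMEOUT_MS)
        .then(() => { stats.fetched += 1; }, () => { stats.timedOut += 1; }); // move on, slot frees
      inFlight -= 1;
    }));
  }
  await Promise.all(jobs);
  return stats;
}

// Constructed sample input: two push events and one event the scanner ignores.
const RAW_EVENTS = [
  { id: "1", type: "PushEvent", repo: { name: "octo/app" }, actor: { login: "octo", avatar_url: "https://example.invalid/a.png" }, payload: { commits: [{ sha: "a1", message: "wip" }] } },
  { id: "2", type: "WatchEvent", repo: { name: "octo/app" }, payload: {} },
  { id: "3", type: "PushEvent", repo: { name: "octo/infra" }, payload: { commits: [{ sha: "b2" }, { sha: "c3" }] } },
];

// Constructed sample files: one is slower than the timeout, three are junk.
const SAMPLE_FILES = [
  { path: "src/config.ts", delayMs: 5 }, { path: "src/db.js", delayMs: 5 },
  { path: ".env", delayMs: 5 }, { path: "vendor/huge-bundle.js", delayMs: 200 },
  { path: "assets/logo.png", delayMs: 5 }, { path: "dist/release.zip", delayMs: 5 },
  { path: "docs/README.md", delayMs: 5 },
];

const queue = new CappedQueue(MAX_QUEUE);
for (const ev of RAW_EVENTS) { const light = toLightEvent(ev); if (light) queue.push(light); }
scanFiles(SAMPLE_FILES, createLimiter(FETCH_CONCURRENCY))
  .then((stats) => console.log({ queued: queue.size, ...stats }));
```

Two design points worth noting: when the queue is full this version drops the oldest event rather than refusing the newest, which keeps the scanner current with the live firehose at the cost of missing backlog, and a timed-out fetch releases its concurrency slot immediately even though the underlying request may still complete later, which is what keeps a slow file from stalling the whole worker.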
## The Frontend Dashboard

The React + WebSocket frontend shows:

- Live event stream
- Current scan activity
- API rate limit status
- Newly discovered + AI-validated secrets

It’s responsive, so you can monitor leaks in real-time from your laptop or phone.

## Why This Matters

This project isn’t meant to replace enterprise-grade tools like **GitGuardian** or **CloudSEK** (they’re doing amazing work in this space). Instead, **EnvScanner 2.0** is a **proof of concept** — showing how lightweight engineering + AI validation can make DevSecOps tools both smarter and more resource-friendly.

Secrets leaking on GitHub isn’t slowing down anytime soon. My hope is that experiments like this push the ecosystem toward **fewer false positives, more automation, and smarter validation**.

## Final Thoughts

EnvScanner 2.0 started as a late-night experiment and turned into a full-stack project that I’m genuinely proud of. If you’re curious about the project or want to collaborate on improving it — feel free to reach out. Always open to feedback from the security and dev communities.

Because at the end of the day, **keeping secrets safe is everyone’s responsibility**.