Scans projects for secret exposure: leaked API keys, unprotected .env files, and secrets in logs.
Config is the same across clients — only the file and path differ.
{
"mcpServers": {
"secret-scanner": {
"args": [
"-y",
"env-secret-exposure-analyzer-mcp"
],
"command": "npx"
}
}
}Are you the author?
Add this badge to your README to show your security score and help users find safe servers.
Your AI agent is one debug session away from leaking your secrets.
No automated test available for this server. Check the GitHub README for setup instructions.
Five weighted categories — click any category to see the underlying evidence.
No known CVEs.
No package registry to scan.
Click any tool to inspect its schema.
Be the first to review
Have you used this server?
Share your experience — it helps other developers decide.
Sign in to write a review.
Others in other
Pi Coding Agent extension (CLI-first) — routes bash/read/grep/find/ls through lean-ctx CLI for strong token savings. Optional MCP bridge can register advanced tools.
Compress tool outputs, logs, files, and RAG chunks before they reach the LLM. 60-95% fewer tokens, same answers. Library, proxy, MCP server.
97% token reduction for AI coding sessions — zero deps, 21 languages, MCP server
Autonomous spec-to-product coding-agent CLI with an MCP server exposing 34 tools over stdio.
MCP Security Weekly
Get CVE alerts and security updates for io.github.vola-trebla/env-secret-exposure-analyzer-mcp and similar servers.
Start a conversation
Ask a question, share a tip, or report an issue.
Sign in to join the discussion.
Your AI agent is one debug session away from leaking your secrets.
MCP server that scans your project for secret exposure risks — hardcoded API keys, unprotected .env files, and console.log calls that print credentials at runtime. Before your agent accidentally reads them out loud.
You ask your AI agent to debug a config issue. It reads src/config.ts. Inside:
console.log('Config loaded:', JSON.stringify(config));
console.log(process.env.DATABASE_PASSWORD);
The agent now has your database password in its context. It might log it, include it in a summary, or pass it to another tool. And your .env isn't in .gitignore, so the next git push will do the rest.
None of this requires the agent to be malicious. It just needs to be helpful.
env-secret-exposure-analyzer-mcp catches this before it happens. 🔐
scan_for_secretsScans source files, config files, and .env files for 20+ secret patterns. Returns file path, line number, severity, and a masked preview — never the full value.
Detects:
ghp_, gho_, ghs_)whsec_)SG.xxx), Twilio auth token + account SIDGOCSPX-)xox*)-----BEGIN ... PRIVATE KEY-----)postgres://user:pass@host)Secret Scan Results
Project: /project
Files scanned: 24
Findings: 5
[CRITICAL] .env:3 — AWS Access Key
Preview: AKIA****MPLE
[CRITICAL] .env:7 — Database URL with password
Preview: post****sswd
[CRITICAL] src/auth.ts:12 — Hardcoded JWT secret
Preview: my-s****ecret
[HIGH] .env:14 — Hardcoded session secret
Preview: sess****key!
[MEDIUM] .env:28 — Sentry DSN
Preview: http****7890
check_gitignore_coverageChecks whether sensitive files (.env, .env.local, secrets.json, private keys, certificates) are covered by .gitignore. Flags files that could be accidentally committed.
Gitignore Coverage Check
Project: /project
✗ .env → Add to .gitignore: .env
✗ .env.local → Add to .gitignore: .env.local
✓ secrets.json
scan_for_log_leaksScans source files for console.log / logger calls that print process.env variables or objects with secret-sounding names at runtime. Catches the most common "it's just a debug line" mistakes.
Log Leak Scan
Project: /project
Files scanned: 18
Findings: 3
[CRITICAL] src/config.ts:8
console.log("Config loaded:", JSON.stringify(config));
[HIGH] src/server.ts:42
console.log(process.env.AWS_SECRET_ACCESS_KEY);
[HIGH] src/db.ts:15
logger.info({ password: dbConfig.password });
A realistic .env with 20 secrets — database URLs, AWS, Stripe, Twilio, SendGrid, Google OAuth, Sentry, JWT secrets, encryption keys. Before this MCP: an AI agent reads the file, has no idea what's sensitive, and proceeds to use those values in generated code or responses.
After one scan_for_secrets call: 16 findings, all categorized by severity, all previews masked. The agent knows exactly what's dangerous before it touches anything.
{
"mcpServers": {
"secret-scanner": {
"
... [View full README on GitHub](https://github.com/vola-trebla/env-secret-exposure-analyzer-mcp#readme)