Loading repository data…
Loading repository data…
Amal-David / repository
Runtime leak detector for modern web apps — finds exposed API keys, validates BaaS misconfigurations (Supabase/Firebase RLS), and catches secrets in JS bundles. Chrome extension + CLI.
Runtime leak detector for modern web apps. Finds exposed API keys, validates BaaS misconfigurations (Supabase RLS, Firebase Security Rules), and catches secrets in JavaScript bundles -- with a Chrome extension for real-time detection.
Static scanners find hardcoded secrets in source code. KeyLeak finds the ones that only appear at runtime -- and then proves they're exploitable.
pip install keyleak-detector
keyleak browser-scan https://your-app.vercel.app --html > report.html
Or with uv (faster):
uv pip install keyleak-detector
# or run directly without installing:
uvx keyleak-detector browser-scan https://your-app.vercel.app --html > report.html
Add to any repo to scan preview deployments automatically:
# .github/workflows/keyleak.yml
name: KeyLeak Security Scan
on: [deployment_status]
jobs:
keyleak:
if: github.event.deployment_status.state == 'success'
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: Amal-David/keyleak-detector@v0.5.0
id: scan
with:
mode: browser
url: ${{ github.event.deployment_status.target_url }}
baas-validate: true
fail-on: high
Works with Vercel, Netlify, Render, Railway — anywhere a preview URL is generated. See full GitHub Action docs for all options, SARIF upload, and local-only scanning.
1. Open chrome://extensions
2. Enable "Developer mode"
3. Click "Load unpacked" → select the extension/ folder
Browse any site. The extension icon shows a badge count for findings. Click to see details, TEST keys live, and view remediation.
git clone https://github.com/Amal-David/keyleak-detector.git
cd keyleak-detector
# With poetry
poetry install && poetry run playwright install chromium
# Or with uv
uv sync && uv run playwright install chromium
# Scan a single page
keyleak browser-scan https://your-app.vercel.app --html > report.html
# Scan with BaaS validation (tests Supabase RLS, Firebase rules)
keyleak browser-scan https://your-app.vercel.app --baas-validate --html > report.html
# Full Site Scan — subdomain enumeration (subfinder/amass if installed + crt.sh + DNS) + multi-page crawl
keyleak site-scan example.com --depth 3 --max-pages 100 --max-subdomains 50 --baas-validate --html > report.html
# A deep scan auto-installs subfinder if it's missing (brew → pinned `go install`), then uses it;
# pass --no-auto-install (or set KEYLEAK_NO_AUTO_INSTALL=1) to stay on crt.sh + DNS only.
# amass is also auto-used if present. `keyleak doctor` reports which enumerators are active.
# Scan local files for secrets
keyleak local . --fail-on high
# Output formats: --json, --sarif, --markdown, --html
Route a scan's outbound traffic through a proxy with the global --proxy flag
(off by default). It covers every outbound path of a scan — crt.sh subdomain
lookups, the Playwright crawl, and BaaS validation probes:
# Cloudflare WARP (recommended): a free, local SOCKS5 proxy.
# warp-cli set-mode proxy && warp-cli connect
keyleak --proxy warp site-scan example.com
# Tor (socks5://127.0.0.1:9050)
keyleak --proxy tor site-scan example.com
# Any explicit proxy URL — http://, https://, or socks5://
keyleak --proxy socks5://127.0.0.1:1080 browser-scan https://your-app.vercel.app
Notes:
--proxy is a global flag, so it must come before the subcommand
(like --offline).socks5:// proxies need PySocks (pip install requests[socks]); the warp
and tor aliases are SOCKS5.--proxy warp coexists with --offline. A
non-loopback proxy is rejected under --offline. The local KeyLeak web bridge
is never proxied.The --html flag generates a self-contained dark-theme vulnerability report:
| Category | What | How |
|---|---|---|
| BaaS misconfig | Open Supabase tables, missing RLS, public storage buckets, callable RPCs | Active validation -- probes the REST API with only the anon key |
| BaaS providers | Supabase, Firebase, Appwrite, PocketBase | Config extraction from minified JS bundles |
| API keys | OpenAI, Anthropic, Gemini, Stripe, GitHub, AWS, and 20+ more | Regex detection + live TEST validation |
| JWT analysis | service_role exposure, admin flags, broad scopes, long expiry | Decode + claims analysis (no verification needed) |
| Client-side auth | isAdmin === true checks in browser JS | Pattern detection in bundles |
| Write access | Tables accepting INSERT/UPDATE without auth | Prefer: tx=rollback probing (never creates data) |
| Auth config | Missing email confirmation, exposed auth settings | Supabase auth endpoint probing |
| Supply chain | Malicious npm lifecycle hooks (download-and-exec, base64/PowerShell/Bun stagers), Git-ref/tarball deps — incl. inside node_modules | Structured manifest scan (Shai-Hulud / Miasma class) |
| Attack chains | Individual findings correlated into real attack paths (e.g. anon key + RLS-less table = unauth exfil) | Correlation engine over the merged findings |
| CI/CD hardening | Unpinned GitHub Actions / reusable workflows / docker:// tags, permissions: write-all, secrets echoed in run: | Workflow-file detectors |
| Local files | .env, MCP configs, CI workflows, Docker files, source maps | keyleak local scanner |
A patch release for finding identity, report reliability, and dependency hardening. Full notes in CHANGELOG.md.
mitmproxy import failures are preserved/logged while proxy mode
falls back to the disabled path when unavailable.A security-and-usefulness release. Full notes in CHANGELOG.md.
keyleak bundles and --bundle <id> run named groups of
checks (secrets, baas, authz, recon, deep, …) instead of "everything or nothing".preinstall/
postinstall/prepare scripts and git-ref deps inside node_modules (the
Shai-Hulud / Miasma / Bitwarden-CLI supply-chain class) that the regex pack skips.write-all, secret echo.pull_request-triggered, SHA-pinned workflow running the test suites +
launch-gate.keyleak site-scan + web UI button) with crt.sh + DNS subdomain enumeration, multi-level crawl, and per-finding page provenance--html)baas pack detectorsThe Chrome extension suppresses findings from 200+ first-party domains (Google, AWS, Azure, GitHub, Stripe, etc.), 87 vendor CDN scripts, cloud storage signed URLs, and infrastructure headers. Despite this, you may encounter false positives on sites we haven't seen yet.
If you find a false positive, please report it. Open an issue with:
We actively review reported FPs and add suppression rules. The more sites you browse with the extension, the better the suppression gets.
Every serious scan should lead to four