This tool scans GitHub repositories for sensitive AI keys (API keys, secrets, etc.) in commit messages and diffs. It's designed to work both as a standalone Python script and as a Docker container.
The tool scans for API keys related to the following AI models and services:
- OpenAI User Key
- OpenAI Project Key
- Anthropic Key
- Google AI Key
- Mistral AI Key
- Cohere Key
- Stability Key
- Replicate Key
- Hugging Face Key
- ElevenLabs Key
- Together AI Key
- Groq Key
- AI21 Key
- Baseten Key
- Pinecone Key
- Modal Key
- RunPod Key
- Banana Key
You can use this tool in two ways:
- Using Docker
- Running the Python script directly

Prerequisites:
- Docker installed on your machine.
- A GitHub personal access token for authentication. You can generate a GitHub token here.

- Run the Docker image

Use the following command to scan a GitHub user's or organization's repositories:
- Replace `GITHUB_TOKEN` with your actual GitHub token.
- Replace `your_username_or_org` with the GitHub username or organization name you want to scan.
```bash
docker run -e GITHUB_TOKEN=ghp_your_actual_token 4us71n0/ai-key-scanner --user your_username_or_org --verbose --output json
```
If you want to scan all repositories of an organization instead of a user, use `--org`:

```bash
docker run -e GITHUB_TOKEN=ghp_your_actual_token 4us71n0/ai-key-scanner --org your_org_name --verbose --output text
```

- `--verbose`: Enable detailed output logs for debugging.
- `--output`: Choose either `json` (for structured output) or `text` (for human-readable output).
- `--fast`: Skip scanning commit diffs; only scan commit messages.
Example output:

```json
[
  {
    "repo": "repo-name",
    "leaks": [
      "[⚠️] OpenAI User Key in commit message: https://github.com/username/repo-name/commit/1234567890abcdef1234567890abcdef12345678\n ➤ Key found in message"
    ]
  }
]
```
- Install Python

You will need Python 3.x installed on your machine.
- Install dependencies

Install the required Python libraries:

```bash
pip install -r requirements.txt
```
- Set up the GitHub token

You will need a GitHub personal access token to authenticate requests to the GitHub API.
Set `GITHUB_TOKEN` as an environment variable before running the script:

```bash
export GITHUB_TOKEN=ghp_your_actual_token
```
- Scan a GitHub user

Use the following command to scan a specific user:

```bash
python scanner.py --user your_username --verbose --output json
```
- Scan a GitHub organization

If you want to scan an organization, use the `--org` flag:

```bash
python scanner.py --org your_org_name --verbose --output text
```
- `--org`: Scan a GitHub organization.
- `--user`: Scan a specific GitHub user.
- `--verbose`: Enable detailed output logging.
- `--output`: Choose either `json` or `text` output format.
- `--fast`: Skip scanning commit diffs; only scan commit messages.

Example:

```bash
python scanner.py --user your_username --output json --verbose
```
Rate Limiting: GitHub API requests are rate-limited. If you hit the rate limit, you'll need to wait before making more requests. This can be mitigated by using a GitHub Personal Access Token (PAT).
Scanning Commits: This tool scans both commit messages and diffs for potential secret keys, such as API keys from popular services (OpenAI, Google, etc.).

Privacy: Ensure that you are authorized to scan the repositories, as this tool will expose sensitive information if found.
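As an added illustration of what the scan does (example code written for this page, not the project's own `scanner.py`): a minimal Python scan of constructed commit messages and diffs that produces the same `{"repo", "leaks"}` record shown in the example output, including the `--fast` behaviour of skipping diffs. The key patterns are illustrative assumptions, not the tool's own, and matched values are redacted rather than echoed.

```python
import json
import re

# Illustrative patterns only (assumption): the real scanner's regexes are not
# shown in the README. Each anchors on a vendor-specific prefix and a minimum
# length so that prose such as "sk-..." does not trigger a finding.
PATTERNS = {
    "OpenAI User Key": re.compile(r"\bsk-(?!proj-|ant-)[A-Za-z0-9]{32,}\b"),
    "OpenAI Project Key": re.compile(r"\bsk-proj-[A-Za-z0-9_-]{32,}\b"),
    "Anthropic Key": re.compile(r"\bsk-ant-[A-Za-z0-9_-]{32,}\b"),
    "Hugging Face Key": re.compile(r"\bhf_[A-Za-z0-9]{30,}\b"),
    "Groq Key": re.compile(r"\bgsk_[A-Za-z0-9]{40,}\b"),
}

def scan_commit(repo_url, sha, message, diff=None, fast=False):
    """Return report lines for one commit in the tool's output format.
    fast=True skips the diff, mirroring the --fast flag."""
    commit_url = f"{repo_url}/commit/{sha}"
    targets = [("commit message", message)]
    if not fast and diff is not None:
        targets.append(("commit diff", diff))
    leaks = []
    for where, text in targets:
        for name, pattern in PATTERNS.items():
            for match in pattern.finditer(text):
                key = match.group(0)
                # Never echo the secret itself; keep prefix and length only.
                redacted = f"{key[:6]}...({len(key)} chars)"
                leaks.append(f"[⚠️] {name} in {where}: {commit_url}\n ➤ Key found: {redacted}")
    return leaks

def scan_repo(repo_name, repo_url, commits, fast=False):
    """Aggregate per-commit findings into one {"repo", "leaks"} record."""
    leaks = []
    for c in commits:
        leaks.extend(scan_commit(repo_url, c["sha"], c["message"], c.get("diff"), fast))
    return {"repo": repo_name, "leaks": leaks}

# Constructed sample data: fake keys made of repeated letters, fake SHAs.
SAMPLE_COMMITS = [
    {"sha": "a" * 40,
     "message": "hotfix: set OPENAI_API_KEY=sk-" + "A" * 48,
     "diff": "+ANTHROPIC_KEY = 'sk-ant-" + "B" * 40 + "'\n"},
    {"sha": "b" * 40,
     "message": "docs: describe token formats (sk-..., hf_...)",
     "diff": "+HF_TOKEN = 'hf_" + "C" * 34 + "'\n"},
]

if __name__ == "__main__":
    report = scan_repo("repo-name", "https://github.com/username/repo-name", SAMPLE_COMMITS)
    print(json.dumps([report], indent=2, ensure_ascii=False))
```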