Secret Scanner

The secret scanner can check generated context before copy or export when scanner mode is enabled. It helps reduce the chance that credentials, tokens, keys, or other sensitive strings leave your machine through an LLM workflow.

What it does

PastePrompt scans the selected bundle before copy or export and reports potential secrets when you enable Balanced or Strict scanner mode. Detectors may include patterns for common credentials and high-risk strings, such as:

  • Private keys.
  • API keys.
  • Access tokens.
  • Webhook secrets.
  • Cloud provider credentials.
  • .env style assignments.
  • High-entropy strings that look like generated credentials.

Warnings should include enough context for you to decide what to do without exposing more source content than necessary.

Why it matters

PastePrompt is local-first, but copying a bundle into an external LLM tool is still a user-controlled data transfer. Secret scanning is a guardrail before that transfer happens.

It helps you:

  • Catch obvious credentials before paste or export.
  • Remove sensitive files from the selection.
  • Redact risky values where supported.
  • Stop and inspect the repository before sharing context.
  • Keep local-first workflows aligned with client and team expectations.

Secret scanning helps reduce risk. It does not guarantee that every secret or sensitive value will be detected.

How to use it

  1. Select files and instructions for the bundle.
  2. Enable Balanced or Strict scanner mode in Settings.
  3. Choose copy or export.
  4. Review any scanner warnings before continuing.
  5. For each warning, choose the safest available action:
    • Redact the detected value when the file is otherwise needed.
    • Exclude the file when it is not necessary for the review.
    • Cancel the copy/export and inspect the repository manually.
    • Copy anyway only if the app offers an explicit override and you have verified the value is safe to share.
  6. Re-run copy or export after redaction or exclusion.

Warning severity

Warning severity should help prioritize review. A private-key pattern is usually more urgent than a low-confidence high-entropy string. Severity is not a legal or compliance classification, and it is not proof that the value is live or exploitable.

Redaction, exclusion, cancel, and copy anyway

Redaction keeps the surrounding file context but replaces the detected value. Exclusion removes the file from the generated bundle. Cancel stops the operation so you can review manually. Copy anyway, if available, should be an explicit user decision and should never happen silently.

For client code, production repositories, or private audits, prefer redaction, exclusion, or cancel unless you are certain the warning is a false positive or safe test fixture.

Example workflow

  1. Select src/, test/, and .env.example.
  2. Generate a Markdown bundle.
  3. The scanner flags a high-confidence API key pattern in .env.example.
  4. Open the preview and confirm it is a realistic placeholder, not a live credential.
  5. Redact the value or exclude the file.
  6. Export the bundle after the scanner passes or only expected warnings remain.

Limitations

  • Secret scanners can miss secrets, especially custom formats, short tokens, encoded values, split strings, generated credentials, or secrets stored in binary files.
  • False positives are expected, especially in tests, fixtures, examples, and documentation.
  • A clean scan does not mean the bundle is safe to share.
  • Redaction can change code semantics if the redacted value is important to the review.
  • Exported bundles and clipboard contents can still be copied, synced, logged, or stored by other tools outside PastePrompt.