Secret Scanning

PastePrompt includes a local secret scanner that can run before copy or export when scanner mode is enabled. It is a review gate for generated context bundles, not a guarantee that a bundle is safe.

What the scanner does

The scanner reviews the bundle you are about to copy or export and reports likely sensitive values. Enable Balanced or Strict mode in Settings when you want this local preflight before source context leaves the app through the clipboard or an exported Markdown file.

Detector categories may include:

  • Private-key patterns.
  • API keys.
  • Access tokens.
  • Cloud provider credentials.
  • Webhook secrets.
  • OAuth-style client secrets.
  • .env-style assignments.
  • High-entropy strings that look generated.
  • Common credential names in code or configuration.

The exact detector set can change by release. Treat scanner results as a prompt for human review, not as a complete security assessment.

Why copy and export are the right scan points

Copy and export are the points where a local source bundle can become portable. Running the scanner at that moment gives you a chance to stop, redact, or exclude content before the bundle reaches the clipboard, disk, a cloud-synced folder, or an external LLM tool.

PastePrompt should not silently bypass this check for convenience. If an override exists, it should require an explicit user decision.

Warning severity

Warnings may be grouped by confidence or severity. For example, a private-key block is usually more sensitive than a low-confidence high-entropy string in a test fixture.

Severity does not prove a value is live, exploitable, or safe. It is a prioritization signal for review.

Response options

When the scanner reports a warning, use the safest option that still supports the review.

Redaction

Redaction replaces a detected value with a placeholder while keeping surrounding context. This is useful when the file is important but the exact credential value is not.

Redaction can change code semantics, so review whether the redacted value matters to the question you are asking the LLM.
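To make the detector categories listed earlier and the redaction behaviour described here concrete, the following is an added example and not PastePrompt's own code: a minimal Python scanner with hypothetical detectors for private-key blocks, .env-style assignments, credential names in code and high-entropy strings, each tagged with a severity, followed by a redaction pass that swaps only the matched value for a placeholder and keeps the surrounding context. The sample bundle, patterns, entropy threshold and placeholder format are all constructed for illustration.

```python
import math
import re
from collections import Counter

# Constructed sample bundle (made up, not from PastePrompt): a Markdown context bundle.
SAMPLE_BUNDLE = """\
# deploy/id_rsa
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAx7fake
-----END RSA PRIVATE KEY-----
# config/.env
AWS_SECRET_ACCESS_KEY=x9Q2vL8pRz4tKm7NbJ3wHy6FdA1sGe5UcV0oTq2Z
# tests/fixtures.py
API_KEY = "test-placeholder"
NONCE = "Qm7xR2vLp9TzK4wN8bYh3JdF6sGc1UeA"
"""

# Hypothetical detectors: (category, severity, pattern); group 1 is the value to redact.
DETECTORS = [
    ("private-key", "high", re.compile(
        r"(-----BEGIN [A-Z ]*PRIVATE KEY-----[\s\S]*?-----END [A-Z ]*PRIVATE KEY-----)")),
    (".env-style assignment", "medium", re.compile(
        r"^[A-Z][A-Z0-9_]*(?:SECRET|TOKEN|PASSWORD|KEY)[A-Z0-9_]*=(\S+)$", re.M)),
    ("credential name in code", "low", re.compile(
        r"^\w*(?:secret|token|password|api_key)\w*\s*=\s*[\"'](.+?)[\"']$", re.M | re.I)),
]

def shannon_entropy(s):
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values())

def scan(bundle):
    """Return (category, severity, start, end) findings sorted by position."""
    findings = []
    for category, severity, pattern in DETECTORS:
        for m in pattern.finditer(bundle):
            findings.append((category, severity, m.start(1), m.end(1)))
    # High-entropy strings that look generated (>= 4 bits/char), skipped if already covered.
    for m in re.finditer(r"[A-Za-z0-9+/_-]{20,}", bundle):
        covered = any(s <= m.start() and m.end() <= e for _, _, s, e in findings)
        if not covered and shannon_entropy(m.group()) >= 4.0:
            findings.append(("high-entropy string", "low", m.start(), m.end()))
    return sorted(findings, key=lambda f: f[2])

def redact(bundle, findings):
    """Swap each detected value for a placeholder; findings must not overlap."""
    out, pos = [], 0
    for category, _, start, end in findings:
        out += [bundle[pos:start], "[REDACTED: %s]" % category]
        pos = end
    return "".join(out) + bundle[pos:]
```

Note that the fixture value `test-placeholder` is reported too: it is the kind of low-severity false positive the page says to expect, and the placeholder in the redacted output keeps the assignment readable for the reviewer.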

Exclusion

Exclusion removes a file from the generated bundle. This is usually best for .env files, local configuration, credential dumps, private deployment files, and unrelated secrets.

If the excluded file is needed for the review, consider adding a sanitized excerpt manually in the prompt instructions instead of exporting the raw file.

Cancel

Cancel stops copy or export. Use this when warnings indicate the selection is unsafe, unclear, or broader than intended.

Copy anyway

If your build offers Copy anyway or an equivalent override, use it only after reviewing the warning and confirming the value is safe to share. This option should be treated as an explicit risk decision, not a normal path.

For client repositories or private audits, prefer redaction, exclusion, or cancel unless the warning is clearly a harmless fixture or placeholder.

False positives and false negatives

False positives are expected. Tests, examples, fixtures, docs, and placeholder strings can look like secrets.

False negatives are also possible. The scanner may miss:

  • Custom credential formats.
  • Short tokens.
  • Encoded or split secrets.
  • Secrets stored in binary files.
  • Secrets generated at runtime.
  • Values that are sensitive only in your organization.

A clean scanner result does not prove that a bundle contains no sensitive information.

Best practices

  1. Keep .env, private deployment files, local credentials, and production config out of selected context.
  2. Add PastePrompt-specific exclusions to .pastepromptignore.
  3. Review the generated bundle preview before copy or export.
  4. Treat secret scanner warnings as blockers until you understand them.
  5. Avoid pasting secrets into LLM tools, even trusted ones.
  6. Use test fixtures with obviously fake values when possible.
  7. Re-run the scanner after changing selection, format, prompt instructions, or Git diff context.