tools/security/secret_leak_finder

securityv0.9.0free

fizzgig__secret_leak_finder

finds hardcoded api keys, tokens, and provider secrets in your source.

scans your code against 29 distinct credential patterns covering auth providers (Supabase JWT/secret/publishable), payment processors (Stripe live/test/restricted), AI APIs (OpenAI, Anthropic), code hosting (GitHub PAT/fine-grained/app), cloud providers (AWS access+secret, GCP service account, Google API), communications (Slack, Twilio, SendGrid, Mailgun, Resend), cryptographic primitives (PEM keys, JWT bearers), database connection URIs (postgres://, mysql://, mongodb+srv://), framework footguns (NEXT_PUBLIC_-prefixed admin keys, Mapbox secret tokens), and a generic catch-all. Runs before the commit lands — sticky tool, run before every deploy.

● live● v0.9.0● free

// input schema

schema · application/json

{

"type": "object"

"required": [

"project"

]

"properties": {

"project": {

"type": "string"

"description": "the project slug or path"

}

"strict": {

"type": "boolean"

"default": false

"description": "fail on warnings, not just errors"

}

// output schema

schema · application/json

{

"type": "object"

"properties": {

"ok": {

"type": "boolean"

}

"findings": {

"type": "array"

"items": {

"type": "object"

"properties": {

"severity": {

"enum": [

"info"

"warn"

"high"

"critical"

]

}

"message": {

"type": "string"

}

"fix": {

"type": "string"

}

// example call from cursor

~/myapp — example output

→ fizzgig__secret_leak_finder(project="myapp")

{

"ok": false,

"findings": [

{ "severity": "high",

"message": "policy uses user_id without auth.uid()",

"fix": "USING (auth.uid() = user_id)" }

"scanned": 3, "duration_ms": 142

}

// reviews

@maya.codes★★★★★

2 days ago

caught a policy that would have leaked every user's comments. shipped a fix in 4 minutes.

@solo_at_3am★★★★★

1 week ago

first tool i installed. it's the one that pays for itself.

@vibebuilder★★★★☆

2 weeks ago

works great. one false positive on a join table — easy to ignore.

// primary action

add to your editor

paste this into your mcp config.

.cursor/mcp.json

{
  "fizzgig": {
    "url": "https://mcp.fizzgig.ai",
    "tools": ["secret_leak_finder"]
  }
}

full setup guide →

// pricing

free

unlimited calls on the free tier.

// related tools