Find leaked credentials in your code and git history.
Deleting a secret from your codebase doesn't remove it from git history. Lumstep uses Kingfisher to scan both your working tree and every commit in your repository's history - including files that were deleted long ago. It detects API keys, OAuth tokens, private keys, passwords, connection strings, and CI/CD secrets across 200+ service patterns, and where the provider API allows it, validates whether each credential is still active.
How Lumstep's secret scanning works
Lumstep scans your current code and your entire git history - with no configuration on your end.
Full history scan
Kingfisher traverses your entire git history on each scan - every commit, every branch, including deleted files - and checks for credentials matching 200+ service-specific patterns.
Live validation
For providers that expose a validation endpoint, Lumstep tests each detected credential to determine whether it is still active or has already been revoked.
Precise report
Each finding is reported with the exact file, line, commit hash, and credential type. Your team gets actionable information, not a list of maybes.
Git history is fully covered
A secret committed three years ago and deleted the next day is still in your repository. Lumstep scans every commit, not just the current state of the files - so a credential that was "cleaned up" but never rotated is caught.
Live validity checks
For supported providers - AWS, GitHub, Stripe, Slack, Google Cloud, and others - Lumstep tests whether the detected credential still works. A live key that needs revoking is not treated the same as a key that was already rotated.
Exact location, no noise
Every finding includes the file path, line number, and the commit hash where the secret appeared. High-precision patterns and entropy-based filtering mean you get real findings, not a list of false positives to wade through.
Flagged within minutes of the push
Every push triggers a full scan. Exposed secrets are flagged long before a periodic scanner or manual review would catch them - while the exploitation window is still closed.
Scan your history for exposed credentials.
Free early access. Detection covers your full history from the first scan.