{"slug": "a-client-side-secret-scanner-that-physically-can-t-exfiltrate-your-code-and-why", "title": "A client-side secret scanner that physically can't exfiltrate your code (and why you shouldn't trust mine either)", "summary": "A developer built devguard-scan, a client-side secret scanner that runs entirely in the browser with zero dependencies and makes no network calls. The tool's source code contains no fetch, XMLHttpRequest, WebSocket, or sendBeacon calls, making data exfiltration physically impossible. The scanner uses 10 detection rules for common API keys and tokens, byte-for-byte matched against a canonical Python scanner to maintain detection coverage without requiring server trust.", "body_md": "There's an irony in most \"paste your config to check for leaked secrets\" web tools: pasting a secret into a random website *is* the leak. You're trusting a server you can't see.\n\nSo I built [devguard-scan](https://wrg-11.github.io/devguard-scan/) the other way around — it runs 100% in your browser, zero dependencies, and makes **no network calls at all**.\n\n**Don't take my word for it.** Open DevTools → Network, scan a file, and watch zero requests fire. The source has no `fetch`, `XMLHttpRequest`, `WebSocket`, or `sendBeacon` — grep it yourself. It can't exfiltrate what it never calls.\n\n**The 10 detection rules** (OpenAI, AWS, GitHub classic + fine-grained PAT, Stripe, Google API, Slack token + webhook, private-key blocks, generic assignments) aren't a weaker JS port — they're the exact regex set from a canonical Python scanner, parity-checked byte-for-byte so the convenience of \"in-browser\" doesn't cost you detection coverage.\n\nIt's a POC, MIT-licensed, and open to rule requests: [github.com/WRG-11/devguard-scan](https://github.com/WRG-11/devguard-scan)\n\nThe broader point: for a security tool, \"trust me\" isn't good enough. The design should make the safety property *verifiable by the user* — here, an empty Network tab.\n\nWhat other dev tools should be provable rather than promised?", "url": "https://wpnews.pro/news/a-client-side-secret-scanner-that-physically-can-t-exfiltrate-your-code-and-why", "canonical_source": "https://dev.to/wrg11/a-client-side-secret-scanner-that-physically-cant-exfiltrate-your-code-and-why-you-shouldnt-1252", "published_at": "2026-05-30 18:49:25+00:00", "updated_at": "2026-05-30 19:11:40.138480+00:00", "lang": "en", "topics": ["ai-tools", "ai-safety", "ai-products"], "entities": ["OpenAI", "AWS", "GitHub", "Stripe", "Google", "Slack", "devguard-scan", "WRG-11"], "alternates": {"html": "https://wpnews.pro/news/a-client-side-secret-scanner-that-physically-can-t-exfiltrate-your-code-and-why", "markdown": "https://wpnews.pro/news/a-client-side-secret-scanner-that-physically-can-t-exfiltrate-your-code-and-why.md", "text": "https://wpnews.pro/news/a-client-side-secret-scanner-that-physically-can-t-exfiltrate-your-code-and-why.txt", "jsonld": "https://wpnews.pro/news/a-client-side-secret-scanner-that-physically-can-t-exfiltrate-your-code-and-why.jsonld"}}