SecAPI: Secure, AI-Driven API Key Management & Leak Prevention

A developer overhauled the abandoned SecAPI CLI prototype into a production-ready, zero-trust API key management tool that prevents credential leaks in repository files. The revamped utility features AI-driven scanning, smart code rewriting that preserves variable names and formatting, environment-specific vaults, and a git pre-commit hook that blocks commits containing unencrypted secrets. The project also replaced weak custom encryption with standard key derivation functions, added master password recovery, and implemented a secure installation script.

This is a submission for the GitHub Finish-Up-A-Thon Challenge SecAPI is a local-first, zero-trust CLI utility and key manager designed to make code security the easiest developer path. Exposing secrets like Stripe, OpenAI, or AWS keys in repository files is one of the most common causes of credential leaks. Often, developers resort to plaintext .env files that can be accidentally staged and pushed, or struggle with complex vault set-ups. SecAPI solves this with a seamless three-step command line workflow: load key "key name" —preserving variable names, indentation, and comments.It means we can keep our code secure, separate environments easily, and prevent pushes with unencrypted credentials—all without relying on cloud-based vault hosts. Check out the interactive scrollytelling page on secapi.netlify.app https://secapi.netlify.app/ to see the simulator type out and execute the CLI commands scanning, setting up vaults, applying smart code rewrites, checking the status board, and running the git pre-commit hook in real-time as you scroll SecAPI was an abandoned CLI prototype. It was un-installable due to file packaging typos, suffered from weak vault security a custom padding scheme instead of a standard key derivation function , had no recovery options if the master password was lost, and used a basic console print command to list keys. Furthermore, the AI scanner relied on outdated OpenAI package versions, creating environment conflicts. I gave the project a complete, ground-up overhaul to turn it into a premium, production-ready tool: install.sh that auto-detects pipx or pip to set up the CLI globally. secure.py with standard secapi recover without losing stored secrets. fixer.py to target only the string literal RHS of leaked assignments, leaving variable names LHS , indentation, and comments untouched. urllib library. Implemented secapi init-hook to install an executable git hook. It scans staged changes in a non-interactive mode and blocks commits if unencrypted secrets are introduced. Active , 🟡 Rotate Soon , 🔴 Expired . dev , staging , and prod vaults via CLI flags --env and environment variables SECAPI ENV . pytest .GitHub Copilot was an invaluable partner in reviving this codebase: cryptography library, ensuring the migration path was mathematically sound and didn't lose any legacy keys. urllib.request code for multi-part JSON API calls can be verbose. Copilot sped up the creation of the Gemini client, making it clean and robust against empty API responses.dev to username: binayak jha