Continuous scanning of your GitHub repos, the full commit history, and your public web surface for exposed API keys, tokens, and connection strings. Every finding is tested against the issuing service before any alert fires — so your team gets paged for live keys, not regex false positives.
Scans every commit ever made to the repos you authorise — not just HEAD. Catches keys committed, deleted, and force-pushed but still reachable in history.
Discovers subdomains via certificate-transparency logs, crawls them, de-minifies JavaScript bundles. Finds the AWS keys your last deploy accidentally shipped to the browser.
18 service-specific validators (OpenAI, AWS, Stripe, GitHub, Slack, Datadog…) test every finding against the issuer. Each verdict carries a confidence — corroborated by two independent probes.
Slack, PagerDuty, OpsGenie, Jira, Linear, signed webhook. When you resolve a finding in CredWatch, the corresponding incident or ticket closes automatically.
Most secret scanners alert on every regex hit. CredWatch only alerts on confirmed-live keys, with a confidence verdict you can act on.
Every validator runs a primary probe and an independent corroborator before flagging a key as live. A flaky 401 doesn't trigger auto-resolution; a flaky 200 doesn't trigger a page. You see high, medium, or low on every finding.
The most common leak isn't a key currently committed — it's one that was force-pushed away. CredWatch walks the full git log and catches both. Even keys you thought you'd already cleaned up.
We persist at most 8 plaintext characters per match (sk-a1****cd34 shape). The full secret never enters our database — so even a CredWatch breach can't expose your customers' keys.
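How the two-probe verdict and the redaction rule described above could be combined in one finding record, as an added illustration (this is not CredWatch's own code; the probe-outcome vocabulary, the even prefix/suffix split of the 8 plaintext characters, and the action names are assumptions):

```python
from dataclasses import dataclass

HIGH, MEDIUM, LOW = "high", "medium", "low"
PLAINTEXT_BUDGET = 8  # at most 8 plaintext characters persisted per match

def verdict(primary: str, corroborator: str) -> tuple[str, str]:
    """Combine two independent issuer probes into (state, confidence).

    Probe outcomes use a constructed vocabulary: 'accepted' (issuer took the
    key), 'rejected' (e.g. a 401), 'error' (timeout, 5xx, rate limit).
    """
    answered = [p for p in (primary, corroborator) if p != "error"]
    if not answered:                       # neither probe produced a usable answer
        return "unknown", LOW
    if len(answered) == 1:                 # one probe answered: never high confidence
        return ("live" if answered[0] == "accepted" else "dead"), LOW
    if primary == corroborator:            # both agree: the only way to reach high
        return ("live" if primary == "accepted" else "dead"), HIGH
    return "unknown", MEDIUM               # probes disagree: needs a human look

def next_action(state: str, confidence: str) -> str:
    """Only a high-confidence verdict moves the finding's lifecycle.

    A flaky 200 (live/low) does not page; a flaky 401 (dead/low) does not
    auto-resolve. Everything else waits for the daily digest.
    """
    if confidence == HIGH and state == "live":
        return "page"
    if confidence == HIGH and state == "dead":
        return "auto-resolve"
    return "digest"

def redact(secret: str, keep: int = PLAINTEXT_BUDGET) -> str:
    """Keep at most `keep` plaintext characters, split between prefix and suffix (assumed split)."""
    if len(secret) <= keep:                # too short to redact meaningfully: store nothing in clear
        return "*" * len(secret)
    head, tail = keep // 2, keep - keep // 2
    return secret[:head] + "****" + secret[-tail:]   # fixed-width mask hides the true length

@dataclass(frozen=True)
class Finding:
    redacted: str      # the only form of the match that is ever persisted
    state: str
    confidence: str
    action: str

def record_finding(secret: str, primary: str, corroborator: str) -> Finding:
    """Build the persisted record: redacted match plus verdict and routing decision."""
    state, confidence = verdict(primary, corroborator)
    return Finding(redact(secret), state, confidence, next_action(state, confidence))
```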
Session timeout, MFA, audit log, encryption at rest, dependency scanning, daily backups with tested restore, incident-response runbook. EU-hosted (Hetzner, Germany) for simpler GDPR compliance.
No sales call. No procurement form. Just paste a token and watch.
Email + password. Free tier ready to scan immediately.
Read-only PAT, AES-256 encrypted at rest. We enumerate every repo it can see — you toggle which to scan.
Repos, commit history, web surface — all in parallel. Live progress on the Scans page. Findings appear as they're confirmed.
Confirmed live keys page on-call immediately; lower-severity findings batched into a daily 08:00 UTC digest. Remediation steps included.
Paste any public repo URL. We'll scan its default branch and show what we find in about 30–60 seconds. No data is stored beyond an hour and we don't contact you about results unless you sign up.
Scans the default branch only · capped at 200 files, 90 seconds, 3 scans/hour per IP · pattern detection only (sign up to validate findings against the issuer).
Every plan ships with the same detection engine and the same 18 validators. You're paying for scale and integration depth — never for finding accuracy.
Yearly billing available with ~17% discount on Starter and Growth. All plans subject to our Terms, Privacy Policy, and Data Processing Agreement.
For procurement, custom retention, SSO, self-hosted deployments, or contractual SLAs. We'll respond within one business day.
Sign up in 60 seconds. First scan running in 10 minutes. Free forever for small teams.