
Exposed API keys and secrets in your code

An exposed API key is any credential, like a Stripe secret key, an OpenAI token, or a database password, that ends up committed to your source code instead of staying in an environment variable. It is the single most common security mistake in vibe-coded projects, and also the most expensive one.

What goes wrong

When you ask Cursor or Lovable to wire up Stripe or OpenAI, the AI sometimes pastes the actual key into the code rather than referencing process.env. Once that file is pushed to GitHub, the key is public. Bots constantly scrape new commits looking for these patterns. The window between a push and the first abuse is often measured in minutes.

Why it matters

A stolen OpenAI key can burn through a thousand dollars of credit overnight. A stolen Stripe key gives the attacker the ability to issue refunds, view customer data, or scrape your payment history. A stolen AWS key has been known to spin up bitcoin miners that leave founders with five-figure bills before AWS pauses the account.

How Heimdall checks for this

Heimdall runs your entire repository through 20+ known credential patterns covering OpenAI, Stripe, AWS, GitHub, Google, Slack, Twilio, SendGrid, Mailgun, MongoDB, Postgres, MySQL, Redis, and private keys. It also runs a high-entropy pass that catches custom or unusual secrets stored in variables named things like apiKey, token, or password. Every candidate is then verified by an AI step that rules out placeholder values from documentation or tests.
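The two-stage approach described above, as an added example that is not Heimdall's own code: a few illustrative provider patterns (assumed key shapes, not Heimdall's actual rule set), a Shannon-entropy pass over assignments to names like apiKey, token and password, and a simple placeholder filter standing in for the AI verification step. The sample file and every key-shaped value in it are constructed for this example.

```python
import math
import re

# Illustrative provider-format patterns (assumed shapes, not Heimdall's actual rule set).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "stripe_secret_key": re.compile(r"\bsk_(?:live|test)_[0-9a-zA-Z]{24,}\b"),
    "github_pat": re.compile(r"\bghp_[0-9a-zA-Z]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}
# Assignments to suspicious names are judged by entropy instead of a fixed format.
SUSPICIOUS_ASSIGN = re.compile(
    r"(?i)(api[_-]?key|token|password|secret)\s*[:=]\s*['\"]([^'\"]{12,})['\"]"
)
# Values that look like documentation or test placeholders are discarded.
PLACEHOLDER = re.compile(r"(?i)(your[_-]?|changeme|example|xxx|<[^>]+>|\$\{)")

def shannon_entropy(s):
    """Bits per character; random-looking secrets land well above 3.5."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def scan_source(text, entropy_threshold=3.5):
    """Return (line_no, rule, value) findings for one file's contents."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        if "process.env" in line or "os.environ" in line:
            continue  # reading from the environment is the pattern we want to see
        for rule, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                if not PLACEHOLDER.search(m.group(0)):
                    findings.append((line_no, rule, m.group(0)))
        for m in SUSPICIOUS_ASSIGN.finditer(line):
            name, value = m.group(1).lower(), m.group(2)
            if PLACEHOLDER.search(value) or shannon_entropy(value) < entropy_threshold:
                continue
            findings.append((line_no, "high_entropy_" + name, value))
    return findings

# Constructed sample file: every value below is made up for this example.
SAMPLE = """\
const stripe = require("stripe")("sk_live_0123456789abcdefABCDEF01");
const awsKey = "AKIAIOSFODNN7EXAMPLE";
const openai = process.env.OPENAI_API_KEY;
const config = { apiKey: "your-api-key-here" };
const token = "Zq8!vP3xL0mNrT6bWc2Yd9Ke";
const password = "passwordpassword";
"""

def scan_sample():
    return scan_source(SAMPLE)

if __name__ == "__main__":
    for line_no, rule, value in scan_sample():
        print(f"line {line_no}: {rule} -> {value}")
```

Of the six sample lines only two are reported: the documented AWS example key and the "your-api-key-here" value are dropped as placeholders, and the repeated low-entropy password never crosses the threshold.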

How to fix it

If a real key is found, rotate it immediately in the provider's dashboard. The old key has to be assumed compromised even if you delete the file, because git history keeps the old version. Then move the secret to an environment variable and add the file that holds it to .gitignore so it cannot happen again. Heimdall generates a fix prompt you can paste straight into Cursor or Lovable that walks the AI through all three steps.

Frequently asked questions

If I delete the file from the next commit, am I safe?

Does this only matter for public repos?

What's the difference between a publishable key and a secret key?

Run this check on your own repo

Heimdall scans your GitHub repo for this and 16 other issues in under a minute.