Self-hosted · keyless · values redacted · nothing stored

Find leaked secrets before attackers do.

Drop a repo and scan every file for hardcoded API keys, tokens, and private keys. It runs on your own box — so you never hand your source, or its secrets, to someone else's cloud.

150+ detection rules · Redacted: we never display the secret · Stateless: nothing written to disk · MIT engine (gitleaks)

Catch the mistake that leaks the keys

A hardcoded token in a commit, a .env that slipped into a zip — that's how breaches start. Guardwright finds them so you can rotate before anyone else does.

1. Drop the repo

A .zip of the codebase. We unpack it in an isolated sandbox and never run it.

2. Scan every file

150+ rules for AWS/GCP keys, GitHub & Slack tokens, private keys, JWTs, and generic high-entropy secrets.

3. Rotate what's exposed

A severity-ranked report with file and line — the value itself stays redacted, so the report is safe to share.

Why a secret scanner has to be self-hosted

Think about what a cloud secret scanner asks for: upload your entire source tree — including the secrets — to their servers. That's the one category where "just use our cloud" makes the least sense.

🔒

Secrets never leave

The scan runs on your box. Your keys aren't copied to a third party you now have to trust.

🧹

Nothing is stored

Code is unpacked to a temp dir, scanned, and deleted in the same request. No database, no retention.

🛡️

Redacted by default

Findings show the rule, file, and line — never the secret. The report is safe to paste into a ticket.

Pricing

Scan free in the browser. Upgrade for CI gating, larger repos, and the self-host license.

Free

$0
  • One repo at a time
  • ~6k files
  • Full redacted report
  • Nothing stored

Solo (Popular)

$19/mo
  • Large repos
  • Custom allowlist
  • CLI + CI action
  • Scan history

Team

$99/mo
  • Multi-repo + org
  • PR / CI gate
  • SSO + roles
  • Priority support

Self-host

$499 once
  • Run on your infra
  • Air-gap friendly
  • Unlimited private repos
  • Updates for 1 year

Questions

Do you store my code or the secrets?

No. The zip is unpacked to a temporary directory, scanned, and deleted in the same request. Nothing is written to a database, and secret values are redacted out of the report entirely.

What can it detect?

150+ rules via the MIT gitleaks engine: AWS/GCP/Azure keys, GitHub/GitLab/Slack/Stripe tokens, private keys, JWTs, and generic high-entropy strings.

Will it flag documentation examples?

The engine allowlists well-known example keys (like AWS's docs sample) to cut false positives, and the paid tiers let you add your own allowlist.

Can I run it in CI or fully on my own servers?

Yes — the Solo tier adds a CLI/CI action, and the self-host license runs the whole scanner on your infrastructure, air-gap friendly.