mpx-secrets-audit
Your API keys are probably in a git repo somewhere. Find them before someone else does.
npm i -g mpx-secrets-audit
What it does
Scan codebases for leaked secrets, track API key lifecycles, monitor rotation schedules, and generate compliance reports.
Secret Scanning
Find API keys, tokens, passwords, and credentials in code, config files, and git history. High-accuracy pattern matching with minimal false positives.
Lifecycle Tracking
Track when secrets were created, when they expire, when they were last rotated. Never let an API key sit for 3 years again.
Rotation Alerts
Get notified when secrets are approaching rotation deadlines or have been in use too long. Proactive secret hygiene.
Compliance Reports
Generate audit reports for SOC 2, ISO 27001, PCI DSS. Prove you're managing secrets properly. Export to JSON, CSV, or PDF.
Multi-Environment
Track secrets across dev, staging, production. Ensure prod secrets aren't leaking into dev environments.
AI-Native
MCP (Model Context Protocol, which lets AI assistants like Claude and GPT use CLI tools directly) server mode, --json output, --schema discovery. Your AI can audit secrets and suggest rotations.
$ mpx-secrets-audit scan --path ./project
Scanning ./project for secrets...
Found 4 potential secrets:

AWS Access Key
  File: config/aws.yml
  Line: 12
  Pattern: AKIA[0-9A-Z]{16}
  Severity: HIGH

Stripe API Key
  File: .env.example
  Line: 8
  Pattern: sk_live_[a-zA-Z0-9]{24}
  Severity: CRITICAL

GitHub Token (safe - in .gitignore)
  File: .env
  Line: 3
  Pattern: ghp_[a-zA-Z0-9]{36}
  Severity: LOW (ignored)

Database Password
  File: docker-compose.yml
  Line: 22
  Pattern: Hardcoded password
  Severity: MEDIUM

Scan complete. 3 issues require attention.
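The scan output above reports a file, line, pattern and severity per finding, and downgrades a token found in a git-ignored file. The sketch below is an added example, not mpx-secrets-audit's own code: it applies only the three regexes shown in that output. The function names, the exact-path ignore list, the redaction format and the base severity for GitHub tokens are assumptions, and the sample files are constructed.

```javascript
// Added example: a minimal pattern scanner using the three regexes from the
// sample output. All inputs below are constructed; nothing here is the tool's code.
const RULES = [
  { type: "aws_access_key", re: /AKIA[0-9A-Z]{16}/g, severity: "high" },
  { type: "stripe_api_key", re: /sk_live_[a-zA-Z0-9]{24}/g, severity: "critical" },
  // Base severity for GitHub tokens is an assumption; the page only shows the ignored case.
  { type: "github_token", re: /ghp_[a-zA-Z0-9]{36}/g, severity: "high" },
];

// Show only a short prefix so the report itself does not leak the secret.
const redact = (s) => s.slice(0, 8) + "*".repeat(s.length - 8);

// files: { path: contents }; ignored: paths known to be excluded from git
// (exact-path match only; real .gitignore glob handling is out of scope).
function scan(files, ignored = []) {
  const findings = [];
  for (const [file, text] of Object.entries(files)) {
    const untracked = ignored.includes(file);
    text.split("\n").forEach((lineText, i) => {
      for (const rule of RULES) {
        for (const m of lineText.matchAll(rule.re)) {
          findings.push({
            type: rule.type, file, line: i + 1,
            severity: untracked ? "low" : rule.severity,
            ignored: untracked, match: redact(m[0]),
          });
        }
      }
    });
  }
  return findings;
}

// Findings that still need attention: anything not in an ignored file.
const actionable = (findings) => findings.filter((f) => !f.ignored);

// Constructed sample tree; key bodies are built from filler characters.
const SAMPLE = {
  "config/aws.yml": "region: us-east-1\naccess_key: AKIAIOSFODNN7EXAMPLE\n",
  ".env.example": "STRIPE_KEY=sk_live_" + "a1".repeat(12) + "\n",
  ".env": "PORT=3000\nGITHUB_TOKEN=ghp_" + "Z9".repeat(18) + "\n",
  "README.md": "Set AKIA... in your environment.\n",
};
const report = scan(SAMPLE, [".env"]);
console.log(actionable(report).length, "of", report.length, "findings need attention");
```

A key in `.env.example` stays at full severity because example files are normally committed, while the same pattern in an ignored `.env` is kept in the report but marked low.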
$ mpx-secrets-audit audit --env production
Production Secret Audit Report
Generated: 2026-02-16 19:00:00
Secret Inventory:
┌────────────────┬────────────┬─────────────┬────────────┐
│ Secret         │ Created    │ Last Rotate │ Expires    │
├────────────────┼────────────┼─────────────┼────────────┤
│ AWS_ACCESS_KEY │ 2025-06-12 │ 2026-01-10  │ 2026-06-10 │
│ STRIPE_API_KEY │ 2024-11-03 │ Never       │ N/A        │
│ DB_PASSWORD    │ 2025-08-20 │ 2025-11-15  │ N/A        │
│ GITHUB_TOKEN   │ 2026-01-05 │ N/A         │ 2026-07-05 │
└────────────────┴────────────┴─────────────┴────────────┘
Recommendations:
- STRIPE_API_KEY: Never rotated (467 days old)
- DB_PASSWORD: Last rotated 93 days ago (rotate every 90 days)
$ mpx-secrets-audit scan --path ./project --json
{
"scan_timestamp": "2026-02-16T19:00:00Z",
"path": "./project",
"findings": [
{
"type": "aws_access_key",
"file": "config/aws.yml",
"line": 12,
"severity": "high",
"recommendation": "Move to environment variable or secrets manager"
},
{
"type": "stripe_api_key",
"file": ".env.example",
"line": 8,
"severity": "critical",
"recommendation": "Remove from .env.example, use placeholder"
}
],
"summary": {
"total_files_scanned": 342,
"total_secrets_found": 4,
"critical": 1,
"high": 1,
"medium": 1,
"low": 1
}
}
$ mpx-secrets-audit report --format pdf --output audit-report.pdf
Generating compliance report...
Secret inventory collected
Rotation history analyzed
Access patterns reviewed
Multi-environment check complete
Report saved: audit-report.pdf
Report includes:
- Secret inventory (all environments)
- Rotation compliance (90-day policy)
- High-risk findings
- Remediation recommendations
Free vs Pro
| Feature | Free | Pro |
|---|---|---|
| Basic secret scanning | โ | โ |
| JSON output & MCP server | โ | โ |
| Scans per day | 10 | Unlimited |
| Lifecycle tracking | โ | โ |
| Rotation alerts | โ | โ |
| Multi-environment audit | โ | โ |
| Compliance reports (PDF/CSV) | โ | โ |
Related Tools
Scan for security issues on websites.
Test APIs that use the secrets.
Find database credentials in config.
⚠️ mpx-secrets-audit helps find secrets but cannot guarantee 100% detection. Always use dedicated secrets management solutions for production systems.