skip to content
fizzgig
sign in
// product
code auditdetect what shippedbrand and reachsoonlift qualityperfect memorysoondecision graph
// build better
sourdough startersproject kicks-off in 1 prompt
// resources
pricingdocsblogabout
sign inrequest access →
audit suite/security/secret_leak_finder
securityv0.9.0free

fizzgig__secret_leak_finder

finds hardcoded api keys, tokens, and provider secrets in your source.

// ai does this over time

you paste a key from supabase to test something. the AI scaffolds your code around it. three commits later the live key is in your public repo. by the time github's secret scanner catches it, it's already on someone's screen.

// the tool does

scans against 29 distinct credential patterns: auth providers (Supabase JWT/secret/publishable), payment processors (Stripe live/test/restricted), AI APIs (OpenAI, Anthropic), code hosting (GitHub PAT/fine-grained/app), cloud providers (AWS access+secret, GCP service account), communications (Slack, Twilio, SendGrid, Mailgun, Resend), cryptographic primitives (PEM keys, JWT bearers), database URIs (postgres://, mongodb+srv://), framework footguns (NEXT_PUBLIC_-prefixed admin keys), plus a generic catch-all.

// so you can

don't be the founder whose stripe live key sits in the readme. runs before the commit lands — sticky tool, before every deploy.

● live● v0.9.0● free
// input schema
schema · application/json
{
"type": "object"
"required": [
"project"
]
"properties": {
"project": {
"type": "string"
"description": "the project slug or path"
}
"strict": {
"type": "boolean"
"default": false
"description": "fail on warnings, not just errors"
}
}
}
// output schema
schema · application/json
{
"type": "object"
"properties": {
"ok": {
"type": "boolean"
}
"findings": {
"type": "array"
"items": {
"type": "object"
"properties": {
"severity": {
"enum": [
"info"
"warn"
"high"
"critical"
]
}
"message": {
"type": "string"
}
"fix": {
"type": "string"
}
}
}
}
}
}
// example call from cursor
~/myapp — example output
→ fizzgig__secret_leak_finder(project="myapp")
{
"ok": false,
"findings": [
{ "severity": "high",
"message": "policy uses user_id without auth.uid()",
"fix": "USING (auth.uid() = user_id)" }
],
"scanned": 3, "duration_ms": 142
}
// reviews
@maya.codes★★★★★
2 days ago

caught a policy that would have leaked every user's comments. shipped a fix in 4 minutes.

@solo_at_3am★★★★★
1 week ago

first tool i installed. it's the one that pays for itself.

@vibebuilder★★★★☆
2 weeks ago

works great. one false positive on a join table — easy to ignore.

// primary action
add to your editor
paste this into your mcp config.
.cursor/mcp.json
{
  "fizzgig": {
    "url": "https://mcp.fizzgig.ai",
    "tools": ["secret_leak_finder"]
  }
}
full setup guide →
// pricing
free
unlimited calls on the free tier.
// related tools
rls_checker
v0.6.0
→
env_auditor
v0.4.0
→
dep_audit
v0.5.0
→
fizzgig

the fluffy guardian of vibe-coded apps. growls at insecure code so you don't have to.

all systems operational

product

code auditbrand and reach (soon)perfect memory (soon)pricingdocschangelog

community

sourdough startersdiscord (soon)github (soon)x / twitter (soon)rss (soon)

company

aboutcontactterms (soon)privacy
© 2026 fizzgig labs.
v1.4.2 · 2026-05-01