fizzgig__secret_leak_finder
finds hardcoded api keys, tokens, and provider secrets in your source.
you paste a key from supabase to test something. the AI scaffolds your code around it. three commits later the live key is in your public repo. by the time github's secret scanner catches it, it's already on someone's screen.
scans against 29 distinct credential patterns: auth providers (Supabase JWT/secret/publishable), payment processors (Stripe live/test/restricted), AI APIs (OpenAI, Anthropic), code hosting (GitHub PAT/fine-grained/app), cloud providers (AWS access+secret, GCP service account), communications (Slack, Twilio, SendGrid, Mailgun, Resend), cryptographic primitives (PEM keys, JWT bearers), database URIs (postgres://, mongodb+srv://), framework footguns (NEXT_PUBLIC_-prefixed admin keys), plus a generic catch-all.
don't be the founder whose stripe live key sits in the readme. runs before the commit lands — sticky tool, before every deploy.
caught a policy that would have leaked every user's comments. shipped a fix in 4 minutes.
first tool i installed. it's the one that pays for itself.
works great. one false positive on a join table — easy to ignore.
{
"fizzgig": {
"url": "https://mcp.fizzgig.ai",
"tools": ["secret_leak_finder"]
}
}