# ov scan
ov scan finds secrets committed or staged in your codebase. It runs entirely on your machine — no network calls, no telemetry, no account required.
```sh
ov scan [path] [flags]
```

`path` defaults to the current directory if omitted.
## What it detects

| Type | Examples |
|---|---|
| AWS access keys | `AKIA[0-9A-Z]{16}` |
| AWS secret keys | High-entropy 40-char strings adjacent to an AWS key |
| GitHub tokens | `ghp_`, `github_pat_`, `gho_`, `ghs_` prefixes |
| Stripe keys | `sk_live_`, `sk_test_`, `rk_live_` |
| Private keys | `-----BEGIN RSA PRIVATE KEY-----`, `-----BEGIN EC PRIVATE KEY-----` |
| JWT tokens | Three-part base64url strings with a valid header |
| Postgres DSNs | `postgres://user:password@host` |
| MySQL DSNs | `mysql://user:password@host` |
| MongoDB URIs | `mongodb+srv://user:password@cluster` |
| High-entropy strings | Shannon entropy > 4.5 bits/char, length > 20 |
The same detection engine powers the MCP context interceptor — patterns that catch committed secrets also catch accidental pastes in Claude Code.
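To make the table concrete, here is an added Python example (not OpaqueVault's own code, and not its real detection engine) that implements a subset of the detectors above: prefix and structure regexes, a JWT check that decodes the header and looks for `alg`, and a Shannon-entropy fallback that only scores tokens no specific detector has already claimed. Previews are redacted in the style of the report shown under Output. The regexes, the redaction rules and every sample value are assumptions constructed for the example; the UUID line also illustrates why a hex-alphabet identifier stays below the 4.5 bits/char threshold while a 32-character blob of distinct characters is flagged.

```python
"""Miniature secret scanner modelled on the detector table above (added example,
not OpaqueVault's code). Shows prefix/structure detectors, a JWT header check,
a Shannon-entropy fallback and preview redaction. All sample values are constructed."""
import base64
import json
import math
import re
from collections import Counter, namedtuple
from typing import List, Tuple

# Subset of the table; the AWS secret-key proximity rule and MySQL DSNs are omitted for brevity.
PATTERN_DETECTORS = [
    ("aws-access-key", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("github-token", re.compile(r"\b(?:ghp|gho|ghs)_[0-9A-Za-z]{36}\b|\bgithub_pat_[0-9A-Za-z_]{22,}")),
    ("stripe-secret-key", re.compile(r"\b(?:sk_live|sk_test|rk_live)_[0-9A-Za-z]{16,}\b")),
    ("private-key", re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----")),
    ("postgres-dsn", re.compile(r"\bpostgres(?:ql)?://[^\s:/]+:[^\s@]+@\S+")),
    ("mongodb-uri", re.compile(r"\bmongodb(?:\+srv)?://[^\s:/]+:[^\s@]+@\S+")),
]
JWT_RE = re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")
# Entropy candidates; '=' is excluded so a KEY=value line is not scored as one token.
CANDIDATE_RE = re.compile(r"[A-Za-z0-9+/_-]{21,}")
ENTROPY_THRESHOLD = 4.5  # bits per character, as in the table
KNOWN_PREFIXES = ("sk_live_", "sk_test_", "rk_live_", "ghp_", "gho_", "ghs_", "github_pat_")

Finding = namedtuple("Finding", "line_no kind preview")

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def shannon_entropy(s: str) -> float:
    """Bits per character of the empirical symbol distribution of s."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def looks_like_jwt(token: str) -> bool:
    """Structural check: the first segment must decode to a JSON object carrying 'alg'."""
    head = token.split(".")[0]
    try:
        header = json.loads(base64.urlsafe_b64decode(head + "=" * (-len(head) % 4)))
    except ValueError:  # bad base64, bad UTF-8 and bad JSON all subclass ValueError
        return False
    return isinstance(header, dict) and "alg" in header

def redact(kind: str, value: str) -> str:
    """Display preview; the full value is never echoed."""
    if kind == "private-key":
        return value  # the PEM header itself is not secret
    if kind.endswith(("-dsn", "-uri")):  # keep scheme and user, mask the password
        return re.sub(r"(://[^:/]+:)(.)[^@]*(@)", r"\g<1>\g<2>*****\g<3>", value)
    for prefix in KNOWN_PREFIXES:
        if value.startswith(prefix):
            return prefix + "*" * (len(value) - len(prefix))
    return "*" * len(value) if len(value) <= 8 else value[:4] + "*" * (len(value) - 8) + value[-4:]

def scan_text(text: str) -> List[Finding]:
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        claimed: List[Tuple[int, int]] = []  # spans already explained by a detector
        for kind, rx in PATTERN_DETECTORS:
            for m in rx.finditer(line):
                findings.append(Finding(line_no, kind, redact(kind, m.group(0))))
                claimed.append(m.span())
        for m in JWT_RE.finditer(line):
            if looks_like_jwt(m.group(0)):
                findings.append(Finding(line_no, "jwt-token", redact("jwt-token", m.group(0))))
                claimed.append(m.span())
        for m in CANDIDATE_RE.finditer(line):  # entropy fallback for unclaimed tokens only
            s, e = m.span()
            if any(s < ce and e > cs for cs, ce in claimed):
                continue
            if shannon_entropy(m.group(0)) > ENTROPY_THRESHOLD:
                findings.append(Finding(line_no, "high-entropy", redact("high-entropy", m.group(0))))
    return findings

def format_report(path: str, findings: List[Finding]) -> str:
    """Same layout as the report shown under Output."""
    if not findings:
        return "No leaked secrets found."
    out = [f"FOUND {len(findings)} leaked secret(s) in your repo.", ""]
    out += [f"  {path}:{f.line_no}  {f.kind:<18} {f.preview}" for f in findings]
    return "\n".join(out)

# Constructed sample file; every value is made up for this example.
SAMPLE_JWT = ".".join([b64url(b'{"alg":"HS256","typ":"JWT"}'),
                       b64url(b'{"sub":"demo-user"}'), b64url(b"placeholder-signature")])
SAMPLE = "\n".join([
    "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",
    "GITHUB_TOKEN=ghp_EXAMPLE" + "0" * 29,
    "STRIPE_KEY=sk_live_EXAMPLEkey" + "0" * 16,
    "-----BEGIN RSA PRIVATE KEY-----",
    "DATABASE_URL=postgres://admin:hunter2@db.internal:5432/app",
    "SESSION=" + SAMPLE_JWT,
    "request_id=550e8400-e29b-41d4-a716-446655440000",  # UUID: hex alphabet keeps entropy low
    "OTHER_TOKEN=mZ8vQ2kL9pX4rT7wB3nH6jD1sF5gY0cA",  # 32 distinct chars = 5.0 bits/char
])

if __name__ == "__main__":
    print(format_report(".env.backup", scan_text(SAMPLE)))
```

Running the file prints a seven-finding report for the constructed sample. The ordering matters: specific detectors run first and claim their spans, so a Stripe key or JWT is reported once under its own type rather than a second time as a generic high-entropy hit, and the entropy fallback only ever sees leftovers.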
## Output

```text
FOUND 3 leaked secret(s) in your repo.

  scripts/deploy.sh:31    aws-access-key      AKIA************MPLE
  config/database.yml:14  postgres-dsn        postgres://admin:p*****@prod...
  .env.backup:3           stripe-secret-key   sk_live_********************

Store them safely:
  ov secret set AWS_ACCESS_KEY
  ov secret set POSTGRES_DSN
  ov secret set STRIPE_SECRET_KEY

→ https://opaquevault.com/docs/getting-started/quickstart
```

Previews are redacted — OpaqueVault never logs or transmits the full value.
| Flag | Description |
|---|---|
| `--fix` | Interactively store found secrets in OpaqueVault and print git history cleanup instructions |
## ov scan --fix

`--fix` walks you through storing every detected secret in OpaqueVault and then tells you exactly how to remove them from git history.

```sh
ov scan . --fix
```

You must be logged in (`ov auth login`) before running `--fix`. If you're not, it will print a link to register and exit.
The flow:

- Scan runs as normal and shows all findings
- For each unique secret type found, you're prompted for a name (defaults to the detector name, e.g. `STRIPE_SECRET_KEY`) — press enter to accept, type a custom name, or `-` to skip
- You enter your master password once — it's reused for all secrets in the session
- Each secret is encrypted locally and stored in OpaqueVault
- After storing, exact `git filter-repo` commands are printed for each affected file, along with force-push instructions
Example session:

```text
FOUND 2 leaked secret(s) in your repo.

  .env.backup:3    stripe-secret-key   sk_live_********************
  scripts/ci.sh:8  aws-access-key      AKIA************MPLE

Found 2 secret type(s). Let's store them in OpaqueVault.

App: my-saas
Master password: ••••••••••••

[stripe-secret-key] Secret name (default: STRIPE_SECRET_KEY, enter to skip):
Value for "STRIPE_SECRET_KEY": ••••••••••••••••••••••••••••
✓ "STRIPE_SECRET_KEY" stored

[aws-access-key] Secret name (default: AWS_ACCESS_KEY, enter to skip): AWS_ACCESS_KEY_ID
Value for "AWS_ACCESS_KEY_ID": ••••••••••••••••••••
✓ "AWS_ACCESS_KEY_ID" stored

✓ 2 secret(s) stored in OpaqueVault.

Next: remove them from your git history.

If you don't have git-filter-repo installed:
  pip install git-filter-repo

For each file containing leaked secrets:
  git filter-repo --path .env.backup --invert-paths
  git filter-repo --path scripts/ci.sh --invert-paths

Then force-push to update the remote:
  git push --force-with-lease

Note: notify any collaborators to re-clone after a force-push.

→ https://opaquevault.com/docs/getting-started/scan-fix
```

## False positives

High-entropy detection may occasionally flag random-looking strings that aren't secrets (e.g., hashed IDs, UUIDs, base64-encoded config). When running `--fix`, skip these by entering `-` when prompted for the name.
## How it's different from GitGuardian / truffleHog

ov scan is not trying to replace dedicated secret scanning platforms. It's a local, instant, zero-friction tool designed for one purpose: get developers to discover they have a problem, and immediately give them a path to fix it with OpaqueVault. No SaaS required, no data leaves your machine.