# KeyGate

A fast local pre-commit guardrail that stops secrets before they enter git history.

```bash
pipx install keygate
keygate activate
```

That's it. keygate now runs automatically before every `git commit`.

keygate scans only staged added lines, runs offline, and blocks likely API keys, passwords, tokens, and private keys before a commit is created. Zero configuration required.
Japanese | Chinese
## Why KeyGate?

- Fast by design: scans only `git diff --cached` added lines
- Local-first: no cloud service, no external API calls, no LLM validation
- Low-friction: install once, then keep using `git commit` normally
- Practical false-positive handling: inline ignores, allowlists, and baselines
- Agent-friendly: stable JSON output for AI coding agents and automation
## Demo

## Why this matters

During development, it's easy to write API keys or passwords directly in code. Once committed with `git commit`, they become permanently embedded in the repository history.

Even if you delete them later, they remain accessible from past commits. Once exposed on GitHub or similar platforms, they can be exploited almost immediately. There are countless cases of AWS key leaks resulting in massive unexpected bills.

keygate blocks the mistake at the local commit boundary, before the secret becomes part of repository history.
## How it works

keygate is intentionally narrow. It is not trying to replace full-repository scanners, CI scanners, or cloud security platforms.

Instead, it focuses on the moment right before `git commit` succeeds:

- Read `git diff --cached`
- Extract added lines only
- Combine rule-based detection, entropy checks, and context scoring
- Block high-confidence secrets, warn on lower-confidence findings

The default threshold blocks findings with a score of 70 or higher and warns for scores from 40 to 69.
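The pipeline above, as a small added example in Python (keygate is a Python tool). This is not KeyGate's own code: only the two thresholds (70 to block, 40 to 69 to warn) come from this README; the rule patterns, the bonus weights for context and entropy, and the sample diff are constructed for illustration. It parses unified-diff output as `git diff --cached` would produce it, keeps added lines only (taking care not to mistake the `+++ b/path` file header for an added line), and scores each line by combining the strongest rule hit with a context bonus for sensitive variable names and an entropy bonus for random-looking quoted values.

```python
"""Toy model of the commit-time pipeline: read a unified diff, keep added
lines only, score each with rules + context + entropy, then block (>= 70)
or warn (40..69). Added example, not KeyGate's code; the rule patterns,
bonus weights and the sample diff are constructed here."""
import math
import re
from collections import Counter, namedtuple

BLOCK_THRESHOLD, WARN_THRESHOLD = 70, 40   # thresholds stated in the README
CONTEXT_BONUS, ENTROPY_BONUS = 45, 30      # assumed weights for this example

# Rule-based detectors: (name, pattern, base score). Illustrative patterns.
RULES = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b"), 80),
    ("pem-private-key", re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"), 90),
]
# Context signal: a sensitive-looking name assigned a quoted value.
CONTEXT_RE = re.compile(r"""(?ix)
    \b(?P<name>[\w.-]*(?:key|password|passwd|pwd|secret|token))\s*[:=]\s*
    ['"](?P<value>[^'"]{6,})['"]""")
LONG_TOKEN_RE = re.compile(r"[A-Za-z0-9+/=_-]{32,}")
HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")
Finding = namedtuple("Finding", "path line score severity reasons")


def shannon_entropy(s: str) -> float:
    """Bits per character: 0 for a repeated char, ~4.7 for random alphanumerics."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def extract_added_lines(diff: str) -> list:
    """Return (path, new-file line number, text) for each '+' line of a diff.
    A '+++ b/path' file header also starts with '+', so it is only treated as
    a header outside a hunk; inside a hunk, '+++ x' is added content '++ x'."""
    added, path, new_line, in_hunk = [], "", 0, False
    for raw in diff.splitlines():
        if raw.startswith("diff --git"):
            in_hunk = False
        elif not in_hunk and raw.startswith("+++ "):
            path = raw[4:].strip().removeprefix("b/")
        elif raw.startswith("@@"):
            m = HUNK_RE.match(raw)
            new_line, in_hunk = (int(m.group(1)) if m else 1), True
        elif not in_hunk or raw.startswith(("-", "\\")):
            continue                   # headers, removed lines, "\ No newline"
        elif raw.startswith("+"):
            added.append((path, new_line, raw[1:]))
            new_line += 1
        else:
            new_line += 1              # unchanged context line
    return added


def score_line(text: str) -> tuple:
    """Strongest rule hit, plus context and entropy bonuses, capped at 100."""
    score, reasons = 0, []
    for name, pattern, base in RULES:
        if pattern.search(text):
            score = max(score, base)
            reasons.append(f"rule:{name}")
    m = CONTEXT_RE.search(text)
    if m:
        score += CONTEXT_BONUS
        reasons.append(f"context:{m.group('name')}")
        value = m.group("value")
        if len(value) >= 16 and shannon_entropy(value) >= 3.5:
            score += ENTROPY_BONUS
            reasons.append("entropy:value")
    if any(shannon_entropy(t) >= 4.0 for t in LONG_TOKEN_RE.findall(text)):
        score = max(score, WARN_THRESHOLD + 5)   # long random-looking string
        reasons.append("entropy:long-token")
    return min(score, 100), reasons


def classify(score: int) -> str:
    return "block" if score >= BLOCK_THRESHOLD else "warn" if score >= WARN_THRESHOLD else "ok"


def scan_diff(diff: str) -> list:
    """Findings that would be reported: warn or block, never 'ok'."""
    findings = []
    for path, line, text in extract_added_lines(diff):
        score, reasons = score_line(text)
        if classify(score) != "ok":
            findings.append(Finding(path, line, score, classify(score), reasons))
    return findings


# Constructed stand-in for `git diff --cached` output; the key is AWS's
# documented example value, not a live credential.
SAMPLE_DIFF = """\
diff --git a/settings.py b/settings.py
--- a/settings.py
+++ b/settings.py
@@ -1,3 +1,6 @@
 import os
-AWS_KEY = os.environ["AWS_ACCESS_KEY_ID"]
+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
+password = "hunter2"
+secret = "x8Vq2mL0pZtR5yWn3bKd7Fh1"
+GREETING = "hello world"
 DEBUG = False
"""

if __name__ == "__main__":
    results = scan_diff(SAMPLE_DIFF)
    for f in results:
        print(f"{f.severity.upper():5} {f.path}:{f.line} score={f.score} {','.join(f.reasons)}")
    raise SystemExit(1 if any(f.severity == "block" for f in results) else 0)
```

On the sample diff the AWS line blocks (rule plus context plus entropy saturate the score), the hard-coded `password` only warns (context signal alone scores 45), the high-entropy `secret` blocks without any rule matching it (context 45 plus entropy 30 = 75), and the harmless `GREETING` line is not reported at all. A non-zero exit status is what a pre-commit hook needs to abort the commit.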
## What it detects

- AWS Access Keys
- OpenAI API Keys
- Anthropic API Keys
- Google API Keys
- GitHub Tokens
- GitLab Personal Access Tokens
- Slack Tokens
- Private Keys (PEM format)
- JWT Tokens
- Stripe Secret and Publishable Keys
- SendGrid API Keys
- npm Access Tokens
- PyPI API Tokens
- Django Secret Keys
- Azure Storage Account Keys
- Azure SAS Tokens
- Hugging Face, Docker Hub, Vercel, Datadog, Discord, Telegram, and Twilio tokens
- Sentry DSNs
- URLs with embedded credentials
- `Authorization: Bearer ...` and decodable `Authorization: Basic ...` headers
- Personal information patterns: email addresses; Japanese phone numbers (separator formats like 03-1234-5678 and 090-1234-5678, no-separator mobile numbers starting with 090/080/070/050, parenthesized formats like (03)1234-5678 and 03(1234)5678, international format +81-..., and optional extension suffixes like ext. 123 or 内線 456); credit card numbers including JCB; US SSNs; IBANs (compact and space-grouped formats, case-insensitive); and UK National Insurance numbers (compact AB123456C and spaced AB 12 34 56 C)
- Long random-looking strings (high-entropy detection)
- Variable names like `api_key`, `password`, `secret` paired with values

PII-only findings are reported as warnings, not commit-blocking errors. If the same line also contains strong non-PII secret signals that reach the block threshold on their own, the finding may still block the commit.
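To make the personal-information formats listed above concrete, here is an added Python example (not KeyGate's code) that matches the Japanese phone number variants the README enumerates, the compact and spaced UK National Insurance form, and email addresses, and applies the severity rule just stated: PII on its own only warns, and a line blocks only when a separate non-PII secret score (supplied by the caller here; in a real scanner it would come from the rule/entropy scorer) reaches the block threshold. The regexes and sample lines are constructed for this example.

```python
"""PII patterns and the warn-only rule for them. Added example, not KeyGate's
code: regexes and sample lines are constructed; only the 70 threshold and the
listed formats come from the README."""
import re

BLOCK_THRESHOLD = 70  # from the README

PII_PATTERNS = {
    "email": re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"),
    # Japanese phone numbers in the README's formats plus an optional extension
    # ("ext. 123" / "内線 456"). The lookarounds keep the match from starting or
    # ending inside a longer digit run such as a build id or hash.
    "jp-phone": re.compile(r"""(?x)
        (?<!\d)
        (?:
            \+81[-\s]?\d{1,4}[-\s]?\d{1,4}[-\s]?\d{4}   # +81-3-1234-5678
          | \(0\d{1,4}\)\d{1,4}-\d{4}                    # (03)1234-5678
          | 0\d{1,4}\(\d{1,4}\)\d{4}                     # 03(1234)5678
          | 0\d{1,4}-\d{1,4}-\d{4}                       # 03-1234-5678, 090-1234-5678
          | 0[5789]0\d{8}                                # 09012345678: mobile/IP, no separator
        )
        (?:\s*(?:ext\.?|内線)\s*\d{1,5})?
        (?!\d)"""),
    # UK National Insurance number: two letters, six digits, one letter,
    # compact or space-grouped, case-insensitive as the README states.
    "uk-nino": re.compile(r"(?i)\b[A-Z]{2}(?:\s?\d{2}){3}\s?[A-Z]\b"),
}


def find_pii(line: str) -> list:
    """Return (kind, matched_text) for every PII hit on one added line."""
    hits = []
    for kind, pattern in PII_PATTERNS.items():
        hits.extend((kind, m.group(0)) for m in pattern.finditer(line))
    return hits


def pii_severity(line: str, non_pii_score: int = 0) -> str:
    """PII-only lines warn. A co-located non-PII secret signal that reaches the
    block threshold on its own (score passed in by the caller) blocks."""
    if non_pii_score >= BLOCK_THRESHOLD:
        return "block"
    return "warn" if find_pii(line) else "ok"


def scan_lines(lines) -> list:
    """(line number, severity, hits) for each constructed line that has PII."""
    return [(i, pii_severity(t), find_pii(t))
            for i, t in enumerate(lines, 1) if find_pii(t)]


SAMPLE_LINES = [  # constructed added lines; none are real contacts or identifiers
    'SUPPORT_PHONE = "03-1234-5678 ext. 123"',
    "mobile: 09012345678, intl: +81-3-1234-5678",
    "alt formats (03)1234-5678 / 03(1234)5678 内線 456",
    "NI numbers: AB123456C and ab 12 34 56 c",
    "contact = alice@example.com",
    "released 2024-01-15, build id 1234567890, commit 0a3f5c9e",
]

if __name__ == "__main__":
    for lineno, severity, hits in scan_lines(SAMPLE_LINES):
        print(f"{severity.upper():5} line {lineno}: {hits}")
```

The last sample line is the negative case: a date, a ten-digit build id and a hex prefix share digits with the phone formats but match none of them, which is what the lookarounds and the leading-zero requirement are for.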
## How is this different from Gitleaks or TruffleHog?

keygate is not a replacement for full repository, history, CI, or cloud secret scanning. It is a lightweight local guardrail for the moment right before a commit is created.

| Tool | Best for |
|---|---|
| KeyGate | Fast local pre-commit checks on staged changes |
| Gitleaks | Full repository, history, CI, and configurable rule scanning |
| TruffleHog | Deep secret discovery and verification workflows |

Use keygate when you want a small commit-time check that developers will actually keep enabled.
## Getting started

### Step 1: Install

keygate is a Python CLI tool. The easiest way to install it is via pipx.

```bash
pipx install keygate
```