
Show HN: DomainOptic – scanned 20 HN sites for secrets and exposed endpoints

https://domainoptic.com/
1•renbuilds•1h ago
I built a tool that scans deployed websites for secrets in production bundles and forgotten API endpoints.

https://domainoptic.com/audit

Unlike repo scanners (TruffleHog, Gitleaks), this scans what's actually live: what an attacker sees when they view source or probe common paths.

Tested it on 20 sites from Hacker News over the last two days. All indie projects, side hustles, Show HN launches.

Results:

- 1 site had 6 actual secrets (1 cloud credential, 5 API keys)

- 5 sites (25%) had exposed API documentation (/swagger, /graphql, /api-docs)

- 2 sites had critical-level endpoint exposure

- 100% scan consistency on re-tests

The site with secrets wasn't some abandoned project. It launched recently. The founders probably don't know.

What the scanner checks:

1. Secret Scanner - patterns matching AWS, Stripe, Firebase, generic API keys in your compiled JS

2. Ghost API Hunter - probes for /swagger, /api-docs, /graphql, debug routes

To be clear: not every pattern is a real secret. Firebase client configs are public by design. The tool flags patterns worth investigating.

If you want to see it work before scanning your own site, try wirier.com; it's a demo site I built with intentionally planted secrets.

Free. No signup. One-click scanning.

Curious what others find on their own sites.
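As an added example, not part of the original post and not DomainOptic's own code, the following Python script shows the "secret scanner" idea applied to your own compiled JS: it runs a few well-known key-format patterns (AWS access key IDs, Stripe secret keys, Firebase web API keys) plus a generic `api_key`/`secret`/`token` assignment pattern over a bundle, and it carries the post's own caveat into the output by marking Firebase web API keys as public-by-design "info" findings rather than secrets. The sample bundle and every key value in it are constructed placeholders (the AWS value is the documented `AKIAIOSFODNN7EXAMPLE` example key); the pattern set, severities and function names are this example's assumptions, not a description of how DomainOptic classifies anything.

```python
import re
from typing import Dict, List, Set

# Constructed sample "production bundle". Every credential-looking value below
# is a placeholder built for this example; none is a real key.
SAMPLE_BUNDLE = "\n".join([
    'const firebaseConfig = {apiKey: "' + "AIza" + "SyEXAMPLE".ljust(35, "0")
    + '", authDomain: "example-app.firebaseapp.com"};',
    'var AWS_KEY = "AKIAIOSFODNN7EXAMPLE";',
    'fetch("/api/charge", {headers: {Authorization: "Bearer sk_live_0000000000000000EXAMPLE0"}});',
    'window.__cfg = {api_key: "constructed-generic-key-value-1234"};',
])

# (kind, severity, regex, note) for specific key formats. Severities are this
# example's assumption: cloud/payment secrets are "high"; a Firebase web API key
# is "info" because it is meant to ship to the browser and the real control is
# Firebase Security Rules and key restrictions, not the key's secrecy.
PATTERNS = [
    ("aws_access_key_id", "high", re.compile(r"AKIA[0-9A-Z]{16}"),
     "AWS access key ID found in client code; rotate and move server-side"),
    ("stripe_secret_key", "high", re.compile(r"sk_live_[0-9a-zA-Z]{24,}"),
     "Stripe live secret key found in client code; rotate immediately"),
    ("stripe_test_key", "low", re.compile(r"sk_test_[0-9a-zA-Z]{24,}"),
     "Stripe test secret key found in client code; should not ship either"),
    ("firebase_web_api_key", "info", re.compile(r"AIza[0-9A-Za-z_\-]{35}"),
     "Firebase web API key: public by design; verify Security Rules and key restrictions"),
]

# Generic catch-all: a key-ish name assigned a long quoted literal.
GENERIC = re.compile(
    r"""(?i)\b(api[_-]?key|secret|token)\b\s*[:=]\s*['"]([A-Za-z0-9_\-]{16,})['"]"""
)


def redact(value: str) -> str:
    """Keep only a short prefix so reports can be shared without leaking the value."""
    return value[:8] + "..."


def scan_bundle(js: str) -> List[Dict[str, object]]:
    """Scan bundle text line by line and return a list of findings.

    Specific patterns run first; the generic pattern is skipped for any value
    already reported, so a Firebase `apiKey: "AIza..."` is not double-counted.
    """
    findings: List[Dict[str, object]] = []
    seen: Set[str] = set()
    for lineno, line in enumerate(js.splitlines(), start=1):
        for kind, severity, rx, note in PATTERNS:
            for m in rx.finditer(line):
                seen.add(m.group(0))
                findings.append({"kind": kind, "severity": severity, "line": lineno,
                                 "value": redact(m.group(0)), "note": note})
        for m in GENERIC.finditer(line):
            value = m.group(2)
            if value in seen:
                continue
            seen.add(value)
            findings.append({"kind": "generic_api_key", "severity": "medium", "line": lineno,
                             "value": redact(value),
                             "note": f"'{m.group(1)}' assigned a long literal; confirm whether it is a secret"})
    return findings


def count_by_severity(findings: List[Dict[str, object]]) -> Dict[str, int]:
    """Roll findings up by severity so a CI gate can fail on high/medium only."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[str(f["severity"])] = counts.get(str(f["severity"]), 0) + 1
    return counts


if __name__ == "__main__":
    # To scan a real build, replace SAMPLE_BUNDLE with open("dist/main.js").read()
    # (path assumed; use your own bundler's output directory).
    for f in scan_bundle(SAMPLE_BUNDLE):
        print(f"{f['severity']:<6} line {f['line']:<3} {f['kind']:<22} {f['value']:<12} {f['note']}")
    print(count_by_severity(scan_bundle(SAMPLE_BUNDLE)))
```

Run it against your bundler's output before deploying; a reasonable CI gate fails the build when `count_by_severity` reports any `high` or `medium` finding and merely logs `info` ones, which keeps the Firebase false positive the post mentions from blocking releases while still surfacing it for review.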