At Clutch Security, we thrive in the realm of securing non-human identities. But every now and then, we find ourselves itching to do something a little different—something that’s more about giving back to the community and less about the bottom line. That’s exactly what led us to create our new VSCode extension for detecting secrets directly in the IDE—a small but powerful tool for developers and security teams alike.
Let’s get this out of the way: we’re not expecting this extension to go viral or become a household name in developer tools. But it is our way of addressing a persistent gap we’ve seen in the security landscape—and maybe, just maybe, it’s something that will make your life a little easier. Whether you’re a developer trying to stay ahead of security best practices or a security team operating on a shoestring budget, this is for you.
Secrets in Code – A Tale as Old as Time
Developers are human, and humans make mistakes. (If only the Non-Human Identities we secure were as predictable!) The truth is, secrets have a funny way of ending up in code. API keys, access tokens, database credentials—you name it, we’ve all seen it where it shouldn’t be.
The moment these secrets escape into a public repo, CI/CD logs, or Slack messages, they become a liability. Secret scanning tools exist, sure, but most operate in the later stages of the lifecycle: Git hooks, CI pipelines, or centralized platforms. By then, the secret’s already sitting on your hard drive, staring back at you in your IDE.
That’s where our extension comes in: it catches secrets right at the source—while you’re coding.
Built on Gitleaks: Proven Secret Detection
We wanted to create something that developers and security teams could trust right out of the gate. That’s why we built our extension on top of Gitleaks, the industry-standard open-source tool for detecting secrets in Git repositories. By bringing Gitleaks' powerful detection capabilities into the IDE, we’re empowering developers to identify issues earlier in the process, making remediation faster and easier.
With support for common patterns like AWS access keys, API tokens, database credentials, and more, the Clutch Security VSCode extension gives you real-time feedback as you code, without adding friction to your workflow.
What the Extension Does (and Doesn’t Do)
Here’s the deal: this extension isn’t trying to replace heavyweight secret management or scanning tools. It’s not a Swiss Army knife; it’s more like a very sharp needle for a very specific problem.
What it does:
- Detects hardcoded secrets in your IDE before they hit your Git repository.
- Supports a variety of common patterns, including AWS access keys, API tokens, database passwords, and more.
- Offers a simple, lightweight interface that doesn’t get in your way while coding.
What it doesn’t do:
- Replace robust secrets management tools like HashiCorp Vault or AWS Secrets Manager.
- Scan your entire repo or CI pipeline.
- Solve every problem in the universe (we’ll leave that to open-source superheroes).
See It in Action
Curious to see how it works? Check out the demo video below for a quick walkthrough of the extension in action. You’ll see just how easy it is to integrate into your workflow and start catching secrets before they become problems.
Why We Built This: For Security Teams Without a Budget (and Developers Who Care)
Not every organization can afford enterprise-grade secret scanning tools, let alone implement them at scale. And even when those tools exist, they often don’t extend all the way to the developer’s IDE. That’s where the gap lies: there’s no budget-friendly, developer-friendly way to empower devs to catch these issues themselves, in real time.
We built this extension for:
- Security teams who want a lightweight way to improve awareness among developers without breaking the bank.
- Developers who care about security but don’t want a tool that feels like a chore.
- The community—because we believe that making security accessible makes everyone safer.
Why This Matters (Even If It’s Not Groundbreaking)
Sure, this extension isn’t going to change the world. But it might change a conversation in your organization. Imagine a developer discovering a leaked API key before it becomes a ticket in the security queue. Or a security engineer demonstrating to their devs how secrets can easily slip through the cracks—and how to catch them early.
It’s a small tool, but it’s a step toward something bigger: shifting left in the most literal sense, bringing security into the places where developers live.
How to Get Started
It’s open-source, it’s on GitHub, and it’s waiting for you to try it. Head over to our GitHub repository to install the extension and see it in action. Whether you’re a solo developer or part of a team, we’d love to hear your feedback and ideas for improvement.
A Parting Thought
We know this extension isn’t a silver bullet, and that’s okay. What matters is the mindset it fosters—thinking about security at the earliest stages of development, right in your IDE. If it helps even one developer prevent a secret from slipping into the wild, we’ll consider it a win.
Give it a spin. Tinker with it. Laugh at the quirks. And most importantly, let’s keep building a safer, smarter community together.