Secure your code repositories by detecting and removing sensitive information from git history

📖 Documentation • 🚀 Quick Start • 📸 Screenshots • 🛠️ Development

Leak Lock is a powerful VS Code extension that helps developers secure their repositories by:

• 🔍 Scanning git repositories for secrets, API keys, and sensitive data
• 🛡️ Detecting over 100+ types of credentials using Nosey Parker
• 🔧 Removing secrets from git history using BFG tool
• ⚡ Automating the complete security remediation workflow
• 📊 Displaying results in an intuitive main area interface

• 100+ Secret Types: API keys, passwords, tokens, certificates
• Low False Positives: Advanced pattern matching and validation
• Git History Scanning: Deep analysis of entire repository history
• Multiple Formats: JSON, database connections, configuration files

• Main Area Display: Wide layout perfect for scan results
• Activity Bar Integration: Easy access via shield icon
• Smart Directory Selection: Auto-detects git repositories
• Progress Tracking: Real-time scanning and remediation progress
• Remove Files Flow: Sidebar button opens guided removal UI in main area
• Path-Based Safe Removal: Exact path deletion across branches with preview
• Results Export: Export findings to JSON or print/save as PDF directly from the results view

• One-Click Dependency Install: Docker, Nosey Parker, BFG tool
• Intelligent Scanning: Context-aware repository analysis
• Guided Remediation: Step-by-step secret removal process
• Git History Cleanup: Automatic history rewriting and cleanup
• Granular Deletion Feedback: Per-item BFG flags and patterns preview
• Preview Before Delete: Show exact matches across branches, remotes, and tags for path-based deletions
• Auto-Fetch Remotes: Fetches all remotes and tags before preview and execution

# Install from VS Code Marketplace
code --install-extension nikolareljin.leak-lock

# Or install from VSIX
code --install-extension leak-lock-0.0.1.vsix

• Activity Bar: Click the 🛡️ shield icon
• Command Palette: Ctrl+Shift+P → "Open Leak Lock Scanner"
• Status Bar: Click the shield icon

• Click "🔧 Install Dependencies" on first use
• Installs Docker images, BFG tool, and requirements
• One-time setup with progress tracking

• Auto-Detection: Git repositories selected automatically
• Manual Selection: Choose any directory to scan
• Review Results: Examine detected secrets in detailed table

• Select Secrets: Choose which ones to remove
• Generate Commands: Automatic BFG command generation
• Execute Cleanup: One-click git history rewriting

• Export JSON: Save all current findings and metadata to a .json file
• Print / Save as PDF: Use the print-friendly view from scan results for PDF reports
• Share Findings: Attach exports to tickets, audits, or remediation docs

• Open VS Code settings for Leak Lock.
• Enable leakLock.gitHistoryKeywordSearch.enabled.
• Configure keywords in leakLock.gitHistoryKeywordSearch.keywords.
• Optionally tune:
  • leakLock.gitHistoryKeywordSearch.searchCommitMessages
  • leakLock.gitHistoryKeywordSearch.searchFileHistory
  • leakLock.gitHistoryKeywordSearch.searchFileNames
  • leakLock.gitHistoryKeywordSearch.maxMatchesPerKeyword
  • leakLock.gitHistoryKeywordSearch.shortKeywordFileHistoryMaxCount

Note: leakLock.gitHistoryKeywordSearch.searchFileNames is disabled by default (opt-in) because it can increase scan time on large repositories.

Default keyword profile (designed for attribution-policy and secret hygiene):

• Agent/AI attribution terms: agent, assistant, claude, codex, copilot, gemini, gpt, chatgpt, openai, anthropic, aider, cursor, windsurf, meldbot, openclaw, nanoclaw
• Sensitive terms: password, token, api_key, secret The keyword list can include arbitrary text terms and filename fragments, not only predefined security words.

Example use case:

• Detect commit messages that mention coding agents.
• Detect potentially sensitive terms in historical file changes.
• Detect historical filenames that include specific terms (for example id_rsa, secrets, or custom naming conventions).

• Open from sidebar: click "🗑️ Remove files"
• Select repository (git root)
• Choose multiple files and/or directories
• Option A (fast): BFG, name-based grouping (single or per-item)
• Option B (safe): Git path-based, exact paths across branches
• Click "🔎 Preview matches" for path-based mode to see exact files across branches, remotes, and tags
• Remotes are fetched automatically to avoid missing references
• Prepare and review the generated command
• Final step (red): confirm to run (BFG or Git) and rewrite history

The extension adds a shield icon to the activity bar for easy access.

Simple welcome interface in the sidebar with a "Open Scanner" button.

"Leak-Lock" scanner button:

Full-width main area interface showing:

• Dependency installation status

• Directory selection with auto-detection
• Scanning controls and progress
• Results display in wide table format

This allows searching Git Commit history for messages with certain content. It could be useful when determining if any credentials or keywords unwillingly went out.

Real-time progress indication during repository scanning with Nosey Parker.

In case of found issues - like with these demo files:

Detailed table showing:

• Secret type and severity
• File location and line number
• Preview of detected content
• Action buttons for remediation

Step-by-step process for removing secrets:

• Secret selection checkboxes
• Replacement value input
• BFG command generation
• Git cleanup execution

leak-lock/
├── extension.js              # Main extension entry point
├── leakLockPanel.js          # Main area panel provider
├── welcomeViewProvider.js    # Activity bar welcome view
├── project-scan.js           # Legacy compatibility
├── package.json              # Extension manifest
├── media/
│   └── shield.svg            # Extension icon
└── docs/                     # Documentation files

• Main extension activation and command registration
• Dependency management and cleanup
• Status bar integration

• Main area webview panel provider
• Scanning workflow implementation
• Results display and remediation UI

• Activity bar sidebar integration
• Welcome interface and launch button

See also:

• docs/USER_GUIDE.md — full user guide
• docs/REMOVE_FILES.md — Remove Files flow details

• Node.js 16+
• VS Code 1.96.0+
• Docker (for testing scanning functionality)

# Clone repository
git clone https://github.com/nikolareljin/leak-lock.git
cd leak-lock

# Install dependencies
npm install

# Launch in development mode
code . # Press F5 to launch extension host

# Run tests
npm test

# Manual testing
# 1. Press F5 to launch extension host
# 2. Click shield icon in activity bar
# 3. Test dependency installation
# 4. Test scanning workflow

• Purpose: Secret detection and scanning
• Project: Nosey Parker by Praetorian — https://github.com/praetorian-inc/noseyparker
• Image: ghcr.io/praetorian-inc/noseyparker:latest
• Why it’s good: High-precision detection with 100+ well‑maintained rules, fast scanning, low false positives, and active community support.
• Integration: Containerized execution for portability and consistency across platforms

• Purpose: Git history rewriting and cleanup
• Project: BFG Repo-Cleaner — https://rtyley.github.io/bfg-repo-cleaner/
• Tool: Java-based command line utility
• Why it’s good: Safer, faster alternative to git filter-branch for removing large files or sensitive data from history; robust, battle‑tested, and widely recommended.
• Capabilities: Remove secrets from entire git history, delete files/folders by name
• Integration: Automated command generation and execution
• Note: Deletion matches by filename/folder name across history (not full path)

• Seamless integration: Combines Nosey Parker (detection) and BFG/git (removal) into a single VS Code experience.
• Safer defaults: Previews, path‑based alternative, and confirmation steps reduce risk.
• Productivity: One panel to scan, review, prepare commands, and execute — no shell juggling.
• Cross‑platform: Dockerized scanning and built‑in helpers make it reliable on Windows, macOS, and Linux.

• Purpose: Exact path-based history rewriting across branches
• Command: git filter-branch --index-filter 'git rm -r --cached --ignore-unmatch <path> ...' -- --all
• Preview: Lists per-branch matches before running
• Integration: Alternative path-safe removal flow in main panel

• leak-lock.openPanel - Open main scanner interface
• leak-lock.scanRepository - Start repository scanning
• leak-lock.fixSecrets - Open remediation interface
• leak-lock.openRemoveFiles - Open Remove Files flow
• leak-lock.cleanup - Clean up all dependencies

• Docker: Container runtime for Nosey Parker
• Java: Runtime for BFG tool (auto-detected)
• Git: Version control operations

The extension provides comprehensive cleanup functionality:

• Removes Nosey Parker Docker image
• Deletes BFG tool jar file
• Cleans up temporary files and directories
• Removes Docker volumes created by extension

Use command palette: Leak Lock: Clean Up Dependencies

We welcome contributions! Areas for improvement:

• 🔍 Additional secret detection patterns
• 🎨 UI/UX enhancements
• 📖 Documentation improvements
• 🧪 Test coverage expansion

• ✨ Initial release with core functionality
• 🛡️ Main area interface for wide result display
• 🔧 Automated dependency installation
• 🎯 Smart directory selection for git repositories
• 🧹 Complete cleanup on uninstall

MIT License - see LICENSE file for details.

• 📖 Documentation - Comprehensive guides
• 💬 Issues - Bug reports
• 📧 Contact: Create an issue for support

Made with ❤️ for secure development