knurl / secret & config scanner

Catch leaked keys & misconfigs before you ship.

Ask an AI to check a config for leaked secrets and it guesses. A scanner doesn't. Paste a .env, docker-compose.yml, nginx config, or any blob — get a severity-ranked report of what leaked, where, why it's risky, and how to fix it.

Your input never leaves this page. The scan runs entirely in your browser with the same deterministic engine our assistant connectors use — no upload, no network call, nothing stored. Open your browser's Network tab and watch: scanning makes zero requests.


How it works

  1. Paste a config or code snippet above (or load the example).
  2. The scanner runs fixed pattern + entropy rules locally and lists every match by severity.
  3. Each finding shows the location, a redacted preview, why it's risky, and a concrete fix.

What it detects

Secrets

AWS/GCP/Azure, Stripe, GitHub/GitLab, OpenAI/Anthropic/Gemini/Hugging Face/Groq/Replicate, private keys, JWTs, database URIs, and high-entropy strings.

Misconfigs

Debug mode on, 0.0.0.0 binds, disabled/weak TLS verification, privileged containers, default and weak passwords.

Low false positives

Curated, high-confidence rules. Placeholders, UUIDs, git SHAs, and hashes are filtered so the result is trustworthy.
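As an added illustration of the approach described under "How it works" and "Low false positives" (fixed patterns plus an entropy rule, with ids, digests and placeholders filtered out and previews redacted), here is example code written for this page, not knurl's engine; the rule set, severities, entropy threshold and sample config are assumptions.

```python
import math, re
# Illustrative (name, kind, severity, regex) rules; assumptions for this example, not knurl's ruleset.
RULES = [
    ("aws-access-key-id", "secret", "high", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("database-uri-with-password", "secret", "high", re.compile(r"\b(?:postgres|mysql|mongodb)://[^\s'\"]+:[^\s'\"@]+@")),
    ("debug-enabled", "misconfig", "medium", re.compile(r"(?i)\bDEBUG\s*[=:]\s*(?:true|1|on)\b")),
    ("bind-all-interfaces", "misconfig", "medium", re.compile(r"\b0\.0\.0\.0\b")),
    ("privileged-container", "misconfig", "high", re.compile(r"(?i)\bprivileged\s*:\s*true\b")),
]
TOKEN = re.compile(r"[A-Za-z0-9+/_\-]{20,}")                                   # candidates for the entropy rule
UUID = re.compile(r"^[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
HEX_DIGEST = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.I)  # md5, sha1/git sha, sha256
PLACEHOLDER = re.compile(r"(?i)change_?me|example|placeholder|your[-_]|xxx+|<[^>]*>")
RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}
def shannon_entropy(s):                  # bits per character; 32 distinct chars in a 32-char token scores 5.0
    probs = [s.count(c) / len(s) for c in set(s)]
    return -sum(p * math.log2(p) for p in probs)
def redact(value):                       # preview keeps a short prefix only, so the report cannot re-leak it
    return value[:4] + "*" * (len(value) - 4)
def scan(text, threshold=4.0):
    """Return findings as (severity, line_no, rule, preview), highest severity first."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        secret_found = False
        for name, kind, sev, rx in RULES:
            for m in rx.finditer(line):
                if kind == "secret" and PLACEHOLDER.search(m.group()):
                    continue                  # documented sample keys and fill-in values are noise
                secret_found |= kind == "secret"
                findings.append((sev, n, name, redact(m.group()) if kind == "secret" else m.group()))
        if secret_found:
            continue                          # a pattern already explains this line; no double report
        for tok in TOKEN.findall(line):
            if UUID.match(tok) or HEX_DIGEST.match(tok) or PLACEHOLDER.search(line):
                continue                      # ids, digests and placeholders look random but aren't secrets
            if shannon_entropy(tok) >= threshold:
                findings.append(("medium", n, "high-entropy-string", redact(tok)))
    return sorted(findings, key=lambda f: (RANK[f[0]], f[1]))
# Constructed sample input; the key-shaped values are made up, not real credentials.
SAMPLE = """\
AWS_ACCESS_KEY_ID=AKIAQ7Z3M2N8P1K4J6H5
LEGACY_KEY=AKIAIOSFODNN7EXAMPLE
DATABASE_URL=postgres://app:s3cr3tpass@db.internal:5432/app
SESSION_SECRET=changeme-please-replace-this-value
BUILD_SHA=9fceb02d0ae598e95dc970b74767f19372d61af8
REQUEST_ID=123e4567-e89b-12d3-a456-426614174000
API_TOKEN=kQ9xT2vLm8ZpR4wN7yB1cH6dJ3gF5aE0
DEBUG=true
privileged: true
"""
```

Running `scan(SAMPLE)` reports the constructed AWS key, the database password, the privileged container, the high-entropy API token and the debug flag, while the documented placeholder key, the changeme value, the git SHA and the UUID are filtered.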

Use it inside your AI assistant

The same scanner runs as a connector — ask "any leaked secrets or misconfigs here?" right in your chat.

ChatGPT

Add the knurl Secret Scanner app, then paste & ask. (Directory link coming at launch.)

Claude & Cursor

Add the MCP server https://mcp.knurl.tools/mcp in your client. Setup ships with the connector.

Pricing

Free

$0
  • Unlimited in-browser scans
  • Full secret + misconfig ruleset
  • Deterministic & private — no account

Pro

Coming soon
  • Batch / whole-repo scans
  • CI & pre-commit checks
  • Saved scan history & trends

Billed on our own checkout — your account and receipts stay with knurl, not the assistant platform.

FAQ

Does my config get uploaded?

No. On this page the scan runs entirely in your browser using WebAssembly-free JavaScript — there is no server call. You can verify it in your browser's Network tab.

Is it deterministic?

Yes. It's fixed rules plus entropy analysis, not a language model. The same input always produces the same findings.

What's the difference between this and asking ChatGPT directly?

An LLM reads text linearly and can miss or hallucinate secrets. A scanner applies exhaustive rules every time. The knurl connector gives the assistant a real scanner to call instead of guessing.

Should I paste a real production secret?

You can — it never leaves your browser — but rotate anything the scanner flags. Treat a flagged secret as already exposed.