// open source · self-hosted

Find leaked keys, then close the loop.

keyhound is a single binary (plus an optional local dashboard) for hunting credentials in GitHub search results, front-end bundles, and local trees. It can validate many key types against vendor APIs, generate curl-style proof snippets, draft disclosure text, and run a scheduled diff from your own repo — no vendor lock-in.

147 regex patterns · 40+ providers

// what it does

Find, validate, document — in one toolchain.

A match alone usually isn’t enough for a clean disclosure. keyhound is built around checking whether a key still answers, what it can read, and turning that into something a security team can act on.

// STAGE 1

Multi-surface find

GitHub code search with 90+ dorks, JS bundle + sourcemap walker, local filesystem scan, nested directory crawl. Anchored regex prefilter skips the 90% of files that can't possibly match.

// STAGE 2

Live validation

Every finding is tested against the real provider API with a read-only probe — whoami, list-models, get-account. Verdict is LIVE, DEAD, or ROTATED per key. No "potential match" noise to triage.

// STAGE 3

Ready-to-run checks

Per-provider templates (curl, Python, etc.) so you’re not rewriting the same probe every time. Chained steps can pass outputs between commands when you need a fuller picture of scope.

// STAGE 4

Disclosure drafting

Drafts an RFC-9116-aligned disclosure with CVSS, CWE, evidence block, fingerprint, and the matched security.txt contact already filled in. Five tones so you can pick what fits the vendor: humanized, formal, bug bounty, CVE-style, internal triage.

// STAGE 5

Recon on the side

Wraps the ProjectDiscovery / Tomnomnom stack: subfinder, httpx, katana, dnsx, urlfinder, waybackurls, gau, nuclei. Resolves attack surface before you even hit the regex layer.

// STAGE 6

Continuous monitor

An hourly GitHub Actions job in this repo can diff your watchlist against the last run (fingerprinted) and email only when something new shows up. You own the workflow and secrets — it’s not a hosted service.

// what it finds

Forty-plus providers, live-validated.

Not every pattern has a live validator — the ones below do. If your favourite isn't here, add a custom pattern + regex in the web UI.

AI · LLM: Anthropic, OpenAI, Google Gemini, Groq, OpenRouter, xAI, Cerebras, Perplexity, HuggingFace, Replicate, Fireworks
CLOUD: AWS, GCP, DigitalOcean, Heroku, Firebase
SOURCE: GitHub PAT, GitHub App, GitLab, NPM
PAY: Stripe, Stripe Restricted, Shopify
COMMS: Slack, Slack Webhook, Discord Bot, Telegram Bot, Twilio, SendGrid, Mailgun, Mailchimp
OPS: New Relic, Sentry, PagerDuty, Zendesk, Airtable, Notion, Linear, MongoDB Atlas, Postgres URI, JWT, PKCS + private keys

// why keyhound

Where it spends extra effort.

keyhound | gitleaks | trufflehog | Typical hosted scanner
regex scan
live validation: ✓ 137 validators; partial; partial
multi-step command chains: ✓ 14 templates; varies
PoC templates: ✓ curl/py/js/pdf
disclosure draft: ✓ RFC-9116 + PGP
scheduled watchlist: ✓ GH Actions (self-hosted); CI integrations; CI integrations; Hosted product
self-host: ✓ single binary
licensing: open source (self-host); open source; open source / commercial; vendor pricing

// get started

Get the tool.

Source is on GitHub. Reach out if you need help wiring validation keys or the watchlist workflow — especially for orgs scanning their own assets.
