The amber-scanner project is a web-based system designed to scan all public GitHub repositories for exposed AI API keys (e.g., OpenAI, Anthropic, Google AI, etc.) every two minutes. The system detects, validates, and displays findings on a live dashboard, including the GitHub repository URL, the exact file path, and the location where the exposed key is detected.
This system is intended strictly for educational purposes, aiming to raise awareness about the risks of exposed API keys and to demonstrate practical methods for detecting and mitigating such risks. It is not intended for malicious use or unauthorized access to sensitive data.
This document outlines the system's requirements, features, and design considerations to ensure clarity and alignment with the project's goals.
The amber-scanner system operates as an educational tool to demonstrate the importance of securing API keys in public repositories. It autonomously scans public GitHub repositories at regular intervals (every two minutes) and provides a live dashboard for users to view the results.
Key features include:
The system is designed for educational purposes and is not intended for commercial use or to infringe on the privacy of GitHub users.
Student/Developer
Educator/Trainer
#0A1F44 (Deep Navy Blue)#142850 (Dark Blue)#E8F1F2 (Soft White)#F9A826 (Vibrant Amber)#27496D (Muted Blue-Grey)This palette reflects a professional yet engaging aesthetic, with amber accents symbolizing the project's name and purpose.
Interactive "Code Matrix" Dashboard
The homepage/landing page will feature an animated "code matrix" background that mimics the look of scrolling code snippets. These snippets will dynamically update to show real-time scanning activity, such as repository names and detected API keys (obfuscated for privacy).
Key features of the design:
This design will create an immersive and visually striking experience, making the educational purpose of the system both engaging and memorable.

amber-scanner continuously monitors public GitHub repositories every two minutes, detecting and validating exposed AI API keys in real time. Built for education, designed for awareness.
Three powerful pillars working together to detect, validate, and educate about exposed API keys across the GitHub ecosystem.
Interactive visualization of the GitHub ecosystem. Hover over nodes to explore scanning activity and detection results in real time.
14,832
Repositories Scanned
2,461
Keys Detected
98.6%
Detection Rate
< 2 min
Last Scan Time
Auto-updates every 2 minutes · Last refreshed just now
Recently detected exposed API keys across public GitHub repositories. Updated every 2 minutes.
| Repository | File Path | Key Type | Detected | Status |
|---|---|---|---|---|
| acme-corp/ml-pipeline | src/config/api_keys.py | OpenAI | 12 sec ago | Active Exposure |
| devteam/chatbot-v2 | .env.production | Anthropic | 34 sec ago | Active Exposure |
| janedoe/research-assistant | config/settings.json | 1 min ago | Validating... | |
| startup-io/backend-api | deploy/docker-compose.yml | AWS | 2 min ago | Active Exposure |
| open-labs/data-toolkit | notebooks/train_model.ipynb | OpenAI | 3 min ago | Revoked |
| cloud9/payment-service | src/stripe_handler.js | Stripe | 4 min ago | Active Exposure |
| uni-project/nlp-demo | app/utils/constants.py | HuggingFace | 5 min ago | Validating... |
| techbro/saas-boilerplate | server/config.ts | Anthropic | 6 min ago | Active Exposure |
Showing 1–8 of 20 findings
Designed for learners and educators who want to understand API key security through real-world scanning and detection.
Individuals learning about secure coding practices and API key management. Explore real-world examples of exposed keys and understand how to protect your own projects.
Professionals teaching secure coding practices and cybersecurity awareness. Use amber-scanner as a live teaching tool to demonstrate real-world consequences of exposed API keys.
amber-scanner exists to educate developers and security professionals about the risks of exposed API keys. Our three-pillar approach transforms awareness into actionable knowledge.
Understand the real-world risks of exposed API keys in public repositories and why securing credentials is critical for every developer.
Experience live scanning of public GitHub repositories in real-time, observing how amber-scanner detects and validates exposed AI API keys.
Go beyond detection — learn actionable strategies to prevent API key exposure and secure your projects using industry best practices.
Strictly for educational purposes. amber-scanner is designed to raise awareness about API key security, not to facilitate unauthorized access. All detected keys are displayed responsibly, and the system is intended as a teaching tool for students, developers, and educators.
Connect your GitHub account and explore how AI API keys are inadvertently exposed across public repositories. Learn to identify, validate, and mitigate security risks through hands-on scanning.
Strictly for educational purposes. No private repositories are accessed.
Everything you need to know about amber-scanner, its purpose, and how to get started.
amber-scanner is an educational tool that scans public GitHub repositories every two minutes for exposed AI API keys from providers like OpenAI, Anthropic, and Google AI. It detects, validates, and displays findings on a live dashboard, including repository URLs, file paths, and key locations. The project exists to raise awareness about the risks of accidentally committing secrets to public repositories.
Absolutely not. amber-scanner is designed strictly for educational purposes — to help developers and educators understand the real-world consequences of exposed API keys. All detected keys are partially obfuscated on the dashboard, and the system does not attempt to use or exploit any discovered credentials. Our goal is awareness and prevention, not exploitation.
The system performs automated scans of public GitHub repositories every two minutes. Each scan cycle searches for patterns matching common AI API key formats, validates detected keys to confirm authenticity, and pushes results to the real-time dashboard. All timestamps are displayed in IST (Indian Standard Time) by default.
Navigate to the Settings page and enter your personal GitHub API token. This allows amber-scanner to perform customized scans with higher rate limits and access to your preferred repositories. Your key is encrypted and stored securely — it is never exposed or logged.
amber-scanner currently detects exposed keys from major AI service providers, including:
sk-... — OpenAI API keyssk-ant-... — Anthropic API keysAIza... — Google AI / Gemini keysEach detected key is validated against the respective provider’s endpoint to confirm whether it is active or expired.
No. amber-scanner only scans publicly accessible GitHub repositories. It operates entirely within the scope of GitHub’s public API and does not attempt to access, index, or scan private repositories, organizations, or gists. When you provide your own GitHub API key, it is used solely to increase rate limits for public repo scanning.
The primary users are:
If you discover that one of your API keys has been exposed, take these steps immediately:
amber-scanner is here to help you catch these mistakes early and learn from them.
No comments yet. Be the first!