As a user, I want to see a visually consistent UI so that all pages match the amber-scanner mock designs exactly. This task covers implementing the global color palette (#0A1F44 background, #142850 surface, #E8F1F2 text, #F9A826 amber accent, #27496D muted), typography, shared layout components, and removing any scaffold pages not needed by the project (e.g. generic welcome page). This task is independent and must be completed before any page-specific implementation begins.
As a user, I want the system to automatically scan public GitHub repositories every two minutes so that exposed AI API keys are continuously detected. Implement a FastAPI backend service that uses the GitHub API to search public repositories for exposed keys (OpenAI, Anthropic, Google AI, etc.), runs on a 2-minute interval scheduler, stores findings (repo URL, file path, key location, obfuscated key value, timestamp in IST) in MySQL via Alembic-managed schema, and exposes REST endpoints for the dashboard to consume.
As a user, I want to see an engaging landing page so that I can understand the amber-scanner system at a glance and navigate to the dashboard. Implement the Landing (v2) JSX design including the animated 'Code Matrix' scrolling background, interactive repository map, key detection amber pulse animation, dynamic stats panel, and micro-interactions with amber ripple hover effects. Entry point for both Student/Developer and Educator/Trainer personas.
As a user, I want to view a live dashboard so that I can monitor real-time exposed API key findings from public GitHub repositories. Implement the Dashboard (v2) JSX design including live findings feed, repository URL display, file path and key location details, stats panel (repos scanned, keys detected, common file types), and custom scan results view. Supports navigation from Landing and links to Settings. Used by both Student/Developer (View Live Findings, View Key Details, View Custom Scan) and Educator/Trainer (Monitor Findings, View Repo Details, View Stats Panel, Guide Scan Session) personas.
As a user, I want to configure my GitHub API key so that I can connect and customize the scanning process. Implement the Settings (v2) JSX design including the GitHub API key input field, secure save/update functionality, and connection status indicator. Navigated to from the Dashboard by both Student/Developer (Input GitHub Key) and Educator/Trainer (Configure API Key) personas, returning to the Dashboard after configuration.
As a user, I want detected API keys to be validated so that only authentic exposed keys are displayed on the dashboard. Implement a backend validation service in FastAPI/Python that checks each detected key against the respective AI provider's API (OpenAI, Anthropic, Google AI, etc.) to confirm authenticity, marks keys as valid/invalid in the database, and exposes validation status via the findings API.
As a user, I want to securely save my GitHub API key so that the system can use it for customized scanning without exposing it. Implement a FastAPI endpoint to accept, encrypt, and store user-provided GitHub API keys in MySQL, with retrieval for use in the scanner service. Supports the Settings page form submission.
As a user, I want to interact with an AI assistant so that I can get user-friendly explanations about detected findings, key risks, and secure coding practices. Implement a FastAPI AI assistant endpoint using GPT 5.4 via LiteLLM for LLM routing and Langchain for prompt orchestration. Supports the dashboard/ai-assistant page.
As a user, I want the dashboard to receive real-time findings so that I can see newly detected exposed keys without refreshing the page. Implement a FastAPI WebSocket or SSE endpoint that streams live scan findings to the frontend dashboard, including repo URL, file path, key location, validation status, and IST timestamp. Supports the Dashboard page's real-time feed.
As a user, I want the Settings page to save and load my GitHub API key from the backend so that my configuration persists across sessions. Wire the Settings (v2) frontend to the GitHub Key Settings API for save, update, and connection status display.
As a user, I want to access an AI assistant interface so that I can ask questions about exposed key findings and learn about secure coding practices. Implement the dashboard/ai-assistant page frontend with a chat-style UI using the amber-scanner theme, wired to the AI Assistant API backend. Supports educational interactions for both Student/Developer and Educator/Trainer personas.
As a user, I want the Dashboard page to display live data from the backend so that I see real findings from the GitHub scanner. Wire the Dashboard (v2) frontend to the live findings WebSocket/SSE API, stats REST endpoint, and repo details endpoint. Handle loading, error, and empty states. Enable real-time amber pulse animation on new key detection.

amber-scanner continuously monitors public GitHub repositories every two minutes, detecting and validating exposed AI API keys in real time. Built for education, designed for awareness.
Three powerful pillars working together to detect, validate, and educate about exposed API keys across the GitHub ecosystem.
Interactive visualization of the GitHub ecosystem. Hover over nodes to explore scanning activity and detection results in real time.
14,832
Repositories Scanned
2,461
Keys Detected
98.6%
Detection Rate
< 2 min
Last Scan Time
Auto-updates every 2 minutes · Last refreshed just now
Recently detected exposed API keys across public GitHub repositories. Updated every 2 minutes.
| Repository | File Path | Key Type | Detected | Status |
|---|---|---|---|---|
| acme-corp/ml-pipeline | src/config/api_keys.py | OpenAI | 12 sec ago | Active Exposure |
| devteam/chatbot-v2 | .env.production | Anthropic | 34 sec ago | Active Exposure |
| janedoe/research-assistant | config/settings.json | 1 min ago | Validating... | |
| startup-io/backend-api | deploy/docker-compose.yml | AWS | 2 min ago | Active Exposure |
| open-labs/data-toolkit | notebooks/train_model.ipynb | OpenAI | 3 min ago | Revoked |
| cloud9/payment-service | src/stripe_handler.js | Stripe | 4 min ago | Active Exposure |
| uni-project/nlp-demo | app/utils/constants.py | HuggingFace | 5 min ago | Validating... |
| techbro/saas-boilerplate | server/config.ts | Anthropic | 6 min ago | Active Exposure |
Showing 1–8 of 20 findings
Designed for learners and educators who want to understand API key security through real-world scanning and detection.
Individuals learning about secure coding practices and API key management. Explore real-world examples of exposed keys and understand how to protect your own projects.
Professionals teaching secure coding practices and cybersecurity awareness. Use amber-scanner as a live teaching tool to demonstrate real-world consequences of exposed API keys.
amber-scanner exists to educate developers and security professionals about the risks of exposed API keys. Our three-pillar approach transforms awareness into actionable knowledge.
Understand the real-world risks of exposed API keys in public repositories and why securing credentials is critical for every developer.
Experience live scanning of public GitHub repositories in real-time, observing how amber-scanner detects and validates exposed AI API keys.
Go beyond detection — learn actionable strategies to prevent API key exposure and secure your projects using industry best practices.
Strictly for educational purposes. amber-scanner is designed to raise awareness about API key security, not to facilitate unauthorized access. All detected keys are displayed responsibly, and the system is intended as a teaching tool for students, developers, and educators.
Connect your GitHub account and explore how AI API keys are inadvertently exposed across public repositories. Learn to identify, validate, and mitigate security risks through hands-on scanning.
Strictly for educational purposes. No private repositories are accessed.
Everything you need to know about amber-scanner, its purpose, and how to get started.
amber-scanner is an educational tool that scans public GitHub repositories every two minutes for exposed AI API keys from providers like OpenAI, Anthropic, and Google AI. It detects, validates, and displays findings on a live dashboard, including repository URLs, file paths, and key locations. The project exists to raise awareness about the risks of accidentally committing secrets to public repositories.
Absolutely not. amber-scanner is designed strictly for educational purposes — to help developers and educators understand the real-world consequences of exposed API keys. All detected keys are partially obfuscated on the dashboard, and the system does not attempt to use or exploit any discovered credentials. Our goal is awareness and prevention, not exploitation.
The system performs automated scans of public GitHub repositories every two minutes. Each scan cycle searches for patterns matching common AI API key formats, validates detected keys to confirm authenticity, and pushes results to the real-time dashboard. All timestamps are displayed in IST (Indian Standard Time) by default.
Navigate to the Settings page and enter your personal GitHub API token. This allows amber-scanner to perform customized scans with higher rate limits and access to your preferred repositories. Your key is encrypted and stored securely — it is never exposed or logged.
amber-scanner currently detects exposed keys from major AI service providers, including:
sk-... — OpenAI API keyssk-ant-... — Anthropic API keysAIza... — Google AI / Gemini keysEach detected key is validated against the respective provider’s endpoint to confirm whether it is active or expired.
No. amber-scanner only scans publicly accessible GitHub repositories. It operates entirely within the scope of GitHub’s public API and does not attempt to access, index, or scan private repositories, organizations, or gists. When you provide your own GitHub API key, it is used solely to increase rate limits for public repo scanning.
The primary users are:
If you discover that one of your API keys has been exposed, take these steps immediately:
amber-scanner is here to help you catch these mistakes early and learn from them.
No comments yet. Be the first!