AI session security and secret-scanning tools compared
Five tools that find leaked secrets in AI coding work, split by the surface each one actually scans: the AI session logs on disk, the live prompt stream, or your git repositories.
Short answer: if you need to find secrets your developers pasted into AI coding assistants, the surface a tool reads matters more than the tool itself. skarn and Sieve read the AI session logs already on disk; GitGuardian's ggshield hook blocks secrets in real time as developers prompt; gitleaks and trufflehog scan git repositories and miss AI sessions entirely. skarn is the option that covers five assistants on macOS and Linux, correlates attack chains, and produces a risk score for governance and CI.
Last updated 2026-06-14. We keep this page current as the tools change.
At a glance
The one axis that decides which tool you need: what it looks at.
| Tool | Surface scanned | AI assistants | Beyond keys | Local-only | License | Platforms |
|---|---|---|---|---|---|---|
| skarn | AI session logs on disk | 5 (Claude Code, Cursor, Codex, Gemini, Copilot Chat) | Attack chains + risk score | Yes, no egress | Closed, commercial | macOS, Linux |
| Sieve | AI chat history + .env | 8+ (incl. Windsurf, Cline, Claude Desktop) | Keys / secrets only | Yes, on-device | Closed, paid app | macOS only |
| GitGuardian ggshield (AI hook) | Live prompts + tool calls | 3 (Cursor, Claude Code, Copilot) | Real-time block / notify | No, cloud detection engine | Commercial | Cross-platform |
| gitleaks | Git repositories | None | Secrets only | Yes | Open source (MIT) | Cross-platform |
| trufflehog | Git repos + data stores | None | Live key verification | Only with verification off; verification calls providers | Open source + commercial | Cross-platform |
The tools, in detail
skarn Best for: auditing AI-session exposure across a team
skarn is an AI session security scanner that reads the local session transcripts AI coding assistants already write to disk, across Claude Code, Cursor, Codex CLI, Gemini CLI, and VS Code Copilot Chat, from a single binary. It pulls leaked credentials out of past sessions, redacts and scores each one, and attributes it to the exact session, using 235 built-in rules covering 200+ credential types. Beyond keys, it correlates multi-stage attacks - a prompt injection that drives a secret read and then an exfiltration - into a kill chain mapped to the NVIDIA AI Kill Chain, and assigns a 0-100 risk score per session and per team for dashboards or a CI gate. It makes no network calls by default and redaction is enforced by a gate, which is what gets it past data-residency review.
Strengths
- Only tool here that correlates attack chains, not just secrets
- Five assistants from one binary, on macOS and Linux
- Local-only, no egress, redaction enforced by a gate
- SARIF / JSON output and CI gating by severity or risk score
Limits
- Does not scan git repositories - pair it with a git scanner
- Closed source, commercial
- Windows on request, not yet a shipped target
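A CI gate over SARIF output, as an added example that is not skarn's code and does not reproduce its output format: it reads a constructed SARIF 2.1.0 document (the rule ids, the session URIs and the run-level `riskScore` property are assumptions for this example), counts results by level, and fails the build on any result at or above a chosen level or on a risk score over a threshold. A result with no `level` is treated as `warning`, which is the SARIF default.

```python
import json
from typing import Optional

# Added example, not skarn's output or code. The document below is constructed in the
# SARIF 2.1.0 shape (runs -> results with ruleId, level, locations); the rule ids, the
# session URIs and the run-level "riskScore" property are assumptions for this example.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-session-scanner"}},
        "properties": {"riskScore": 72},
        "results": [
            {"ruleId": "aws-access-key-id", "level": "error",
             "message": {"text": "AWS access key id in user prompt (redacted)"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "sessions/2026-06-01.jsonl"},
                 "region": {"startLine": 14}}}]},
            {"ruleId": "generic-high-entropy", "level": "warning",
             "message": {"text": "High-entropy string in tool output"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "sessions/2026-06-03.jsonl"},
                 "region": {"startLine": 88}}}]},
            # No "level" on this one: SARIF says to treat it as "warning".
            {"ruleId": "env-file-read",
             "message": {"text": "Assistant read .env"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "sessions/2026-06-03.jsonl"},
                 "region": {"startLine": 90}}}]},
        ],
    }],
})

# SARIF result levels in increasing severity.
LEVEL_RANK = {"none": 0, "note": 1, "warning": 2, "error": 3}


def iter_results(sarif: dict):
    """Yield every result across all runs in a parsed SARIF document."""
    for run in sarif.get("runs", []):
        yield from run.get("results", [])


def describe(result: dict) -> str:
    """One-line location for a finding: ruleId at uri:line."""
    loc = result.get("locations", [{}])[0].get("physicalLocation", {})
    uri = loc.get("artifactLocation", {}).get("uri", "?")
    line = loc.get("region", {}).get("startLine", "?")
    return f"{result.get('ruleId', '?')} at {uri}:{line}"


def count_by_level(sarif_text: str) -> dict:
    """Counts per level, applying the SARIF default of 'warning' for a missing level."""
    counts: dict = {}
    for result in iter_results(json.loads(sarif_text)):
        level = result.get("level", "warning")
        counts[level] = counts.get(level, 0) + 1
    return counts


def gate(sarif_text: str, fail_on: str = "error", max_risk: Optional[int] = None):
    """Return (passed, reasons).

    Fails on any result at or above `fail_on`, and, when `max_risk` is given, on any
    run whose riskScore property (assumed here) exceeds it.
    """
    sarif = json.loads(sarif_text)
    threshold = LEVEL_RANK[fail_on]
    reasons = []
    for result in iter_results(sarif):
        level = result.get("level", "warning")
        if LEVEL_RANK.get(level, LEVEL_RANK["warning"]) >= threshold:
            reasons.append(f"{level}: {describe(result)}")
    if max_risk is not None:
        for run in sarif.get("runs", []):
            score = run.get("properties", {}).get("riskScore")
            if score is not None and score > max_risk:
                reasons.append(f"risk score {score} exceeds {max_risk}")
    return (not reasons, reasons)


if __name__ == "__main__":
    import sys
    passed, reasons = gate(SAMPLE_SARIF, fail_on="error", max_risk=50)
    print("\n".join(reasons) or "no findings at gate threshold")
    sys.exit(0 if passed else 1)
```

Run as a CI step, the non-zero exit is what fails the job; the printed reasons carry only rule id and location, so the gate log never repeats a secret even if the scanner's own message text did.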
Sieve Best for: a quick local key scan on a Mac
Sieve is a closed-source macOS app that scans AI chat history and configuration files locally for exposed API keys, flags them by severity, and redacts them in place. Its assistant coverage is broad - Cursor, Claude Code, Claude Desktop, Copilot, Cline, Roo Cline, Windsurf, Gemini CLI, plus .env files - wider than skarn's list. It runs entirely on the device and is sold through the App Store. The trade-off is scope: it finds and redacts keys but does not correlate multi-stage attack chains, produce a portable risk score, or emit SARIF/CI output, and it is macOS only with no Linux build.
Strengths
- Broadest assistant list, including Windsurf, Cline, Claude Desktop
- Local, on-device, in-place redaction
- Simple App Store install for an individual developer
Limits
- Keys and secrets only - no attack-chain correlation
- macOS only, no Linux
- No SARIF / CI gating / team risk score for governance
GitGuardian ggshield (AI hook) Best for: real-time prevention at the prompt
GitGuardian's ggshield AI hook integrates with the native hook systems of Cursor, Claude Code, and VS Code with Copilot to scan in real time: before a prompt is sent, before a tool call, file read, or MCP call runs, and after tool use (where it notifies rather than blocks). It uses the GitGuardian detection engine, which covers more than 500 secret types. It is a preventive control over live activity rather than an audit of the session history already on disk, so it stops a secret at the moment of use but does not survey what has already accumulated in past sessions. It is a commercial product backed by the GitGuardian platform.
Strengths
- Real-time: blocks before submit and before tool use
- 500+ secret types from a mature detection engine
- Fits teams already standardized on GitGuardian
Limits
- Guards live activity, not the history already on disk
- Cloud-backed engine, not a local-only audit
- Three assistants; no attack-chain correlation
gitleaks Best for: pre-commit and CI scanning of repos
gitleaks is a fast, open-source (MIT) secret scanner for git repositories. It uses regex patterns plus entropy checks to find committed secrets, and is a common pre-commit and CI control because it is lightweight and deterministic. It scans repositories, not AI session logs - the key a developer pastes into a Claude or Cursor chat and never commits is outside what gitleaks looks at. It remains a sound default for repository hygiene, and pairs naturally with an AI-session scanner that covers the surface it does not.
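The surface point above, shown in code as an added example that is not gitleaks', trufflehog's or skarn's own code: a two-rule detector in the regex-plus-entropy style those scanners describe, run first over a constructed git diff and then over a constructed JSON-lines assistant transcript (a hypothetical layout, not any assistant's real schema). The rule ids are made up; the keys are the placeholder credentials from AWS's own documentation. The same access key shows up in both surfaces, but the secret key that was only ever pasted into the chat is found only by the scanner that reads session logs, and a 40-character run of `A` is dropped by the entropy floor even though it matches the regex.

```python
import json
import math
import re
from collections import Counter
from dataclasses import dataclass

# Added example, not code from gitleaks, trufflehog or skarn. Both inputs are constructed:
# a git diff, and a JSON-lines transcript in a hypothetical layout (not any assistant's
# real schema). The keys are the placeholder credentials from AWS documentation.
SAMPLE_GIT_DIFF = """\
diff --git a/config.py b/config.py
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+DB_HOST = "db.internal"
"""

SAMPLE_SESSION_JSONL = "\n".join([
    json.dumps({"role": "user", "content": "boto3 fails with AKIAIOSFODNN7EXAMPLE / "
                                          "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY, why?"}),
    json.dumps({"role": "assistant", "content": "Check the region setting first."}),
])


@dataclass(frozen=True)
class Rule:
    id: str                    # rule ids are made up for this example
    pattern: re.Pattern
    min_entropy: float = 0.0   # bits per character; 0 disables the entropy check


# Regex plus an entropy floor, the approach gitleaks and trufflehog describe.
RULES = [
    Rule("aws-access-key-id", re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")),
    Rule("aws-secret-access-key",
         re.compile(r"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=])"),
         min_entropy=4.0),
]


@dataclass(frozen=True)
class Finding:
    rule_id: str
    source: str
    line_no: int
    redacted: str   # never the raw secret


def shannon_entropy(s: str) -> float:
    """Bits per character: a 40-char run of 'A' scores 0, a real key well above 4."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def redact(secret: str) -> str:
    """Keep 4 chars at each end so a finding can be tied to a rotation ticket."""
    if len(secret) <= 8:
        return "*" * len(secret)
    return secret[:4] + "*" * (len(secret) - 8) + secret[-4:]


def scan_line(line: str, source: str, line_no: int) -> list:
    found = []
    for rule in RULES:
        for m in rule.pattern.finditer(line):
            candidate = m.group(0)
            if rule.min_entropy and shannon_entropy(candidate) < rule.min_entropy:
                continue   # right shape, but a placeholder rather than a key
            found.append(Finding(rule.id, source, line_no, redact(candidate)))
    return found


def scan_text(text: str, source: str) -> list:
    """What a repository scanner sees: the raw lines of a file or diff."""
    return [f for n, line in enumerate(text.splitlines(), 1)
            for f in scan_line(line, source, n)]


def scan_session_jsonl(text: str, source: str) -> list:
    """What a session-log scanner sees: the message text inside each JSON line.

    Decoding first matters: JSON escaping (\\", \\n, \\uXXXX) can sit inside a
    pasted value, and a regex over the raw line would then see the escape bytes.
    """
    found = []
    for n, raw in enumerate(text.splitlines(), 1):
        try:
            msg = json.loads(raw)
        except json.JSONDecodeError:
            continue   # truncated line from an interrupted session: skip, do not crash
        content = msg.get("content", "")
        if isinstance(content, str):
            found.extend(scan_line(content, source, n))
    return found


if __name__ == "__main__":
    for f in scan_text(SAMPLE_GIT_DIFF, "config.py (diff)"):
        print(f)
    for f in scan_session_jsonl(SAMPLE_SESSION_JSONL, "session.jsonl"):
        print(f)
```

The git pass reports one finding (the access key id on diff line 2); the session pass reports two, because the secret key exists only in the prompt. Real scanners carry hundreds of rules and tune the entropy floor per rule, but the split between "what was committed" and "what was pasted into a chat" is exactly this one.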
Strengths
- Free, open source, fast and deterministic
- Excellent for pre-commit and CI on repositories
Limits
- Git repositories only - no AI session coverage
- No live verification of whether a secret is valid
trufflehog Best for: verified secret findings in repos and stores
trufflehog is an open-source secret scanner (with a commercial enterprise tier) for git repositories and, in its enterprise form, data stores such as S3, Slack, and Jira. Its distinguishing feature is live verification: after finding a candidate via regex and entropy, it calls the relevant provider to confirm whether the credential is actually valid, which cuts false positives. Like gitleaks, it targets repositories and stores, not AI coding-assistant session logs, so it is complementary to an AI-session scanner rather than overlapping with it.
Strengths
- Live verification confirms a secret is actually valid
- Enterprise tier reaches beyond git into data stores
Limits
- Repositories and stores, not AI session logs
- Verification makes outbound calls to providers, presenting each candidate credential to its issuer; check that against your data-handling rules before enabling it
Also in this space: Entro's MCP Audit plugin (visibility into Claude Code and MCP agent activity), and Claude Code hooks such as claude-vault and mintmcp/agent-security (local secret hooks and log redaction). These are narrower, single-assistant tools rather than cross-assistant audits.
Which one should you use?
Pick by the surface you are worried about, then combine.
- You want to know what has already leaked into AI sessions across a team.
- Use skarn. It audits the history on disk across five assistants, correlates attack chains, and gives you a risk score per session and per team for a report or a CI gate, all locally.
- You want one developer on a Mac to spot-check their own AI chat history for keys.
- Sieve is a quick on-device option with the broadest assistant list, if attack-chain correlation, Linux, and CI output are not needed.
- You want to stop secrets at the moment a developer prompts.
- GitGuardian's ggshield AI hook is a real-time preventive control. Pair it with an audit of the history already on disk, which a live hook does not cover.
- You want to scan your repositories.
- gitleaks for fast pre-commit and CI, or trufflehog when verified findings matter. Neither covers AI sessions - run an AI-session scanner alongside them.
See your own AI-session exposure in 30 minutes
A scoped, consent-first assessment run with you on a developer's machine. Nothing leaves the laptop - you watch it run and keep the redacted report.
Runs on macOS and Linux today. Windows on request.