Editions

Free where it counts, paid where it decays

Credential detection is free and stays free. The paid value is keeping skarn current, not the credential regexes - those barely change. What decays fast is the session-format parsers and the AI-attack behavioral patterns. Those are the maintenance you subscribe to, layered on top of a free baseline that is never paywalled.

Last updated 2026-06-18.

Why the line is here

The split follows what ages and what does not.

Provider key formats - AWS AKIA, GitHub ghp_, Stripe, and the rest - have been stable for years, so a frozen credential ruleset still catches most real leaks. Paywalling that would charge you for the part that barely moves. What does move, fast, is two things. The session-format parsers: a coding assistant can change its on-disk format in a point release, and an unmaintained parser silently goes blind to everything written after that. And the AI-attack behavioral patterns: the prompt-injection and exfiltration techniques that are still being discovered. Those are the maintenance worth paying for, and they are what the subscription keeps current.

The three editions

One binary. The free edition is the whole local scanner; the paid editions keep it current and roll it up across a fleet.

Free - Local scanner and recall

The local scan for leaked credentials and attack patterns (skarn check), all session recall (search, recent, stats, tools, mcps, cmds, usage), the bundled credential and attack-pattern rules, and the localhost web UI (skarn serve). A single machine, scans locally, no network by default, free forever. Baseline credential detection is never paywalled.

Team - The maintained subscription

The signed, versioned maintained feed of detection-rule and AI-attack-pattern updates (--update-rules), verified locally against an embedded key and layered over the free baseline; the always-current binary with fresh session-format parsers over a credentialed channel; and the CI gating flags (--fail-on-severity, --fail-on-risk, --baseline, SARIF export). It also unlocks the opt-in deeper detections that still run locally: supply-chain package checks (--check-packages, typosquat and suspicious-URL installs) and AI-written insecure-code flagging (--check-code). A lapsed subscription stops new updates; it never disables a copy you already have. No timebomb.

Enterprise - Fleet console and governance

A self-hosted fleet console that rolls up redacted findings and metadata across many machines - never raw secrets - with SSO, RBAC, and audit. It adds the opt-in online enrichment checks (--osv, --min-package-age, --verify) for teams that want package-age and vulnerability signals, and the enterprise output profile (--profile enterprise: high-confidence, deduped).

Questions, answered

Is credential detection free?
Yes, and it stays free. The local scan, all recall, the bundled rules, and the localhost web UI are free forever on a single machine. Provider key formats barely change, so the baseline still catches most real leaks - paywalling it would charge you for the part that does not move.
What does the subscription actually buy?
Keeping skarn current. The session-format parsers and the AI-attack behavioral patterns are the fast-decaying assets; the Team edition is the maintained feed of those updates plus an always-current binary with fresh parsers.
Does a lapsed subscription disable skarn?
No. It stops new updates and nothing else. The binary and rules you already installed keep working - there is no timebomb.
How does the maintained feed reach my machine?
As a signed, versioned feed verified locally against a key embedded in the binary, then layered over the free baseline rules. The verification happens on your machine.

Start free, subscribe to stay current

Run the free local scanner today. When you want the maintained feed, fresh parsers, and CI gating for a team, or a self-hosted console across a fleet, ask for access.

Runs on macOS, Windows, and Linux, on both Intel and ARM.