After watching the same mistake happen in every group project, we built a tool that just handles it for you.
Vibe coding is fast. It's also quietly creating a credential leak epidemic.
Environment variables, secret managers, git hooks. What they are, why they matter.
Every group project. Every time. Someone commits an API key. It's in the history. The key has to be revoked. It takes an hour. Everyone is annoyed. We've been there more times than we'd like to admit.
Code Scrubber is a VSCode extension that just handles it. It runs in the background, spots credentials the moment you type them, and offers a one-click fix. Move to .env, done. No context switching, no manual editing, no forgetting.
We built it as an editor extension because that's where the mistake happens. Not in a separate security tool, not in your CI pipeline — in the editor, while you're copying an API key from a browser tab and pasting it directly into your code. Catching it there, at that moment, is the only way it actually helps new developers build the habit.
The core scanner and refactor tool are working. We're adding Python refactor templates, encrypted .env sharing, and a compromised credentials checker. If something's broken, open an issue on GitHub. We'll fix it.
Vibe coding is fast. You describe what you want, the model generates the code, you paste it in, it works. What it doesn't do is remind you that the API key you included in your prompt just ended up hard-coded in the output.
This is a structural problem. LLMs generate plausible code. If your prompt contains a key — because you were showing context, because you copied from an existing file — it will appear in the output. The model isn't making a mistake. It's doing exactly what you asked.
LLMs built into editors sometimes catch obvious patterns. But the check is often shallow, optional, and happens after the code is already written. An extension that statically scans the file on every save catches it regardless of how the code was generated — by hand, by Copilot, by Cursor, by paste.
Entropy-based detection catches the cases regex misses: unknown token formats, internal service credentials, anything that looks random but doesn't match a known pattern.
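The two layers described above, known-pattern regexes plus an entropy check for anything that looks random, as an added example. This is not Code Scrubber's own scanner; the token patterns, the secret-ish variable name list and the 3.5 bits-per-character threshold are assumptions chosen for the illustration, and the sample source lines are constructed.

```javascript
// Added example (not Code Scrubber's code): a minimal credential scanner that
// combines known-token regexes with Shannon entropy, so tokens in unknown
// formats are still flagged when they look random enough.

// Illustrative token shapes only, not an exhaustive list.
const KNOWN_PATTERNS = [
  { name: "aws-access-key-id", re: /\bAKIA[0-9A-Z]{16}\b/ },
  { name: "github-token", re: /\bghp_[A-Za-z0-9]{36}\b/ },
  { name: "private-key-block", re: /-----BEGIN [A-Z ]*PRIVATE KEY-----/ },
];

// Shannon entropy of a string, in bits per character.
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// A string literal of 16+ characters assigned to an identifier.
const ASSIGNMENT = /\b([A-Za-z_][A-Za-z0-9_]*)\s*[=:]\s*["'`]([^"'`]{16,})["'`]/g;
// Identifier names that suggest the value is a secret (assumed list).
const SECRET_NAME = /(key|secret|token|password|passwd|pwd|auth|credential)/i;
const ENTROPY_THRESHOLD = 3.5; // assumed threshold; tune per code base

// Scan one source line; returns an array of findings (possibly empty).
function scanLine(line, lineNo) {
  const findings = [];
  for (const { name, re } of KNOWN_PATTERNS) {
    const m = line.match(re);
    if (m) findings.push({ line: lineNo, kind: name, value: m[0] });
  }
  for (const m of line.matchAll(ASSIGNMENT)) {
    const [, varName, literal] = m;
    if (!SECRET_NAME.test(varName)) continue;
    // Skip literals already reported by a known pattern.
    if (findings.some((f) => literal.includes(f.value))) continue;
    const h = shannonEntropy(literal);
    if (h >= ENTROPY_THRESHOLD) {
      findings.push({ line: lineNo, kind: "high-entropy-literal", value: literal, entropy: h });
    }
  }
  return findings;
}

// Scan a whole file's text, numbering lines from 1.
function scanSource(source) {
  return source.split("\n").flatMap((line, i) => scanLine(line, i + 1));
}

// Constructed sample input: one known-format key, one random-looking token in
// an unknown format, and three lines that should not be flagged.
const SAMPLE = [
  'const awsKeyId = "' + "AKIA" + "X".repeat(16) + '";',
  'const internalToken = "q7Fz2kLm9pXc4vRb8nTy1wEs";',
  "const apiKey = process.env.API_KEY;",
  'const greeting = "hello hello hello hello";',
  'const password = "aaaaaaaaaaaaaaaaaaaa";',
];

for (const f of scanSource(SAMPLE.join("\n"))) {
  console.log(`line ${f.line}: ${f.kind}`);
}
```

The entropy layer only looks at literals assigned to secret-looking names; applying it to every long string in a file produces far too many false positives (URLs, base64 images, test fixtures), which is why the regex layer runs first and the entropy layer is scoped.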
If you just got an API key and you're about to paste it into your code — stop. Here's what to do instead, and why it matters.
Create a file called .env at the root of your project. Put your key there. Then add .env to your .gitignore.
The whole point of a .env file is that it stays on your machine. It doesn't go to GitHub. Each person has their own copy with their own keys.
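The "move to .env" refactor described in the two steps above, as an added example that is not Code Scrubber's own implementation: it rewrites a JavaScript string assignment to read from `process.env`, emits the matching `.env` line, and ensures `.gitignore` lists `.env`. The env-var naming rule and the secret-ish name list are assumptions; the sample source is constructed.

```javascript
// Added example (not Code Scrubber's code): move hard-coded string literals
// out of JavaScript assignments into .env entries, and keep .env ignored.

// One plain string assignment on a line: decl, name, "=", quote, literal, tail.
const ASSIGNMENT = /^(\s*(?:const|let|var)\s+)([A-Za-z_][A-Za-z0-9_]*)(\s*=\s*)(["'`])([^"'`]+)\4(\s*;?\s*)$/;
// Identifier names that suggest the value is a secret (assumed list).
const SECRET_NAME = /(key|secret|token|password|passwd|pwd|auth|credential)/i;

// camelCase identifier -> SCREAMING_SNAKE_CASE environment variable name.
function toEnvName(identifier) {
  return identifier
    .replace(/([a-z0-9])([A-Z])/g, "$1_$2")
    .replace(/[^A-Za-z0-9]+/g, "_")
    .toUpperCase();
}

// Rewrite one assignment line; returns { code, envLine } or null if the line
// is not a plain string assignment.
function moveToEnv(line) {
  const m = line.match(ASSIGNMENT);
  if (!m) return null;
  const [, decl, name, eq, , literal, tail] = m;
  const envName = toEnvName(name);
  return {
    code: `${decl}${name}${eq}process.env.${envName}${tail}`,
    envLine: `${envName}=${literal}`,
  };
}

// Apply moveToEnv to every secret-looking assignment in a file's text.
// Returns the rewritten source and the .env lines to append.
function refactorSource(source) {
  const env = [];
  const code = source
    .split("\n")
    .map((line) => {
      const m = line.match(ASSIGNMENT);
      if (!m || !SECRET_NAME.test(m[2])) return line;
      const r = moveToEnv(line);
      env.push(r.envLine);
      return r.code;
    })
    .join("\n");
  return { code, env: env.length ? env.join("\n") + "\n" : "" };
}

// Ensure the .gitignore text contains a ".env" entry; returns the updated text.
function ensureGitignore(text) {
  const lines = text.split(/\r?\n/);
  if (lines.some((l) => l.trim() === ".env")) return text;
  const sep = text.length === 0 || text.endsWith("\n") ? "" : "\n";
  return `${text}${sep}.env\n`;
}

// Constructed sample: two secret-looking assignments and one ordinary string.
const SAMPLE_SOURCE = [
  'const apiKey = "sk_test_constructed_1234567890";',
  'const greeting = "hello";',
  "let dbPassword = 'constructed-password-value';",
].join("\n");

const result = refactorSource(SAMPLE_SOURCE);
console.log(result.code);
console.log("--- .env ---\n" + result.env);
console.log("--- .gitignore ---\n" + ensureGitignore("node_modules\n"));
```

Values that contain spaces or `#` need quoting in `.env`; this example writes the literal as-is, which is enough for the token-style values the refactor targets.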
If a key has already been committed, revoke it immediately — treat it as compromised. Then remove it from history using git filter-repo. Deleting the file isn't enough; the key is still in every older commit that contained it. Code Scrubber's git history scanner will find these for you.
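Why deleting the file isn't enough, shown on a git log, as an added example that is not Code Scrubber's history scanner: the code parses the text of `git log -p`, tracks the current commit and file, and reports every diff line (added or removed) that carries a token of a known shape. The log below is constructed by hand with a placeholder token; the token pattern is an assumed illustrative one.

```javascript
// Added example (not Code Scrubber's code): scan `git log -p` output for a
// credential and list every commit whose diff carries it. A commit that only
// deletes the file still shows the key on its "-" lines, so the key survives
// in history until it is rewritten out.

// Illustrative token shape (assumed); a real scanner carries many patterns.
const TOKEN_RE = /\bghp_[A-Za-z0-9]{36}\b/g;

// Constructed log: commit 1 adds the key, commit 2 deletes the file.
const LOG = `commit 1111111111111111111111111111111111111111
Author: Dev <dev@example.invalid>
Date:   Mon Jan 1 10:00:00 2024 +0000

    add config

diff --git a/config.js b/config.js
new file mode 100644
--- /dev/null
+++ b/config.js
@@ -0,0 +1 @@
+const apiKey = "ghp_PLACEHOLDERPLACEHOLDERPLACEHOLDER000";
commit 2222222222222222222222222222222222222222
Author: Dev <dev@example.invalid>
Date:   Mon Jan 1 11:00:00 2024 +0000

    remove config file

diff --git a/config.js b/config.js
deleted file mode 100644
--- a/config.js
+++ /dev/null
@@ -1 +0,0 @@
-const apiKey = "ghp_PLACEHOLDERPLACEHOLDERPLACEHOLDER000";
`;

// Walk the log line by line, remembering which commit and file we are in.
function scanGitLog(logText) {
  const hits = [];
  let commit = null;
  let file = null;
  for (const line of logText.split("\n")) {
    if (line.startsWith("commit ")) {
      commit = line.slice(7).trim();
      file = null;
      continue;
    }
    const f = line.match(/^diff --git a\/(\S+) b\/(\S+)/);
    if (f) {
      file = f[2];
      continue;
    }
    if (!commit || !file) continue;
    // Diff body lines start with a single "+" or "-"; skip "+++"/"---" headers.
    if (!/^[+-](?![+-]{2})/.test(line)) continue;
    for (const m of line.matchAll(TOKEN_RE)) {
      hits.push({
        commit: commit.slice(0, 7),
        file,
        change: line[0] === "+" ? "added" : "removed",
        token: m[0],
      });
    }
  }
  return hits;
}

// Distinct commits that expose the credential, in log order.
function commitsExposing(logText) {
  return [...new Set(scanGitLog(logText).map((h) => h.commit))];
}

for (const h of scanGitLog(LOG)) {
  console.log(`${h.commit} ${h.file}: token ${h.change}`);
}
console.log("commits exposing the key:", commitsExposing(LOG).join(", "));
```

Both commits show up, which is the point: a history rewrite with git filter-repo (for example its `--replace-text` option with a file of strings to redact) is what actually removes the value, and it goes after revocation, not instead of it.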