CredWatch documentation

CredWatch is a credential-exposure monitoring platform. It continuously scans public GitHub, your client web endpoints, JavaScript bundles, and — with your authorization — your private GitHub repositories for exposed secrets (API keys, tokens, connection strings) and alerts your security team before attackers can act on them.

These docs cover everything you need to get up and running, configure integrations, and use the API.

🚀 Getting started

Sign up, connect GitHub, add a domain, and see your first scan in under 10 minutes.

📋 Feature guides

Triage findings, manage suppression rules, invite teammates, and configure alerts.

🔌 REST API

Query findings and scans, and trigger actions, from your own tooling. Available on Growth+.

💬 Support

Report a bug, check service status, or disclose a security issue.

What CredWatch detects

| Source | What we scan | Plan |
| --- | --- | --- |
| Public GitHub | Code search across all of GitHub for keys matching your custom patterns | Free+ |
| Private repositories | Your own repos via a token you provide (PyGithub, classic PAT or fine-grained) | Free+ |
| Commit history | The full git history of every monitored repo — catches keys committed then deleted | Growth+ |
| Web endpoints | Subdomains discovered from cert transparency logs, HTML, and bundled JS | Growth+ |
| JavaScript bundles | Webpack/Vite/Rollup bundles that leak server-side keys into client code | Growth+ |

We ship with validators for 18+ secret types (OpenAI, Anthropic, AWS, Stripe, GitHub, Slack, SendGrid, Twilio, Datadog, Cloudflare, and more). Each validator independently confirms whether a found key is still live before we wake anyone up.

Two ways to use CredWatch

  1. As a product — log into the portal at app.cred-watch.com, connect your sources, and let CredWatch alert you to exposures.
  2. In your CI — the credwatch scan diff command scans pull request diffs before they merge. See the CI/CD guide.

Need a quick answer?


Looking for something not here? Email [email protected].