LLM Secrets Leak Detector: A Security Guardian Against Sensitive Data Leaks to Large Language Models

LLM Secrets Leak Detector is a security tool specifically designed to detect and prevent accidental leaks of sensitive information during interactions with large language models. Addressing the issue where developers often accidentally leak confidential data such as API keys and database credentials when using AI assistants, it adopts a multi-layer detection strategy, supports multiple input sources and desensitization modes, and can be integrated into personal development workflows and enterprise-level systems, providing an effective solution for sensitive data protection in the AI era.

With the popularity of large language models like ChatGPT and Claude in development workflows, developers often accidentally leak sensitive information (such as API keys and database credentials) when seeking help from AI assistants. Studies show that the number of exposed credentials in public code repositories is growing exponentially, while traditional code security scanning tools cannot cover real-time AI interaction scenarios. LLM Secrets Leak Detector was created to address this new type of security risk, capable of intercepting and alerting before sensitive data leaves the development environment.

LLM Secrets Leak Detector adopts a three-layer complementary detection strategy:

1. Regular Expression Pattern Matching: Built-in with over 1750 rules covering more than 180 sensitive data types, using the Google RE2 library to ensure linear time complexity;
2. Entropy Analysis: Identifies highly random strings (length >20 and high entropy) by calculating Shannon entropy;
3. Context Heuristic Analysis: Combines keywords around sensitive information (such as password, secret) to reduce false positive rates and improve confidence.

The tool supports multiple input sources (local files, standard input, real-time streams) and provides three desensitization modes:

• Masking Mode: Replaces the middle part of sensitive information with ellipsis;
• Hashing Mode: Uses SHA-256 hashing for easy tracking;
• Synthetic Mode: Generates fake data with the same format. The command-line interface is concise and intuitive, supporting color output and risk grading (red/yellow/blue marks for high/medium/low risk), and can be seamlessly embedded into development workflows.

The tool's architecture focuses on performance and security:

• Uses the Aho-Corasick automaton algorithm to improve scanning speed;
• Sets a 1-second timeout for complex regex matching to prevent catastrophic backtracking;
• Limits input length to 100,000 characters to avoid memory exhaustion;
• Automatically deduplicates overlapping matches and retains the longest item;
• Comprehensive testing system: 18 BDD test scenarios, rule deduplication, and test data generation tools.

Applicable scenarios include:

• Individual Developers: IDE plugins or Git hooks for automatic scanning before submitting code or sending AI requests;
• Security Teams: Analyzing application logs and LLM interaction history;
• Enterprise Environments: Deployed as an API gateway/AI proxy filter, integrated into CI/CD pipelines (supports no-color output and standard exit codes);
• Compliance Teams: Enforcing data loss prevention (DLP) policies to prevent sensitive information from flowing to external AI services.

The project plans to expand into a complete AI gateway service, supporting real-time prompt filtering and AI data loss prevention functions; in the future, it will add integration methods such as IDE plugins and browser extensions. As LLMs penetrate the development field, this tool provides an effective solution to emerging security issues, helping developers enjoy AI efficiency while protecting core digital assets. It is a security tool worth paying attention to for development teams using LLMs.