2 points by sravyavedantham 5 hours ago | 2 comments
  • sravyavedantham 5 hours ago
    I built this after a security audit caught a live AWS key in a 3-year-old commit that had been "deleted" in a later commit. The key was still accessible via git log.

    secret-time-machine scans your entire git history and flags anything that looks like a secret: API keys, tokens, passwords, connection strings.

    - Scans ALL commits including rebased/amended ones
    - 40+ secret format patterns (AWS, GCP, Stripe, GitHub, JWT, etc.)
    - Works fully offline — no data leaves your machine

    pip install secret-time-machine && stm scan ./your-repo

    GitHub: https://github.com/LakshmiSravyaVedantham/secret-time-machin...
    Full writeup: https://dev.to/lakshmisravyavedantham/i-found-an-api-key-i-d...
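
Added example, not part of the post and not secret-time-machine's code: a minimal sketch of why a key "deleted" in a later commit is still recoverable, by scanning the added lines of `git log -p` output. The two regexes, the function names and the sample log are assumptions made for illustration.

```python
import re
import subprocess

# Two illustrative patterns (assumption: a real scanner carries many more).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}

# Constructed `git log -p` output (headers trimmed): the key is added in commit
# 1111... and "deleted" in 2222..., yet the older patch still carries it.
# The key is AWS's documentation placeholder, not a real credential.
SAMPLE_LOG = """\
commit 2222222222222222222222222222222222222222
    remove hardcoded key
--- a/config.py
+++ b/config.py
@@ -1 +1 @@
-AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
+AWS_KEY = os.environ["AWS_KEY"]
commit 1111111111111111111111111111111111111111
    add config
--- /dev/null
+++ b/config.py
@@ -0,0 +1 @@
+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
"""

def scan_patch_log(log_text):
    """Return (commit, path, pattern, redacted) for secrets on added lines."""
    findings, commit, path = [], None, None
    for line in log_text.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1]
        elif line.startswith("+++ "):
            path = line[6:] if line.startswith("+++ b/") else line[4:]
        elif line.startswith("+"):
            for name, rx in PATTERNS.items():
                for m in rx.finditer(line):
                    # Report only a prefix so the scan output is not itself a leak.
                    findings.append((commit, path, name, m.group()[:4] + "..."))
    return findings

def scan_repo(repo):
    """Scan every ref plus reflog-only commits (rebased/amended) of a local repo."""
    cmd = ["git", "-C", repo, "log", "-p", "--all", "--reflog", "--no-color"]
    out = subprocess.run(cmd, capture_output=True, text=True, errors="replace", check=True)
    return scan_patch_log(out.stdout)
```

A hit in any historical commit means the credential should be rotated; removing it from the working tree does not remove it from the object store.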
