VaultGuard Documentation

Learn how to use VaultGuard to scan for secrets and store them securely.

Installation

Install VaultGuard CLI globally using npm:

npm install -g vaultguard-cli

Or use it directly with npx:

npx vaultguard-cli scan myfile.js

What is VaultGuard?

VaultGuard is a minimal developer tool designed to help you:

  • Scan your code for accidentally committed secrets like API keys, tokens, and passwords
  • Store secrets locally in memory without relying on cloud services
  • Protect .env files by encoding and creating decoy files
  • Provide simple interfaces via CLI and REST API for easy integration

CLI Commands

Basic Commands
Core functionality for scanning and managing secrets

vaultguard scan <file>

Scan a file for potential secrets.

vaultguard scan myfile.js

vaultguard vault add <key>=<value>

Store a key-value pair in the local vault.

vaultguard vault add API_KEY=sk_123456789

vaultguard vault show

Display all stored secrets (masked).

vaultguard vault show

vaultguard vault export

Export stored secrets as a .env file.

vaultguard vault export

Protection Commands
Advanced security features for protecting your environment files

vaultguard protect

Protects your .env file by creating multiple encoded .vg files that contain fake data, then removing the original .env file.

vaultguard protect

Creates files like: env1.vg, env2.vg, env3.vg with encoded real data mixed with decoy data.

vaultguard decode [--file <filename>]

Decodes your .vg files back to .env format. Optionally specify a specific file.

vaultguard decode # Decodes all .vg files
vaultguard decode --file env2.vg # Decode specific file

vaultguard safeadd <key>=<value> [--protect]

Creates a secure folder structure (vaultguard/vault/key/env) and stores the .env file there.

vaultguard safeadd API_KEY=sk_123
vaultguard safeadd --protect API_KEY=sk_123 # Also creates .vg files

With --protect flag: combines safeadd with protect functionality.

Configuration Commands
Customize VaultGuard behavior and patterns

vaultguard addpattern <pattern>

Add a custom regex pattern for secret detection.

vaultguard addpattern "custom_[a-zA-Z0-9]{20}"
vaultguard addpattern "myapi_[0-9A-F]{16}"

vaultguard version

Show the CLI version.

vaultguard version

vaultguard help

Show CLI usage information.

vaultguard help

API Endpoints

POST /api/scan
Scan code for potential secrets and sensitive information.

Request Body:

{
"code": "string"
}

Response:

{
"found": boolean,
"secrets": string[]
}

POST /api/store
Store a key-value pair in the local vault.

Request Body:

{
"key": "string",
"value": "string"
}

Response:

{
"stored": true
}

GET /api/vault
Retrieve all stored secrets from the vault.

Response:

{
"vault": Record<string, string>
}

Detected Secret Patterns

VaultGuard scans for these common secret patterns:

  • sk_ - Stripe API keys
  • ghp_ - GitHub personal access tokens
  • AKIA - AWS access keys
  • AIza - Google API keys
  • xoxb- - Slack bot tokens
  • pk_ - Stripe publishable keys
  • Custom patterns - Added via addpattern command
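
The following JavaScript is an added example, not VaultGuard's own implementation: it shows how prefix-based detection with the patterns listed above, plus a custom addpattern-style regex, can produce the { found, secrets } shape of POST /api/scan. The function names, the character classes and lengths after each prefix, and the masked report format are assumptions.

```javascript
// Added example, not VaultGuard's source. Prefixes are from the list above;
// the character classes and minimum lengths after each prefix are assumptions.
const DEFAULT_PATTERNS = [
  { name: "Stripe API key", re: /\bsk_[A-Za-z0-9_]{8,}/g },
  { name: "GitHub personal access token", re: /\bghp_[A-Za-z0-9]{20,}/g },
  { name: "AWS access key", re: /\bAKIA[A-Z0-9]{16}\b/g },
  { name: "Google API key", re: /\bAIza[A-Za-z0-9_-]{20,}/g },
  { name: "Slack bot token", re: /\bxoxb-[A-Za-z0-9-]{10,}/g },
  { name: "Stripe publishable key", re: /\bpk_[A-Za-z0-9_]{8,}/g },
];

// Keep only the first four characters so the report does not re-leak the secret.
function mask(secret) {
  return secret.slice(0, 4) + "*".repeat(Math.max(secret.length - 4, 0));
}

// Register a custom pattern; a regex that does not compile is rejected up front.
function addPattern(patterns, source, name = "Custom pattern") {
  try {
    return [...patterns, { name, re: new RegExp(source, "g") }];
  } catch (err) {
    throw new Error(`invalid pattern ${JSON.stringify(source)}: ${err.message}`);
  }
}

// Returns { found, secrets }; the format of each entry is an assumption.
function scan(code, patterns = DEFAULT_PATTERNS) {
  const secrets = [];
  code.split(/\r?\n/).forEach((line, i) => {
    for (const { name, re } of patterns) {
      for (const m of line.matchAll(re)) {
        secrets.push(`line ${i + 1}: ${name} ${mask(m[0])}`);
      }
    }
  });
  return { found: secrets.length > 0, secrets };
}

// Constructed sample input; none of these values are real credentials.
const SAMPLE = [
  'const stripe = "sk_123456789";',
  'const task_id = "task_1234567890";', // "sk_" inside a word: \b prevents a hit
  "AWS_KEY=AKIAABCDEFGHIJKLMNOP",
  "token: custom_ABCDEFGHIJ0123456789",
].join("\n");

const withCustom = addPattern(DEFAULT_PATTERNS, "custom_[a-zA-Z0-9]{20}");
console.log(scan(SAMPLE, withCustom));
```

The leading \b is what keeps identifiers such as task_id from being reported; matching on the bare prefix alone would flag them.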