I built a pre-push git hook that catches leaked secrets before they hit GitHub
How-To, DevOps


via Dev.to DevOps, piman

    $ git push origin main
    # A few seconds later, email from AWS
    # Next morning: $8,000

Leaked API keys are a solved problem — in theory. In practice, they keep happening. GitHub says exposed credentials are scraped by bots within seconds of being pushed.

The usual advice is "use a secrets manager" or "scan your repo with a tool." But the best time to catch a leaked secret is before it ever leaves your machine.

That's why I built push-sentinel — a zero-dependency CLI that sits in your pre-push hook and scans the exact diff being pushed.

Install in one command

    npx --yes --prefer-online push-sentinel@latest install

That's it. From now on, every git push runs the scan automatically.

What it looks like

Clean push:

    [push-sentinel] ✓ No secrets detected.

When something is found:

    [push-sentinel] ⚠ Potential secrets found:
    [HIGH] src/config.ts:12 AKIAIO...
      → Risk: Full access to AWS resources. Attacker can create/delete instances, incur charges, or exfiltrate data.
      → To ignore this line: push-sent
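As an added example, not push-sentinel's own code, here is a minimal Python pre-push hook built on the same idea: it reads the ref lines git passes on stdin, diffs the commits actually being pushed, and flags AWS access key IDs on added lines only, reporting file:line with a masked preview. The rule table, the SAMPLE_DIFF input and the handling of new-branch and branch-deletion pushes are assumptions of this example.

```python
import re
import subprocess
import sys
# Constructed rule set; the AWS access key ID shape (AKIA + 16 upper-case alphanumerics) is public.
RULES = [("AWS access key ID", re.compile(r"\bAKIA[0-9A-Z]{16}\b"), "HIGH")]
HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")
EMPTY_TREE = "4b825dc642cb6eb9a060e54bf8d69288fbee4904"  # git's well-known empty-tree object id

def scan_diff(diff_text):  # -> [(path, line, severity, preview, rule)], added ('+') lines only
    findings, path, new_line = [], None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):                   # "+++ b/src/config.ts" names the new file
            path = raw[6:] if raw.startswith("+++ b/") else raw[4:]
        elif (m := HUNK_RE.match(raw)):              # "@@ -9,4 +9,6 @@": new side starts at line 9
            new_line = int(m.group(1))
        elif raw.startswith("+"):                    # added line: the only content that leaves the machine
            for rule, pattern, severity in RULES:
                for hit in pattern.finditer(raw[1:]):   # keep a 6-char preview so the report cannot leak
                    findings.append((path, new_line, severity, hit.group()[:6] + "...", rule))
            new_line += 1
        elif raw.startswith(" ") or raw == "":       # context line; removed ('-') lines do not advance
            new_line += 1
    return findings

def pre_push_main():  # git writes '<local ref> <local sha> <remote ref> <remote sha>' per ref on stdin
    status = 0
    for line in sys.stdin:
        _, local_sha, _, remote_sha = line.split()
        if set(local_sha) == {"0"}:                  # remote branch deletion: nothing is pushed
            continue
        base = EMPTY_TREE if set(remote_sha) == {"0"} else remote_sha   # new branch: scan all of it
        diff = subprocess.run(["git", "diff", base, local_sha], capture_output=True, text=True, check=True).stdout
        for path, ln, sev, preview, rule in scan_diff(diff):
            print(f"[{sev}] {path}:{ln} {preview}  ({rule})", file=sys.stderr)
            status = 1                               # non-zero exit makes git abort the push
    return status
# Constructed sample diff; the key is AWS's documented example value, not a live credential.
SAMPLE_DIFF = """\
--- a/src/config.ts
+++ b/src/config.ts
@@ -9,4 +9,6 @@
 export const region = "us-east-1";
 export const bucket = "assets";
-const accessKeyId = process.env.AWS_ACCESS_KEY_ID;
+// TODO: remove before push
+const accessKeyId = "AKIAIOSFODNN7EXAMPLE";
+const secret = process.env.AWS_SECRET_ACCESS_KEY;
 export default { region, accessKeyId };
"""
if __name__ == "__main__": sys.exit(pre_push_main())
```

Saved as an executable .git/hooks/pre-push it aborts the push on any finding; because git hands it the ref pairs on stdin, the scan covers exactly the commits leaving the machine and nothing else.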

Continue reading on Dev.to DevOps
