Data Leaks

Find your secrets before someone else does.

Credentials, API keys, and configuration files leak in three predictable places: a developer commits a .env file to a public repo; a misconfigured webserver exposes /.git/ or /backup.sql; or a third-party tool dumps your config somewhere indexable. Nano EASM checks all three.

What we detect

  • Secrets in public code — API keys, tokens, and credentials matching 23 high-confidence patterns (AWS, GitHub PAT, Stripe, OpenAI, Anthropic, JWT, private keys, more).
  • Exposed sensitive paths on your assets — /.git/, /.env, /backup.sql, /phpinfo.php, /admin/, .DS_Store directory listings, and ~30 more.
  • Source-code references to your domain in public repositories on GitHub and GitLab, even when they don't contain secrets — useful for tracking shadow integrations.
  • Configuration files exposed via misconfigured webservers — .htaccess, web.config, application.yml, etc.
  • SSH keys, SSL private keys, and database dumps exposed at predictable URLs.

Why it matters

A leaked AWS key is a same-day incident. A leaked .env can include database creds, third-party API keys, mail credentials, and JWT signing secrets — every secret a developer was holding when the leak happened. Public repos are continuously scraped by automated tooling looking for exactly this. If the credential is valid for 30 minutes, that's enough time for an attacker to enumerate everything it can reach.

How Nano EASM detects it

Two parallel paths. First, the leak engine probes your discovered assets directly for ~30 sensitive paths (.git/, .env, backups, etc.) — fast, no third-party dependency. Second, when a paid plan is enabled, it queries public GitHub Code Search and GitLab blob search for code referencing your domain, then runs every matched snippet through a 23-pattern secret detector. Pattern matches are upgraded to high-confidence findings. The detector recognises real secret formats (AWS access key shape, GitHub PAT prefix, Stripe key format) — not just keyword matches.
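The shape-based matching described above (a real key format rather than a keyword hit) and the low-to-high confidence upgrade can be shown in a few lines. The following is an added example written for this page, not Nano EASM's own detector: the five regular expressions, the `redact`, `scan_snippet` and `triage_search_hit` helpers, and the `SAMPLE_ENV` snippet are all constructed here, and the sample values are placeholders (the AWS id is the publicly documented example id).

```python
import re

# Added example: a small shape-based secret detector in the spirit of the
# page's description. These five patterns are constructed for this page and
# are NOT the product's 23-pattern set; they model public key formats
# (AWS access key id prefix + 16 chars, GitHub classic PAT prefix, Stripe
# secret key prefix, the three-part base64url JWT shape, a PEM private-key header).
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "stripe_secret_key": re.compile(r"\bsk_(?:live|test)_[0-9a-zA-Z]{24,}\b"),
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |)PRIVATE KEY-----"),
}


def redact(secret: str) -> str:
    """Keep only the prefix and last four chars so the alert itself is not a leak."""
    if len(secret) <= 12:
        return secret[:4] + "..."
    return secret[:4] + "..." + secret[-4:]


def scan_snippet(snippet: str, repo_url: str = "") -> list:
    """Return one finding per pattern match, with line number and redacted evidence."""
    findings = []
    for lineno, line in enumerate(snippet.splitlines(), start=1):
        for name, pattern in SECRET_PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append({
                    "type": name,
                    "line": lineno,
                    "evidence": redact(match.group(0)),
                    "confidence": "high",
                    "repo": repo_url,
                })
    return findings


def triage_search_hit(domain: str, snippet: str, repo_url: str) -> dict:
    """A code-search hit that only mentions the domain is a low-confidence
    'shadow integration' lead; a pattern match upgrades it to high confidence."""
    findings = scan_snippet(snippet, repo_url)
    return {
        "repo": repo_url,
        "references_domain": domain in snippet,
        "confidence": "high" if findings else "low",
        "findings": findings,
    }


# Constructed sample: a .env-style file that references example.com. Every
# value is a placeholder; JWT_SECRET is a keyword-only line that must NOT match.
SAMPLE_ENV = """# constructed .env committed by mistake
APP_DOMAIN=example.com
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=placeholder-not-a-real-secret
STRIPE_SECRET=sk_test_EXAMPLEKEYEXAMPLEKEY1234
GITHUB_TOKEN=ghp_EXAMPLE0EXAMPLE0EXAMPLE0EXAMPLE0EXAM
JWT_SECRET=super_secret_value
DEPLOY_KEY="-----BEGIN OPENSSH PRIVATE KEY-----"
SESSION_TOKEN=eyJhbGciOiJub25lIn0.eyJzdWIiOiJ0ZXN0In0.constructedsig
"""

if __name__ == "__main__":
    for finding in scan_snippet(SAMPLE_ENV, "https://github.com/example-org/app"):
        print(finding)
```

Two design points worth copying into any in-house detector: the `JWT_SECRET=super_secret_value` line produces no finding because nothing on it has a recognisable secret shape, which is what keeps the false-positive rate tolerable; and every finding carries a redacted evidence string, so the alert, ticket, or chat message that relays it does not become a second copy of the credential.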

Common scenarios

Developer accidentally pushes .env to a public GitHub repo

Their next commit removes it, but the file is now in the git history. Nano EASM's GitHub search finds the repo via the domain reference, the secret detector recognises the AWS key format, and the alert lands the same day with the full snippet, repo URL, and commit hash.

.git folder accessible at production root

A deployment didn't strip .git/ from the published artefact. The leak engine probes /.git/HEAD on every discovered subdomain. The finding includes the URL, the response evidence, and a remediation note explaining that the repository can be cloned via git-dumper.

Database backup at a guessable path

Common backup paths (/backup.sql, /db_backup.zip, /dump.sql.gz) get probed against every discovered HTTP endpoint. Matches surface as critical findings with the file size and content-type from the response.
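The scenarios above all hinge on one detail: a finding is raised on response evidence, not on a bare 200 status. The following is an added example, not the leak engine's own code, showing how a defender can classify probe responses offline. `Response`, `evaluate_probe`, `run_samples` and the `SAMPLE_PROBES` list are constructed here, no network requests are made, and the severities assigned are this example's assumptions rather than the product's scoring.

```python
import re
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Response:
    """Constructed stand-in for an HTTP response; nothing here touches the network."""
    status: int
    body: bytes = b""
    headers: dict = field(default_factory=dict)


# Evidence signatures (constructed for this example):
# .git/HEAD is either a symbolic ref or a detached 40-hex commit id.
GIT_HEAD_RE = re.compile(rb"^(?:ref: refs/heads/\S+|[0-9a-f]{40})$")
# .env files are KEY=value lines; we record key names only, never values.
ENV_KEY_RE = re.compile(rb"^([A-Za-z_][A-Za-z0-9_]*)=", re.M)
# Plain-text SQL dumps start with dump comments or DDL/DML statements.
SQL_DUMP_RE = re.compile(rb"^(?:-- |CREATE TABLE|INSERT INTO|DROP TABLE)", re.M)
BACKUP_SUFFIXES = (".sql", ".sql.gz", ".zip", ".tar.gz")


def looks_like_html(body: bytes) -> bool:
    """A catch-all site that answers 200 with an HTML page for every path."""
    head = body[:512].lower()
    return b"<html" in head or b"<!doctype html" in head


def evaluate_probe(path: str, resp: Response) -> Optional[dict]:
    """Return a finding only when the body itself proves the exposure."""
    if resp.status != 200:
        return None
    headers = {k.lower(): v for k, v in resp.headers.items()}
    ctype = headers.get("content-type", "")
    size = int(headers.get("content-length", len(resp.body)))
    if looks_like_html(resp.body):
        return None  # soft-404: the status code alone is not evidence
    if path == "/.git/HEAD" and GIT_HEAD_RE.match(resp.body.strip()):
        return {"type": "exposed_git_repository", "severity": "high", "path": path,
                "evidence": resp.body.strip().decode(), "size": size}
    if path == "/.env":
        keys = [k.decode() for k in ENV_KEY_RE.findall(resp.body)]
        if len(keys) >= 2:
            return {"type": "exposed_env_file", "severity": "critical", "path": path,
                    "evidence": keys, "size": size}  # key names only
    if path.endswith(BACKUP_SUFFIXES) and (
        ctype.startswith("application/") or SQL_DUMP_RE.search(resp.body)
    ):
        return {"type": "exposed_database_backup", "severity": "critical", "path": path,
                "evidence": ctype or "sql-dump-signature", "size": size}
    return None


# Constructed responses covering a real exposure, a catch-all false positive,
# an exposed .env, a correctly denied path, and a large binary backup.
SAMPLE_PROBES = [
    ("/.git/HEAD", Response(200, b"ref: refs/heads/main\n", {"Content-Type": "text/plain"})),
    ("/.git/HEAD", Response(200, b"<!DOCTYPE html><html><body>Not found</body></html>",
                            {"Content-Type": "text/html"})),
    ("/.env", Response(200, b"DB_HOST=db.internal\nDB_PASSWORD=placeholder\n",
                       {"Content-Type": "application/octet-stream"})),
    ("/.env", Response(403)),
    ("/backup.sql", Response(200, b"", {"Content-Type": "application/octet-stream",
                                       "Content-Length": "5242880"})),
]


def run_samples() -> list:
    """Evaluate every constructed probe; None means 'no finding'."""
    return [evaluate_probe(path, resp) for path, resp in SAMPLE_PROBES]


if __name__ == "__main__":
    for (path, _), result in zip(SAMPLE_PROBES, run_samples()):
        print(path, "->", result)
```

The second `/.git/HEAD` sample is the case that generates noise in naive scanners: a framework that serves its index page for every unknown path answers 200 everywhere, and only checking the body for the `ref: refs/heads/` shape separates that from a real exposure. For the `.env` case the evidence stored is the list of key names, which is enough to triage the finding without copying the leaked values into the alert.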

Try it free against your domain

Quick Scan runs the engines that surface data-leak findings, plus the rest of the platform's coverage. No signup, no credit card, real results in under a minute.