Watch everything.
Your developers paste secrets into AI assistants every day, and nobody can see it.
skarn reads the session logs your AI coding assistants already write, and surfaces the leaked credentials and the attacks that exploit them. It runs entirely on the machine - no account, no upload, no network call by default.
Nothing leaves the machine. Built for regulated, audit-heavy, EU data-residency environments.
The surface nobody is watching.
Every AI coding assistant - Claude Code, Cursor, Gemini, Codex, GitHub Copilot - writes the whole conversation to disk: every prompt, every file it read, every command it ran, in plaintext. Developers paste keys, passwords, and .env files into those sessions all day long. Secret scanners look at your git repositories. None of them look at the session logs.
Live credentials, in the open
A pasted key now sits in plaintext in a log file, in shell history, and in the provider's retention - valid, unrotated, and outside every control you have.
Silent and undetected
A leak to git gets caught and rotated. A leak into an AI session gets caught by nothing, and stays valid indefinitely while no one knows.
A new class of attack
Poisoned content can steer an assistant into reading a secret and shipping it out. "We don't train on your data" does nothing to stop it.
What your engineers leaked, made visible.
Point skarn at a developer's machine and it reads the AI session logs already on disk - across every assistant - and shows you the live credentials and the attacks around them. Redacted, scored, and attributed to the exact session. In minutes, on the machine, nothing uploaded.
Every credential, redacted
Two hundred-plus secret types pulled straight out of past AI sessions - AWS keys, database URIs, tokens - each shown masked, never in full.
The attack, not just the key
The prompt-injection-to-exfiltration kill chain an ordinary secret scanner can't see: poisoned content driving a read, then a leak.
A risk score you can act on
One number per session and per team for a dashboard or a CI gate - so exposure is something you measure and drive down, not guess at.
Why skarn is different.
Reads AI sessions, not git
A surface no other scanner covers. The key pasted into a chat and never committed is invisible to gitleaks and obvious to skarn.
Shows the attack, not just the secret
Credential read, prompt injection, and exfiltration, linked into a kill chain mapped to a published AI threat model.
Local-only, no egress
No account, no upload, no network call by default. The session logs never leave the machine - the sentence that gets it past EU legal.
One binary, every assistant
Claude Code, Cursor, Gemini, Codex, Copilot Chat - one vendor-neutral control across every tool your team uses. It scans in milliseconds.
Real-time guard
Wired as a hook, it refuses a malicious tool call - a hardcoded credential, a typosquatted package - before it ever runs.
It surfaces, it doesn't prescribe
It tells you what leaked and where, redacted. Your team owns the response. Awareness and understanding, not a fix-it bot.
"Isn't this just gitleaks?"
No. gitleaks and trufflehog scan your git repositories. skarn scans the AI session logs your scanners never look at - the key an engineer pasted into a chat and never committed is invisible to them and obvious to skarn. Different surface, different attacks. The leak that gets you is the one nothing was watching.
See your own exposure in 30 minutes.
A scoped, consent-first assessment, run with you on a developer's machine. Nothing leaves the laptop - you watch it run and keep the redacted report. Start with a one-time audit; turn on continuous monitoring and team reports once you see what is there. It is the fastest way to find out what your engineers have already leaked into AI tools.
Built by an experienced security and engineering team. Runs on macOS and Linux today; Windows on request.