FyVault
Pre-Commit Defense

One accidental commit. $41,000.

A leaked API key costs $41,000 on average. Yours is one git push away. FyVault pre-commit hooks scan every staged file and block the commit before secrets ever leave your machine.

This happens every day

It's Friday afternoon. You're rushing to ship a fix. You commit. You push. Monday morning, your AWS bill is $23,000 because someone's been mining crypto on your account since Saturday.

GitHub scans for leaked secrets, but only after you push. By then, bots have already scraped it. Within 30 seconds of a public commit containing an AWS key, automated scanners find it and exploit it. You need a gate before the push, not a notification after.

Your last line of defense between git commit and a $41,000 bill

You

git commit -m "quick fix"

FyVault Gate

20+ patterns scanned

Blocked

Credential detected

Safe

No secrets found

Caught in Real Time

Catch it before git push. Not after.

Bots find leaked keys in 30 seconds. Your pre-commit hook finds them first. When a high-confidence secret is detected, the commit never happens.

Terminal
$ git commit -m "quick fix, pushing before weekend"
 
FyVault scanning staged files...
 
✗ config/database.yml
Line 12: AWS Access Key (HIGH confidence)
AKIA3EXAMPLE7KEYHERE
 
✗ src/services/payment.ts
Line 45: Stripe Secret Key (HIGH confidence)
sk_live_4eC39HqLyjWDarjtT1zdp7dc
 
2 secrets detected — commit blocked.
$41,000 average breach cost avoided.
 
Run `fyvault scan --staged --dismiss` to review findings.
Detection Patterns

20+ secret patterns scanned. Every single commit.

Regex patterns and high-entropy analysis for every major cloud provider, payment processor, and SaaS platform. No configuration needed. No secrets slip through.

AWS Access Keys
Stripe Keys
GitHub Tokens
Google Cloud Keys
Database URLs
Private Keys
JWT Secrets
Slack Tokens
Twilio Keys
SendGrid Keys
Mailgun Keys
Generic High-Entropy
60-Second Setup

The gate between your code and disaster

Pick the method that fits your workflow. One install, every commit scanned, every credential caught before it reaches a remote.

FyVault CLI

One command. Done.

$ fyvault hook install

  Installing git pre-commit hook...
  Hook written to .git/hooks/pre-commit
  Done. Secrets will be scanned on every commit.

pre-commit framework

.pre-commit-config.yaml

repos:
  - repo: https://github.com/fyvault/fyvault-hooks
    rev: v0.8.0
    hooks:
      - id: fyvault-scan
        name: FyVault Secret Scanner
        entry: fyvault scan --staged
        language: system
        stages: [commit]

Husky

package.json

{
  "husky": {
    "hooks": {
      "pre-commit": "fyvault scan --staged"
    }
  }
}
Confidence Levels

HIGH confidence = hard block. No exceptions.

Not every match is a real secret. FyVault assigns confidence levels so confirmed credentials are blocked outright, while ambiguous matches warn without stopping your flow.

HIGH Confidence

Commit blocked instantly

Known secret format matched with high certainty. The commit is rejected and cannot proceed until the credential is removed or explicitly dismissed. You physically cannot ship it.

AWS KeysStripe Live KeysPrivate Keys
MEDIUM Confidence

Warning surfaced

High-entropy string or partial pattern match. A visible warning appears so you can double-check, but the commit goes through. No false-positive fatigue.

Database URLsGeneric EntropyEnv Variables

The commit gate in action

Every commit passes through the FyVault scanner. Clean code ships. Secrets get blocked.

git add
git commit
FyVault Scan ⚡
Clean
Blocked
Python SDK

Scan from Python too

Run secret scanning programmatically from CI pipelines or custom tooling.

scan.py
result = fv.hooks.scan(staged=True)

if result.secrets_found:
    for finding in result.findings:
        print(finding.file, finding.type)

# Integrate into CI or custom pre-commit logic

Bots find leaked keys in 30 seconds.
Your pre-commit hook finds them first.

Install in 60 seconds. Scan every commit. Stop the $41,000 mistake before it happens.