File scanner

Sensitive file scanner

It happens quickly and a file with sensitive content is accidentally made public. This service will help you catch the mishap early before the sensitive data is exploited. The sensitive file scanner scans your domain and subdomains automatically for data leaks (passwords, api keys, private keys, etc.) via unintentionally exposed files like .env files or Git repositories.



  • Daily scans for exposed sensitive files
  • Automatic subdomain detection
  • Immediate notification on detection of an issue
  • More than 35 detection rules, being expanded constantly
  • No complex and complicated setup, just start in a few minutes


5.00$ per month


Easy-to-use dashboard that lets you see the status of scans and determine if there is an issue. You will be notified by email as soon as the scanner discovers a problem with on of your domain or subdomains.


You see the result of all of your subdomains and which of them have an issue you should look at.

Detail view

In the details we describe what problem the scanner found, so you can fix the issue and secure your application.

Ease of mind

This scanner helps developers to prevent leaks of sensitive information. It happens quickly that an .env file becomes public without anyone noticing. The scanner will notify you if something is found, so you can fix the issue.

This scanner looks for common files like .env files, exposed Git repositories, files containing phpinfo() data, directory listings or database backups. The rules to discover these files are constantly curated and updated by our team.


Blog post: Data leak via exposed .env files

We scanned over 2.6 million domains for exposed .env files. During this scan we found 201 .env files. Besides harmless configuration settings we found 135 database users and passwords, 48 e-mail user accounts with passwords, 11 live credentials for payment providers (like Stripe or Paypal), 98 secret tokens for different APIs and 128 app secrets (secrets to securely generate session ids, CSRF-tokens and JWT-tokens) and a few hard coded admin credentials. Exposed .env files are a huge security risk, because the content of these files is not encrypted.

Read the entire blog post

About codepurple

Codepurple is a cyber security company from Switzerland. We conduct pentests of webapplications. During our research we scanned over 2 million domains and discovered, that the exposure of sensitive files is a huge problem. We discovered many database credentials, Office 365 admin accounts, database backup files and even several payment API keys. We refined our internal research tool and created this easy to use and cheap scanner to protect from this kind of information leaks.