Vaultify scans your machine for potential leaked non-human identities like API keys, tokens, and credentials scattered across config files, IDE settings, and AI tool outputs. It helps you decide what to do with each one — Vaultify it (store in your vault), remove it, or dismiss it — and then does it automatically.
Official website - https://vaultify.live
Vaultify does not collect keys/tokens or store them in any shape or form. However, it cannot tell whether your project needs a key at run time - please be mindful when vaulting NHIs.
Install once, then run vaultify from any directory:
macOS / Linux
```bash
curl -fsSL https://raw.githubusercontent.com/securityjoes/vaultify/main/scripts/install.sh | bash
```
The script downloads the latest release, installs the binary as ~/.local/bin/vaultify, and adds that directory to your shell PATH if needed. Open a new terminal and run:
```bash
vaultify
```
Windows (PowerShell)
```powershell
irm https://raw.githubusercontent.com/securityjoes/vaultify/main/scripts/install.ps1 | iex
```
Then open a new terminal and run vaultify.
Manual download: pre-built binaries (Windows, macOS Intel/ARM, Linux x86_64/ARM64), SHA256SUMS, and LICENSE are on each GitHub Release. Rename the binary to vaultify (or vaultify.exe), put it on your PATH, and run it from anywhere.
- The dashboard opens at http://localhost:9471 by default.
- macOS users can also use the .app.tar.gz bundle from the release page; the install script above is the simplest way to get a global vaultify command.
That's it. Click Start Scan or Specific Folder, then in the generated report choose how to secure your secrets — Vaultify, Remove, or Junk.
- Scan - walks your filesystem, matches 30+ regex patterns (AWS keys, GitHub PATs, Slack tokens, OpenAI keys, private key blocks, etc.)
- Review - interactive table showing each unique secret, where it appears, and a redacted preview
- Decide - for each secret: Vaultify (move to 1Password/AWS/HashiCorp), Remove From Code (redact in place), or Dismiss
- Apply Decisions - secrets are moved to your vault with op:// references replacing the plaintext, or redacted with REDACTED_BY_VAULTIFY
- Reports - track your remediation process with the generated reports. The reports are updated as each secret is handled
- Vee - Vee is your Secret Agent. It's a BYOAI tuned to help you with secrets management and provide you with assistance.
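
The Scan, Review and Remove From Code steps above, sketched in Go as an added example (not Vaultify's own code). The two patterns are widely documented token formats chosen for illustration, the `Scan`, `Redact` and `Finding` names are hypothetical, and the sample input is constructed.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Two widely documented token formats (assumed here; not Vaultify's pattern list).
var patterns = []struct{ name string; re *regexp.Regexp }{
	{"aws_access_key_id", regexp.MustCompile(`\b(?:AKIA|ASIA)[0-9A-Z]{16}\b`)},
	{"github_pat", regexp.MustCompile(`\bghp_[A-Za-z0-9]{36}\b`)},
}

// Finding is one unique secret: its kind, a masked preview, and the lines it appears on.
type Finding struct{ Kind, Preview string; Lines []int }

// Scan groups matches by secret value so a key copied into several places is reported once.
func Scan(text string) []Finding {
	var out []Finding
	seen := map[string]int{} // secret value -> index in out
	for n, line := range strings.Split(text, "\n") {
		for _, p := range patterns {
			for _, m := range p.re.FindAllString(line, -1) {
				if _, ok := seen[m]; !ok {
					seen[m] = len(out)
					// Keep only the 4-character prefix so the report never shows the secret.
					out = append(out, Finding{Kind: p.name, Preview: m[:4] + strings.Repeat("*", len(m)-4)})
				}
				out[seen[m]].Lines = append(out[seen[m]].Lines, n+1)
			}
		}
	}
	return out
}

// Redact replaces every match in place with the marker named in the README.
func Redact(text string) string {
	for _, p := range patterns {
		text = p.re.ReplaceAllString(text, "REDACTED_BY_VAULTIFY")
	}
	return text
}

// Constructed sample: AWS's documentation example key and a made-up GitHub token.
var sample = "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\ntoken: ghp_" + strings.Repeat("a1B2", 9) + "\n# copy: AKIAIOSFODNN7EXAMPLE\n"

func main() {
	fmt.Printf("%+v\n%s", Scan(sample), Redact(sample))
}
```

Grouping by value is what lets one decision cover every copy of the same key.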
Inspect other features and let us know how you liked them.
Using the Walkthrough you can find all the app features, including Vee, your Secret Agent, her FP Finder (requires AI model token), generating reports, following remediation, growing your secrets catalogue and more.
Keep in mind that the app is still in the making and may contain bugs. Feel free to report them.
| Vault | Status | CLI |
|---|---|---|
| 1Password | Ready | op |
| AWS Secrets Manager | Experimental | aws |
| HashiCorp Vault | Experimental | vault |
| Doppler | Experimental | doppler |
Requires Go 1.22+.
```bash
# Current platform
go build -ldflags "-s -w -X github.com/vaultify/vaultify/internal/buildinfo.BuildVersion=0.3.0" -o vaultify ./cmd/vaultify
# Cross-compile all release targets into dist/ + SHA256SUMS
make all # Unix shell + Make
pwsh ./scripts/build-release.ps1 # Windows / PowerShell equivalent
```
Vaultify was made by researchers, for researchers. For more about us, visit JOES
