Mac App · Developer Security

Your AI chats
might be leaking secrets

Sieve scans Claude Code, Cursor, VS Code, Windsurf, and Codex history for leaked API keys, tokens, and passwords — before they cause damage. All scanning runs locally on your Mac.

⌘ Download on the Mac App Store Try Vibe Scan →
6 AI tools scanned
0 bytes sent off-device
100+ secret patterns detected
Touch ID vault protection
$ sieve scan ~/.claude
213 sources scanned
! stripe-secret-key  sk-live-****
! github-pat        ghp_****
2 findings · vault ready
Coverage

Every AI assistant you use

Sieve knows where each tool stores its chat history and scans all of them in one pass.

🤖

Claude Code

Scans ~/.claude/ for secrets that ended up in prompts, tool calls, or file pastes.

💻

Cursor

Reads Cursor's Application Support SQLite databases where chat history is persisted.

📎

VS Code Copilot

Scans both VS Code and VS Code Insiders chat history stored in .vscdb files.

💨

Windsurf

Covers Windsurf's Application Support directory where conversation context is saved.

🧠

Codex

Scans ~/.codex/ for secrets that leaked through Codex CLI sessions.

📄

.env Files

Scans project directories you configure for .env files with exposed credentials.

How it works

Scan. Identify. Secure.

No setup required. Grant access to your AI tool folders once, then Sieve handles the rest.

1

Grant Access Once

On first launch, click Grant Access for each AI tool. A standard Open dialog pre-navigated to the right folder — you click Open once, never asked again.

2

Scan Runs Automatically

Sieve scans chat databases and .env files, matching 100+ secret patterns derived from Gitleaks rulesets — all on-device, no cloud.

3

Review Findings

Findings are shown with redacted previews — never the raw value. Each finding links to the source file, rule, and rotation status.

4

Store in Vault

Rotate your leaked key and store the new value in Sieve Vault — backed by macOS Keychain. Copying requires Touch ID.

Features

More than a scanner

Sieve is a full secrets management workflow — from detection to rotation to secure storage.

🔒

Touch ID Vault

Store rotated secrets in macOS Keychain. Copy them with Touch ID or device password. Raw values are never displayed — copy only.

🧹

SQLite Redaction

Redact secrets directly from VS Code chat database files in place. Sieve automatically backs up the database before making any changes.

🤖

MCP Integration

Local MCP server for Claude Code. Let Claude query your findings, check secret exposure, and run commands with vault-injected credentials.

📊

Rotation Tracking

Mark secrets as rotated, revoked, or rotation-due. Track which findings have been handled and which still need attention.

🔎

100+ Detection Rules

Detects Stripe keys, GitHub PATs, AWS credentials, OpenAI keys, Anthropic keys, database URLs, JWT secrets, and dozens more.

📱

Also Try Vibe Scan

Scan publicly deployed web apps for exposed secrets. Great for checking your own vibe-coded apps before sharing. vibe-scan.app →

Privacy

Your secrets stay secret

Sieve is built by a security tool for developers — privacy is non-negotiable.

📵 No network requests Scanning runs 100% on your Mac
🔑 Keychain only Secrets stored in macOS Keychain, never in the database
👮 No account needed No email, no sign-in, no cloud sync
🧪 Fingerprints only Database stores HMAC fingerprints, never plaintext