ScanGap

Your AppSec firm isn't tracking new API key formats

A standalone $99 coverage audit your security review doesn't replace — focused on modern provider patterns slipping through annual assessments.

  • Curated patterns
  • $99 launch price
  • No charge today
gitleaks.toml · coverage diff
8 missing
  • OpenAI · sk-proj-••• · covered
  • Anthropic · sk-ant-api03-••• · covered
  • Replicate · r8_••• · covered
  • ElevenLabs · sk_••• · covered
  • Cohere · co-••• · covered
  • Mistral · •••.mistral••• · covered
  • Groq · gsk_••• · covered
  • Hugging Face · hf_••• · covered

Before audit: 0 of 8 covered, 8 missing

# your gitleaks.toml — current state
# 8 modern AI provider patterns NOT present.

[[rules]]
id          = "generic-api-key"
description = "Generic API Key"
regex       = '''(?i)api[_-]?key.{0,20}['"][A-Za-z0-9]{20,}['"]'''
# (no AI-provider-specific rules)


Coverage scope

Every audit checks all eight providers

8 / 8 providers · live coverage

These are the AI-provider key formats most likely to be leaking from a 2026 codebase — and the ones community scanner rule packs are slowest to refresh.

  • OpenAI (audited): sk-proj- + 132 chars + T3BlbkFJ suffix
  • Anthropic (audited): sk-ant-api03- + 93 base64 chars + AA suffix
  • Replicate (audited): r8_ + 37 alphanumeric chars
  • ElevenLabs (audited): sk_ + 48 hex chars
  • Cohere (audited): co- + 40 alphanumeric chars
  • Mistral (audited): 32 chars + .mistral suffix
  • Groq (audited): gsk_ + 52 alphanumeric chars
  • Hugging Face (audited): hf_ + 34 alphanumeric chars


Why this audit, now

The gap your scanner doesn't flag is the one that hurts.

Reserve before your next renewal cycle so the report is on hand when the questionnaire lands. Reservations lock in the $99 launch price before the live checkout opens.

gap 01

Annual AppSec reviews don't refresh scanner pattern coverage between engagements.

gap 02

Cyber insurance questionnaires ask 'do you scan for secrets' — not 'do you scan for the keys you actually use'.

gap 03

SOC 2 auditors check that scanning exists, not whether the rules are current.

What you receive

A point-in-time coverage audit you can attach to a security questionnaire or hand to your AppSec firm as scoped follow-up work.

Designed as a signed PDF report with a coverage score and a specific rule-addition checklist — not a tool subscription. Coverage rules are curated from real provider docs and unit-tested before shipping; we use these keys ourselves, so missing patterns get caught against our own configs first.

01 · Diagnosis

A coverage score for every modern AI provider

We compare your scanner's active rules against eight current AI-provider key formats and produce a side-by-side coverage map. You see, in one diagram, which providers you cover and which you don't.

  • Side-by-side coverage map for all 8 providers
  • One coverage score (0–100), unambiguous
[Diagram: coverage map · diagnosis. Illustrative per-provider gaps: OpenAI 88%, Anthropic 100%, Replicate 65%, ElevenLabs 82%, Cohere 76%, Mistral 92%, Groq 100%, Hugging Face 59%. Coral = current gap; amber tick = where ScanGap rules would land.]

02 · Deliverable

A 2–3 page PDF, not a dashboard you'll forget about

The report will include the coverage score, the specific gaps we found, and the exact TOML/YAML rule snippets that close each one — copy-paste ready. No login, no dashboard, no recurring bill.

  • TOML / YAML / JSON rule snippets ready to paste
  • Signed PDF — attachable to any questionnaire
[Image: Preview of a ScanGap audit report on a dark dashboard surface — a coverage map of eight AI provider rows with amber and moss indicators and coral missing-pattern tags, alongside a 62% coverage score donut and a Gitleaks rule snippet highlighted in amber.]
03 · Methodology

Curated patterns against a maintained checklist

Coverage rules are documented from each provider's real key format and unit-tested against live fixtures — not LLM-generated guesses. We use these keys ourselves, so missing patterns get caught against our own configs first.

  • Pattern set updated when vendors ship new formats
  • Every regex has a unit-tested fixture
[Image: Top-down hierarchical diagram showing a key-pattern string fanning into multiple moss-green matched rule paths with one coral missed match.]
Curated, not generated

We use these keys ourselves. The library comes from reading provider docs and breaking our own keys — not from prompting an LLM.

You already know what happens when you ask GPT for “a regex matching OpenAI keys”: a confident-looking pattern that over-matches generic strings or misses the actual format. Every regex in our coverage library is documented from each provider's real key spec and unit-tested against a real fixture before it ships in your report.

Common questions

Honest answers to the questions we hear most.

Still on the fence? Drop your question in the waitlist form above — a real person replies, usually within a day.

Doesn't my AppSec firm handle this?

Almost certainly not between engagements. Annual penetration tests and security reviews don't refresh scanner rule packs as new providers ship new key formats. ScanGap is the gap between those reviews — a point-in-time coverage audit you can hand back to them, or staple to a questionnaire.

Isn't GitGuardian free?

GitGuardian's free tier is excellent at what it does, but its public detector library is community-maintained and frequently lags behind new provider formats (Anthropic's 2026 key prefix, OpenAI's project keys, Mistral and Groq's launches). We audit whatever scanner you already run — including GitGuardian — against a current AI-provider pattern set.

What if my scanner config doesn't have AI-key rules at all?

That's the most common finding. The audit lists every provider you're missing alongside the exact rule blocks for your scanner — Gitleaks TOML, Semgrep YAML, or TruffleHog JSON — so you can paste them straight into your existing config. Same scanner, same workflow, just complete coverage.

What scanners do you support?

Gitleaks, TruffleHog, Semgrep, and GitHub Secret Scanning (custom patterns). If you run something else, reserve with a note and we'll confirm whether your config is supported before the launch email goes out.

Why $99 and not a subscription?

Because the audit is a discrete deliverable, not a tool. One report, one paste, done — no login, no monthly bill, no dashboard to babysit. Continuous monitoring exists as a separate $99/mo tier you can opt into on the reservation form if you'd rather subscribe than re-audit.

When does this launch?

ScanGap is in a 7-day private validation window right now. If reservations clear the threshold we set internally, we build the parser, pattern library, and automated report generator across the following two weeks — so the live checkout email lands ~2–3 weeks after you reserve. If we decide not to build, you get one short email saying so and your reservation is closed out. No card is taken either way until the live product ships.

Am I being charged today?

No. Reserving puts your work email on the launch list at the $99 price and fires a single intent signal we use to decide whether to build. No payment method is collected on this site. The first time a card is involved is the live checkout email we send when the audit goes live.

Ready when you are



Private validation: ScanGap is in a 7-day demand test. No card is taken. We email each reservation once with the live checkout when the audit ships — or once with a short note if we decide not to build it.