← All tools
AI Agents · Developer Tools

Trestle

Catches the passwords and API keys accidentally left in your code, before a leak costs you customers or cash

A local-first secret scanner that reads your code structurally, not just by pattern, so it catches secrets that do not look like secrets. Plugs straight into the AI coding loop via MCP.

Screenshot of the Trestle website

Trestle is a secret scanner that catches the passwords and API keys you accidentally leave in your code, before a leak turns into a customer or cash problem. What sets it apart is how it looks. Instead of only matching text patterns, Trestle parses each file and reads values together with the field names they belong to.

That structure-aware approach means it catches secrets that do not look like secrets. Hashed passwords, database passwords that are just ordinary words, credit card numbers, and crypto recovery phrases all get flagged where a pattern scanner would walk straight past them.

The Pro version goes a step further and detects secrets exposed to the browser, like API keys and config values that get bundled into client-side code where your end users could see them.

Privacy is a core design choice. Trestle runs fully local by default, with no network calls, no account, and no telemetry, which makes it usable in air-gapped and sensitive environments. An optional separate component can make network requests to check whether a found secret is still active.

It is built to live inside the AI coding loop, with MCP integration for assistants like Claude Code, Cursor, Copilot, and Codex, plus detailed fix guidance for both AI and humans on each detected secret in the Pro version.

Getting started is quick. One command installs a pre-commit hook so the scan runs before any commit, and there is a native VS Code extension alongside LSP support for editors like Neovim, Helix, Zed, and the JetBrains IDEs.

It is built for people writing and shipping code, so non-technical users and teams wanting a central, org-wide managed platform are not the target. For solo founders and developers who want strong secret detection right in their workflow, it is a sharp fit, and the core is free.

What we like

  • Structure-aware detection parses each file and reads values alongside their field names, catching secrets that pattern matchers miss, like hashed passwords, plain-word database passwords, card numbers, and crypto recovery phrases
  • Pro version flags secrets exposed to the browser, such as API keys bundled into client-side code where users could see them, which text-pattern scanners do not catch
  • Fully local by default with no network, account, or telemetry, so it suits air-gapped and sensitive environments, plus an optional component to check whether a found secret is still active
  • Built for the AI coding loop with MCP integration for Claude Code, Cursor, Copilot, and Codex, and fix guidance for each detected secret in the Pro version
  • Easy to install with a one-command pre-commit hook, a native VS Code extension, and LSP support for Neovim, Helix, Zed, and JetBrains IDEs

What to watch

  • Not for teams needing a central SaaS platform, org-wide dashboard, policy enforcement, role-based access, or compliance reporting, since Trestle is local-first and runs in your own environment
  • Only scans local files on disk, such as a working copy or checked-out repo and its git history, not cloud storage, databases, production systems, SaaS apps, wikis, or chat and log platforms
  • Not a vault or secrets manager, it finds and helps you rotate secrets rather than storing them
  • Not for non-technical users, it lives in the development workflow of editors, commits, and CI

Try Trestle

Free · Free tier available.

Visit Trestle →