thiel scans your source code for accidentally committed API keys, tokens, and private keys — and blocks them at git push before anything reaches the remote.
“every great business is built on a secret. keep yours out of git.”
$ git push origin main
› thiel scanning 247 git-tracked files...
✗ src/config/aws.py:14
AWS Secret Access Key
AWS_SECRET = "wJalrXUtnFEMI/K7MDENG/bPxR..."
✗ .env.example:3
OpenAI API Key
OPENAI_KEY=sk-proj-abc123def456ghi789jkl...
✗ scripts/deploy.sh:8
GitHub Personal Access Token
TOKEN=ghp_xxxxxxxxxxxxxxxxxxxxxxxxx
3 secrets found. push blocked.
error: failed to push some refs to originaws, openai, anthropic, github, stripe, slack, twilio, sendgrid, mailgun, huggingface, databricks, and more.
scans only tracked files by default. pre-push hook scans just the diff being pushed — not your whole tree.
installs as a git pre-push hook with one command. if a secret is found, the push is rejected before the remote ever sees it.
ignores obvious dummies like your_api_key, example, changeme, xxxxxx — so you only see signal, not template noise.
rsa, ec, dsa, openssh, and generic hardcoded passwords. catches the long-tail formats grep would miss.
single python binary. skips binaries, lock files, and build artifacts automatically. no config file to maintain.
$ pip install thielsingle command. python 3.11+, no other dependencies. drops a `thiel` binary on your path.
$ thiel installregisters a git pre-push hook in the current repo. every future `git push` is scanned automatically.
✓ no secrets found — push allowedscan runs on the diff being pushed. clean push goes through. dirty push is blocked with a clear file:line report.
pip install thielpipx install thieluv tool install thiel