CleanMyPrompt | 2026-05-22 | CleanMyPrompt Team | 3 min read

Introducing CleanMyPrompt for VS Code — Stop Leaking Secrets to GitHub Copilot

Every time you paste code into GitHub Copilot Chat or send context via Copilot, you might be sending API keys and PII with it. The CleanMyPrompt VS Code extension fixes this silently, right in your editor.

Tags: vscode, copilot, security, secrets, ide

You're Probably Leaking Secrets to Your AI Coding Assistant

When you use GitHub Copilot Chat, you typically paste context — a file, a function, a config snippet. If that context contains an API key, a database password, or a customer email, it goes straight to the model.

The same is true for other AI-in-the-editor tools: Cursor, Cline, Windsurf, Tabnine. They all operate on whatever text is in your editor.

The CleanMyPrompt VS Code extension sits between your file and your AI assistant. It scans open files, highlights findings inline, and lets you redact with one click — before you paste anything.

How It Works

Install from the VS Code Marketplace by searching CleanMyPrompt (publisher: cleanmyprompt), or install the VSIX directly.

Once installed, you get three capabilities:

1. Inline Diagnostics — See Secrets Highlighted in Real Time

Open any file and CleanMyPrompt immediately underlines detected secrets with diagnostic markers. Hover over the underline and you see:

  • The finding type (OPENAI-KEY, EMAIL, ANTHROPIC-KEY, etc.)
  • The severity (HIGH / MEDIUM / LOW)
  • A hint: "Run 'CMP: Fix File' to redact"

This is powered by the VS Code diagnostics API — the same mechanism ESLint uses. It integrates seamlessly with the Problems panel (Cmd+Shift+M).

2. One-Command Redaction

Open the command palette (Cmd+Shift+P) and run:

  • CMP: Scan File — shows findings for the current file in the Problems panel
  • CMP: Fix File — replaces all secrets in-place with safe placeholders
  • CMP: Squeeze File — compresses tokens (removes comments, unused imports, whitespace)
  • CMP: Fix All Open Files — sweeps all open editor tabs at once

Redacted values look like this in your code:

const client = new OpenAI({ apiKey: "[OPENAI-KEY]" });
const client = new Anthropic({ apiKey: "[ANTHROPIC-KEY]" });
const email = "[EMAIL]";

The placeholders are clearly labeled and machine-reversible — you know exactly what was there.

3. Scan Before Copying Context to Copilot

The recommended workflow:

  1. Open the file you're about to use as Copilot context
  2. Run CMP: Scan File — see the findings
  3. Run CMP: Fix File — redact them
  4. Now paste safely into Copilot Chat or reference the file

Or, if you want a clean workspace every session:

  1. Run CMP: Fix All Open Files once
  2. Everything is redacted, then proceed with your Copilot session

What Gets Detected

The extension uses the same detection engine as the CLI, with three priority tiers:

HIGH (always redacted first):

  • OpenAI keys (sk-...), Anthropic keys (sk-ant-...), Google AI, AWS, GitHub tokens
  • Generic bearer tokens, base64 credentials
  • Private key PEM headers (-----BEGIN RSA PRIVATE KEY-----)

MEDIUM:

  • Email addresses, US phone numbers, SSNs, credit card numbers, IBANs

LOW:

  • Hardcoded variable assignments (SECRET_KEY = "...", process.env.TOKEN = "...")

The engine uses two-pass deduplication — when a HIGH finding overlaps a LOW one, HIGH always wins. You won't see a generic [HARDCODED-SECRET] tag when the value is actually an Anthropic key.

It Doesn't Touch What It Shouldn't

The extension includes negative-lookahead patterns that skip already-redacted values. If you run CMP: Fix File and then scan again, you'll get zero findings — because [OPENAI-KEY] is not treated as a secret. Re-running fix is idempotent.
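The two behaviours above (HIGH-over-LOW deduplication and skipping already-redacted values) in one added example. This is illustrative code, not the extension's own engine; the rule regexes, the `RULES`/`PRIORITY` names and the sample input are assumptions chosen for the demonstration.

```javascript
// Added example, not CleanMyPrompt's code; regexes are simplified stand-ins.
const PRIORITY = { HIGH: 3, MEDIUM: 2, LOW: 1 };
// The LOW rule's `(?!\[)` negative lookahead refuses values that already
// start with a placeholder bracket, which keeps re-running the fix idempotent.
const RULES = [
  { tag: "ANTHROPIC-KEY", sev: "HIGH", re: /sk-ant-[A-Za-z0-9_-]{20,}/g },
  { tag: "OPENAI-KEY", sev: "HIGH", re: /sk-(?!ant-)[A-Za-z0-9]{20,}/g },
  { tag: "EMAIL", sev: "MEDIUM", re: /[\w.+-]+@[\w-]+\.[\w.-]+/g },
  { tag: "HARDCODED-SECRET", sev: "LOW",
    re: /(?<=\b(?:SECRET_KEY|TOKEN|API_KEY)\s*=\s*")(?!\[)[^"\n]+(?=")/g },
];

// Pass 1: collect every candidate match from every rule.
function findSecrets(text) {
  const found = [];
  for (const { tag, sev, re } of RULES) {
    for (const m of text.matchAll(re)) {
      found.push({ start: m.index, end: m.index + m[0].length, tag, sev });
    }
  }
  return found;
}

// Pass 2: highest priority first; drop anything overlapping a kept finding,
// so a key sitting inside SECRET_KEY = "..." is tagged as the key, not LOW.
function dedupe(findings) {
  const ordered = [...findings].sort(
    (a, b) => PRIORITY[b.sev] - PRIORITY[a.sev] || a.start - b.start);
  const kept = [];
  for (const f of ordered) {
    if (!kept.some((k) => f.start < k.end && k.start < f.end)) kept.push(f);
  }
  return kept.sort((a, b) => a.start - b.start);
}
// Splice placeholders in from the end so earlier offsets stay valid.
function redact(text) {
  const findings = dedupe(findSecrets(text));
  let out = text;
  for (const f of [...findings].reverse()) {
    out = out.slice(0, f.start) + `[${f.tag}]` + out.slice(f.end);
  }
  return { text: out, findings };
}
// Constructed sample input; the key strings are made-up, not real credentials.
const SAMPLE = [
  'const client = new Anthropic({ apiKey: "sk-ant-api03-EXAMPLEKEYEXAMPLEKEY0001" });',
  'SECRET_KEY = "sk-EXAMPLEOPENAIKEY000000000000"',
  'const email = "alice@example.com";',
].join("\n");
```

Running `redact(SAMPLE)` yields three findings (ANTHROPIC-KEY, OPENAI-KEY, EMAIL) with the LOW match on the second line discarded; running `redact` again on the output reports zero findings and returns the text unchanged.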

Token Squeeze in the Editor

If you're using Copilot for code review or explanation, you often paste large files as context. The squeeze command removes noise before it counts against your context window:

  • Strips single-line and block comments
  • Removes unused import statements (supports import Default, import { Named }, and import Default, { Named } forms)
  • Collapses excessive blank lines
  • Deduplicates repeated text blocks

Result: a file that costs 40–50% fewer tokens to send as context — measurable savings if you're on a usage-based Copilot plan.
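The unused-import step of the squeeze, as an added example that is not the extension's own implementation: it handles the three import forms listed above and treats a binding as used only if it appears as a whole word outside the import lines. The regex, function names and sample file are assumptions made for this illustration.

```javascript
// Added example, not CleanMyPrompt's code. Groups: 1/2 = default + named
// (`import D, { A } from "m"`), 3 = default only, 4 = named only, 5 = module.
const IMPORT_RE =
  /^import\s+(?:(\w+)\s*,\s*\{([^}]*)\}|(\w+)|\{([^}]*)\})\s+from\s+(['"][^'"]+['"]);?\s*$/;
// Returns { def, named: [{ spec, local }], mod } or null for a non-import line.
function parseImport(line) {
  const m = IMPORT_RE.exec(line);
  if (!m) return null;
  const named = (m[2] ?? m[4] ?? "").split(",").map((s) => s.trim())
    .filter(Boolean).map((spec) => {
      const [name, alias] = spec.split(/\s+as\s+/);   // `x as y` binds y locally
      return { spec, local: alias || name };
    });
  return { def: m[1] || m[3] || null, named, mod: m[5] };
}

// A binding counts as used if it occurs as a whole word anywhere outside
// the import lines (a textual check, not a scope-aware one).
function stripUnusedImports(src) {
  const lines = src.split("\n");
  const parsed = lines.map(parseImport);
  const body = lines.filter((_, i) => !parsed[i]).join("\n");
  const used = (name) => new RegExp(`\\b${name}\\b`).test(body);
  const out = [];
  lines.forEach((line, i) => {
    const p = parsed[i];
    if (!p) { out.push(line); return; }          // not an import: keep as-is
    const def = p.def && used(p.def) ? p.def : null;
    const named = p.named.filter((n) => used(n.local)).map((n) => n.spec);
    if (!def && named.length === 0) return;      // nothing referenced: drop
    const parts = def ? [def] : [];
    if (named.length) parts.push(`{ ${named.join(", ")} }`);
    out.push(`import ${parts.join(", ")} from ${p.mod};`);   // rewrite trimmed
  });
  return out.join("\n");
}

// Constructed sample: useEffect, fs and path are never referenced.
const SAMPLE = [
  'import React from "react";',
  'import { useState, useEffect } from "react";',
  'import fs, { readFileSync as read } from "fs";',
  'import path from "path";',
  '',
  'export function Counter() {',
  '  const [n, setN] = useState(0);',
  '  return React.createElement("div", null, read("count.txt"));',
  '}',
].join("\n");
```

`stripUnusedImports(SAMPLE)` keeps `React`, narrows the second import to `{ useState }`, drops the unused `fs` default while keeping `{ readFileSync as read }`, and removes the `path` import entirely.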

Privacy: Your Code Never Leaves Your Machine

The extension processes everything locally. No code, no file contents, no metadata is sent to CleanMyPrompt servers. The extension has no telemetry, no analytics, no network calls of its own. It reads your file, processes it, writes it back. That's it.

Free for Personal Use

The extension is free for individual developers and personal use. If your team or organization deploys it across an engineering org — as part of a standardized developer toolchain — a commercial license applies. See pricing.

Install It Now

Search for CleanMyPrompt in the VS Code Marketplace, or go to cleanmyprompt.io/vscode for the direct link and full documentation.

The extension is version 1.1.1, which includes all current bug fixes: correct Anthropic key tagging, full unused-import stripping, false-positive suppression on already-redacted files, and priority-correct deduplication.

If Copilot is part of your daily workflow, this is the one extension worth installing before anything else.
