CleanMyPrompt
2026-05-22 · CleanMyPrompt Team · 3 min read

Introducing the CleanMyPrompt CLI — Scan and Redact Secrets in Your Git Workflow

Stop leaking API keys and PII into version control. The CleanMyPrompt CLI scans, redacts, and compresses files before they ever touch your codebase — with git pre-commit hooks, CI/CD support, and SARIF output.

Tags: cli, security, secrets, git, devops

The Problem: Secrets Don't Stay Secret

It happens constantly. A developer pastes a quick test snippet — OPENAI_API_KEY=sk-... — and commits it. By the time it's noticed, it's in the history, possibly in a CI log, potentially scraped by bots. The GitHub Secret Scanning alert fires at 2am.

Most secrets-in-code tools focus on detection. They scan, alert, and leave the remediation to you. The CleanMyPrompt CLI both detects and fixes — automatically replacing secrets with safe, searchable placeholders before they ever leave your machine.

What Is the CleanMyPrompt CLI?

cleanmyprompt is a zero-dependency Node.js CLI (TypeScript, bundled to a single file) that you install once and forget about:

npm install -g cleanmyprompt

It gives you five commands:

Command             What it does
cmp scan <file>     Detects secrets, PII, and API keys — outputs a findings table
cmp fix <file>      Redacts in place, replacing values with [OPENAI-KEY], [EMAIL], etc.
cmp squeeze <file>  Compresses tokens (removes whitespace, comments, redundant syntax)
cmp install-hook    Installs a git pre-commit hook in your repo
cmp uninstall-hook  Removes the hook

The Secret Categories

The CLI uses three priority tiers:

HIGH — Secrets & Tokens

  • OpenAI, Anthropic, Google, AWS, GitHub, Slack, Stripe, Twilio API keys
  • Generic bearer tokens and base64-encoded credentials
  • Private key PEM headers

MEDIUM — PII

  • Email addresses, phone numbers, SSNs, credit card numbers, IBANs

LOW — Code Patterns

  • Hardcoded variable assignments like api_key = "..." or process.env.SECRET = "..."

When a high-priority finding overlaps a low-priority one, the high-priority redaction wins, so a generic [HARDCODED-SECRET] placeholder never swallows an Anthropic key and hides what was actually leaked.
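The overlap rule above, as an added example (not the cleanmyprompt source code): each rule records the span it matched, spans are ordered by tier, and any span overlapping an already-accepted higher-tier span is dropped before redaction. The regexes, labels and sample input are simplified stand-ins constructed for illustration, not the CLI's real detection rules.

```javascript
// Added example (not the cleanmyprompt source): resolving overlapping findings so a
// HIGH-tier secret is never swallowed by a LOW-tier code-pattern match.
// The regexes are simplified stand-ins for illustration, not the CLI's real rules.
const PRIORITY = { HIGH: 3, MEDIUM: 2, LOW: 1 };

// A rule may name a capture group when only part of the match is the secret:
// the LOW rule matches the whole assignment, but only the quoted value is redacted.
const RULES = [
  { label: "ANTHROPIC-KEY", tier: "HIGH", re: /sk-ant-[A-Za-z0-9_-]{20,}/g },
  { label: "EMAIL", tier: "MEDIUM", re: /[\w.+-]+@[\w-]+\.[\w.]+/g },
  { label: "HARDCODED-SECRET", tier: "LOW", group: 1,
    re: /\b(?:api_key|secret|token)\s*=\s*"([^"]+)"/gi },
];

// Run every rule and record each hit as a span {start, end, label, tier}.
function findAll(text) {
  const findings = [];
  for (const rule of RULES) {
    for (const m of text.matchAll(rule.re)) {
      const value = rule.group ? m[rule.group] : m[0];
      const start = m.index + m[0].indexOf(value);
      findings.push({ start, end: start + value.length, label: rule.label, tier: rule.tier });
    }
  }
  return findings;
}

// Highest tier first; a span that overlaps an already-kept span is dropped.
function resolve(findings) {
  const byTier = [...findings].sort(
    (a, b) => PRIORITY[b.tier] - PRIORITY[a.tier] || a.start - b.start);
  const kept = [];
  for (const f of byTier) {
    if (!kept.some(k => f.start < k.end && k.start < f.end)) kept.push(f);
  }
  return kept.sort((a, b) => a.start - b.start);
}

// Replace kept spans from right to left so earlier offsets stay valid.
function redact(text) {
  let out = text;
  for (const f of resolve(findAll(text)).reverse()) {
    out = out.slice(0, f.start) + `[${f.label}]` + out.slice(f.end);
  }
  return out;
}

// Constructed sample: a HIGH key sitting inside a LOW "hardcoded assignment" pattern.
const SAMPLE = 'api_key = "sk-ant-abcdefghij1234567890"\ncontact = "ops@example.com"\n';
```

Running `redact(SAMPLE)` yields `api_key = "[ANTHROPIC-KEY]"` rather than `api_key = "[HARDCODED-SECRET]"`, while a plain `token = "hunter2"` line with no higher-tier match still gets the LOW placeholder.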

Why the Pre-Commit Hook Changes Everything

The real power isn't the scan command — it's the git hook:

cd your-project
cmp install-hook

This writes a .git/hooks/pre-commit script. Every time you git commit, the hook scans all staged files. If secrets are found, the commit is blocked and you see exactly what was caught:

[CleanMyPrompt] Scanning staged files...

  secrets.ts
  ✗ OPENAI-KEY      HIGH   Line 3
  ✗ ANTHROPIC-KEY   HIGH   Line 7
  ✗ EMAIL           MEDIUM Line 12

[CleanMyPrompt] ⚠ Commit blocked — 3 secrets found. Run `cmp fix <file>` to redact.

No configuration, no YAML, no cloud account. It just works.

CI/CD and SARIF Output

For teams using GitHub Actions, the CLI supports SARIF output — the standard format that GitHub's Security tab understands:

cmp scan src/ --format sarif > results.sarif

Drop this into your workflow and secrets findings appear as code scanning alerts, with file, line, and severity — viewable inline on pull requests.

# .github/workflows/secrets-scan.yml
name: Secrets scan
on: [push, pull_request]
permissions:
  security-events: write   # needed for upload-sarif to write code scanning alerts
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Scan for secrets
        run: npx cleanmyprompt scan src/ --format sarif > results.sarif
      - name: Upload SARIF
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif

Works On What You Already Have

The CLI handles TypeScript, JavaScript, Python, Go, .env files, JSON, YAML, and plain text — anything where text patterns can be matched. It's not language-aware (no AST parsing), which means it's fast and works on any file format.

One practical use: before you share a debug log, error trace, or config dump with your team:

cmp scan debug.log
cmp fix debug.log
cat debug.log   # now safe to share

Token Squeeze: Cut Costs Before You Prompt

Alongside security, the CLI includes a token squeezer. If you're batch-processing files to send as context to an LLM, squeeze first:

cmp squeeze context.ts --level aggressive
# Before: 2,847 tokens
# After:  1,391 tokens (51% reduction)

It removes comments, strips unused imports, collapses whitespace, and deduplicates repeated patterns. At scale — running a context window over thousands of files — this pays for the install in the first hour.

Free for Personal Use

The CLI is free for personal use, open-source projects, and individual developers. No API key, no account, no telemetry.

For teams using it in a commercial product, CI pipeline, or as part of a paid service — a commercial license is required. See the pricing page for details.

Get Started

npm install -g cleanmyprompt

# Scan a file
cmp scan myfile.ts

# Redact secrets
cmp fix myfile.ts

# Install the git hook in your current repo
cmp install-hook

Full documentation and all commands: cleanmyprompt.io/cli

If you hit a bug or have a feature request, open an issue — or run cmp scan on your own codebase and let us know what you find.
