LocalMask scans your repo, masks every secret and every piece of organizational data and PII into safe tokens, and lets you share code with AI — without leaking passwords, internal hostnames, or company details.
LocalMask runs entirely on your machine. It scans your repo, masks every credential, key, and piece of PII or organizational data into reversible tokens, then sends only safe tokens to Claude, GPT, or Gemini. Answers come back and get rehydrated locally — you stay in full control, and the real secrets never leave your local environment.
# payments-service/.env — sent to Claude
DATABASE_URL=postgres://payments_rw~[DB_USER_0]~:pV9$kQ2!zR~[PASSWORD_0]~@db-prod-01.acme.internal~[HOST_0]~:5432~[PORT_0]~/payments~[DB_NAME_0]~
STRIPE_SECRET_KEY=sk_live_51MspeZv8Klo2CqR7xY~[API_KEY_0]~
JWT_SIGNING_KEY=hs256-9f3a7c1e8b2d4061~[API_KEY_1]~
AWS_ACCESS_KEY_ID=AKIA5J7QX9P2M4RTUVWX~[AWS_KEY_0]~
ONCALL_EMAIL=dana.cohen@acme-bank.com~[EMAIL_0]~
INTERNAL_API=https://vault.acme.internal~[HOST_1]~/v2
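As an added illustration (not LocalMask's own code), the Python below shows one way reversible masking and local rehydration can work, using the ~[TYPE_N]~ token format from the sample above. The detection rules, the Masker class and the sample values are constructed for this example.

```python
import re

# Constructed detectors (assumptions, not LocalMask's rule set); group 1 is the secret.
RULES = [
    ("PASSWORD", re.compile(r"://[^:/@\s]+:([^@\s]+)@")),
    ("AWS_KEY", re.compile(r"\b(AKIA[0-9A-Z]{16})\b")),
    ("HOST", re.compile(r"\b([\w-]+(?:\.[\w-]+)*\.internal)\b")),
    ("EMAIL", re.compile(r"([\w.+-]+@[\w-]+(?:\.[\w-]+)+)")),
]
TOKEN_RE = re.compile(r"~\[[A-Z_]+_\d+\]~")

class Masker:
    def __init__(self):
        self.token_for = {}   # real value -> token, so a repeated value maps to one token
        self.value_for = {}   # token -> real value; this table stays on the local machine
        self.counters = {}    # per-label counter for the _N suffix

    def _token(self, label, value):
        if value not in self.token_for:
            n = self.counters[label] = self.counters.get(label, -1) + 1
            token = f"~[{label}_{n}]~"
            self.token_for[value] = token
            self.value_for[token] = value
        return self.token_for[value]

    def mask(self, text):
        for label, pattern in RULES:
            def swap(m, label=label):
                start, end = m.start(1) - m.start(), m.end(1) - m.start()
                return m.group(0)[:start] + self._token(label, m.group(1)) + m.group(0)[end:]
            text = pattern.sub(swap, text)
        return text

    def leaks(self, text):
        # Real values still present in text that is about to leave the machine.
        return [value for value in self.token_for if value in text]

    def rehydrate(self, text):
        # Tokens with no table entry (e.g. invented by the model) are left untouched.
        return TOKEN_RE.sub(lambda m: self.value_for.get(m.group(0), m.group(0)), text)

# Constructed sample input (placeholder values, not real credentials).
SAMPLE = """DATABASE_URL=postgres://app_rw:example-pass@db-01.corp.internal:5432/app
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
ONCALL_EMAIL=oncall@example.com
INTERNAL_API=https://db-01.corp.internal/v2
"""
if __name__ == "__main__":
    print(Masker().mask(SAMPLE))
```

Running `leaks()` on the masked text before it is sent is a cheap last check that no known value slipped past the substitution; it cannot find secrets the rules never detected.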
Free & open source on GitHub — run it entirely offline with the CLI + MCP server.
Annual licenses, validated offline (no monthly re-activation, no phone-home). Keys are per seat.
Then localmask publish <scan> <masked-repo-url> creates a private masked
git mirror your AI tools can safely read. Once we're on PyPI you'll also be able to
pip install localmask.
Works with GitHub, GitLab, Bitbucket, self-hosted git & Google Secure Source Manager.
Git access tokens are handled via GIT_ASKPASS — never in a URL, process args, or
.git/config — and only masked content is ever pushed. In the free version you use your
own AI (paste the masked files or point it at the mirror); Pro adds built-in Ask-AI + the proxy.
Full guide & security on GitHub →
100% local. 100% your control. We're opening a small private beta — leave your email and we'll reach out when it's ready.