diff --git a/lib/file-action-issue.sh b/lib/file-action-issue.sh
index 834cb7b..f9458b5 100644
--- a/lib/file-action-issue.sh
+++ b/lib/file-action-issue.sh
@@ -17,7 +17,7 @@ file_action_issue() {
 FILED_ISSUE_NUM=""
 # Secret scan: reject issue bodies containing embedded secrets
- if ! scan_for_secrets "$body" 2>/dev/null; then
+ if ! scan_for_secrets "$body"; then
 echo "file-action-issue: BLOCKED — issue body for '${formula_name}' contains potential secrets. Use env var references instead." >&2
 return 4
 fi
diff --git a/lib/secret-scan.sh b/lib/secret-scan.sh
index d680e88..c06e407 100644
--- a/lib/secret-scan.sh
+++ b/lib/secret-scan.sh
@@ -79,6 +79,12 @@ scan_for_secrets() {
 redact_secrets() {
 local text="${1:-$(cat)}"
+ # Replace AWS AKIA keys
+ text=$(printf '%s' "$text" | sed -E 's/AKIA[0-9A-Z]{16}/[REDACTED]/g')
+
+ # Replace Ethereum private keys (0x + 64 hex chars)
+ text=$(printf '%s' "$text" | sed -E 's/0x[0-9a-fA-F]{64}/[REDACTED]/g')
+
 # Replace long hex strings (32+ chars) not preceded by $ (env var refs)
 text=$(printf '%s' "$text" | sed -E 's/([^$]|^)([0-9a-fA-F]{32,})/\1[REDACTED]/g')
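Review bot: Dropping the `2>/dev/null` on the `scan_for_secrets "$body"` call means whatever that function writes to stderr now reaches the caller's log output, and if its diagnostics include the matched substring rather than just the pattern name, the very secret this guard blocks would be written to the log unredacted. I cannot see scan_for_secrets here, so this is a point to confirm rather than a defect; if it does print matched text, route its stderr through the redactor that lives in the same library, `if ! scan_for_secrets "$body" 2> >(redact_secrets >&2); then`, or keep the redirect. Either way a one-line comment above the call would record the decision: `# stderr from scan_for_secrets is surfaced on purpose; it must report the pattern class only, never the matched text`. The enclosing file_action_issue function starts before and ends after this hunk.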