Secret detection uses pattern-based scanning to identify exposed credentials, API keys, and sensitive data in your codebase, git history, and configuration files.

What We Detect

API Keys & Tokens

AWS, Azure, GCP, GitHub, and 200+ services

Database Credentials

Connection strings and passwords

Private Keys

SSH keys and TLS certificates

Authentication Tokens

JWTs and OAuth tokens

Detection Methods

Pattern-Based Detection

Deterministic matching of regular expressions against known secret formats, combined with high-entropy string analysis to catch credentials that have no fixed format.
# AWS Access Key detected
aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"
aws_secret_access_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"

# Severity: Critical
# Recommendation: Rotate immediately

Contextual Analysis

Contextual analysis reduces false positives by examining the code around a match. Placeholders like "your-api-key-here" are automatically excluded.
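To illustrate how the pattern-based and contextual steps above fit together, here is an added example (not CodeThreat's own scanner) that matches the AWS access key format, scores other quoted values by Shannon entropy, and drops known placeholders; the sample lines, the placeholder list and the 4.0-bit threshold are constructed assumptions.

```python
import math
import re

# Constructed sample input: a few config-style lines, not taken from any real repository.
SAMPLE_LINES = [
    'aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"',
    'aws_secret_access_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"',
    'api_key = "your-api-key-here"',
    'db_password = "password"',
    'token = "r9Qx7vLm2ZpK4sT8wYb3NcD6hJ1fG5aE"',
]

# Known-format rule: AWS access key IDs are "AKIA" followed by 16 uppercase alphanumerics.
AWS_ACCESS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")

# Generic rule: a quoted value assigned to a name; the name gives us context.
ASSIGNMENT_RE = re.compile(
    r"(?P<name>[A-Za-z_][A-Za-z0-9_]*)\s*[=:]\s*[\"'](?P<value>[^\"']+)[\"']"
)

# Assumed placeholder list; a real scanner ships a much larger one.
PLACEHOLDERS = {"your-api-key-here", "changeme", "password", "xxx"}


def shannon_entropy(s: str) -> float:
    """Bits per character: random base64-like secrets score high, English words low."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def scan_line(line: str, entropy_threshold: float = 4.0) -> list:
    """Return findings for one line: known-format matches first, then high-entropy values."""
    findings = []
    for m in AWS_ACCESS_KEY_RE.finditer(line):
        findings.append({"kind": "aws_access_key_id", "value": m.group(0), "severity": "critical"})
    m = ASSIGNMENT_RE.search(line)
    if m:
        value = m.group("value")
        # Contextual exclusion: documented placeholders and already-reported keys are skipped.
        if value.lower() in PLACEHOLDERS or AWS_ACCESS_KEY_RE.fullmatch(value):
            return findings
        if len(value) >= 20 and shannon_entropy(value) >= entropy_threshold:
            findings.append({"kind": "high_entropy", "value": value, "severity": "high"})
    return findings


def scan_lines(lines) -> list:
    """Scan every line and flatten the findings, preserving line order."""
    return [f for line in lines for f in scan_line(line)]
```

Running `scan_lines(SAMPLE_LINES)` reports the AWS key ID, the AWS secret and the random token, while the two placeholder values produce nothing.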

Scan Coverage

Source Code

Scans all code files across supported languages: Python, JavaScript, TypeScript, Java, Go, Ruby, PHP, C/C++, C#, Shell scripts, and more.

Configuration Files

  • Environment files (.env, .env.local)
  • Config files (config.json, settings.yml)
  • CI/CD configs (.github/workflows, .gitlab-ci.yml)
  • Docker and Kubernetes configs

Git History

Secrets remain in git history even after they are removed from the working tree. CodeThreat scans the full commit history to detect past exposures.
codethreat secrets scan --include-history

Secret Types

Cloud Provider Credentials

  • AWS: Access keys, session tokens, account IDs
  • Azure: Connection strings, storage keys, service principals
  • GCP: Service account JSON files, API keys

Third-Party Services

  • Development: GitHub, GitLab, NPM, Docker Hub tokens
  • Payment: Stripe, PayPal credentials
  • Communication: Slack, Twilio, SendGrid API keys
  • Monitoring: Datadog, Sentry, PagerDuty tokens

Remediation

Immediate Actions

  1. Revoke exposed credential via service provider
  2. Generate new credential
  3. Update all systems using the credential
  4. Remove secret from git history if publicly exposed

Secret Management

Integrate with secret management services:
  • HashiCorp Vault
  • AWS Secrets Manager
  • Azure Key Vault
  • GCP Secret Manager

Configuration

Configure secret detection in repository settings:
  • Enable/disable secret scanning
  • Set entropy threshold
  • Configure scan paths
  • Exclude test files and mock data

Best Practices

  • Never commit secrets to version control
  • Use environment variables or secret managers
  • Scan regularly on all branches
  • Rotate exposed credentials immediately
  • Audit secret access regularly
