v3.0.0 - Secrets Detection Engine
Secrets Detection Engine
The most critical capability for any organisation - a hardcoded secret is the breach.
What's New
- 60+ regex patterns across eight provider categories (Cloud, AI/ML, Version Control, Payment, Communications, Cryptographic Keys, Database, Generic)
- Git history scan - catches secrets deleted from HEAD that still live in every past commit and every clone. Deleting or rewriting history does not revoke anything; a secret found here must be rotated.
- Shannon entropy analysis (4.6 bits-per-character threshold) - detects generic secrets with no known pattern. Note the alphabet limit: a hex-encoded string cannot exceed 4.0 bits per character, so hex secrets are only caught by a pattern, and base64 blobs, hashes and minified assets can trip the threshold, so expect to tune allowlists per file type.
- Blast radius assessment - every finding explains exactly what an attacker gains
- Secret redaction - only first 6 chars shown, full values never stored
- Integrated into main scan pipeline - runs automatically on every repo scan
- Standalone dashboard panel - scan any path or GitHub URL independently
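A minimal scanner that puts the four mechanisms above together: regex patterns with a blast-radius note per pattern, a Shannon-entropy pass (in bits per character, 4.6 threshold) for strings no pattern knows, first-6-character redaction, and an input path that accepts `git log -p` output so history is covered. This is an added illustration, not the engine's own code: the pattern set, regexes, blast-radius wording and the `SAMPLE` config are my approximations and constructed data, and `AKIAIOSFODNN7EXAMPLE` is AWS's published example key ID.

```python
"""Toy secrets scanner (added example; regexes are approximations of public token formats)."""
import math
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

ENTROPY_THRESHOLD = 4.6   # bits per character, as in the page's generic-secret check
REDACT_CHARS = 6          # the page shows only the first 6 characters of a hit

# (name, regex, blast radius). Assumed formats, not the project's pattern set.
PATTERNS: List[Tuple[str, "re.Pattern[str]", str]] = [
    ("aws_access_key_id", re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
     "with its secret key: full API access as that IAM principal"),
    ("github_pat", re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
     "acts as the user: read/push repos, open PRs, read org data"),
    ("stripe_live_secret", re.compile(r"\bsk_live_[0-9A-Za-z]{24,}\b"),
     "charges, refunds and payouts against the live account"),
    ("private_key", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |PGP )?PRIVATE KEY(?: BLOCK)?-----"),
     "impersonate the key holder: decrypt, sign or log in as them"),
    ("hardcoded_password", re.compile(r"(?i)password\s*[=:]\s*['\"][^'\"]{6,}['\"]"),
     "whatever the password protects, and likely reused elsewhere"),
]

# Tokens worth an entropy check: long runs of base64/url-safe characters.
CANDIDATE = re.compile(r"[A-Za-z0-9+/=_\-]{20,}")


@dataclass
class Finding:
    line: int
    kind: str
    redacted: str
    blast_radius: str
    entropy: Optional[float] = None


def shannon_entropy(s: str) -> float:
    """Shannon entropy of s in bits per character (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def redact(value: str) -> str:
    """Keep only the first REDACT_CHARS characters; the full value is never kept."""
    return value[:REDACT_CHARS] + "..."


def scan_text(text: str) -> List[Finding]:
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        covered = []  # spans already explained by a pattern; skip entropy there
        for name, rx, blast in PATTERNS:
            for m in rx.finditer(line):
                covered.append(m.span())
                findings.append(Finding(lineno, name, redact(m.group()), blast))
        for m in CANDIDATE.finditer(line):
            if any(m.start() < e and s < m.end() for s, e in covered):
                continue
            h = shannon_entropy(m.group())
            if h >= ENTROPY_THRESHOLD:
                findings.append(Finding(lineno, "high_entropy_string", redact(m.group()),
                                        "unknown credential; treat as live until proven otherwise",
                                        round(h, 2)))
    return findings


# Constructed sample config (not a real repository). Line 6 is a SHA-256 digest:
# 16-symbol alphabet, so its entropy can never reach 4.6 and it is correctly skipped.
SAMPLE = """\
# constructed sample config
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
GITHUB_TOKEN = "ghp_aB3dE5fG7hI9jK1lM2nO4pQ6rS8tU0vWxyz1"
SESSION_SECRET = "aB3dE5fG7hI9jK1lM2nO4pQ6rS8tU0vW"
password = "password123"
BUILD_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
-----BEGIN RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if "--stdin" in sys.argv else SAMPLE
    for f in scan_text(text):
        extra = f" (H={f.entropy} bpc)" if f.entropy is not None else ""
        print(f"line {f.line}: {f.kind} {f.redacted}{extra} -> {f.blast_radius}")
```

Run it as-is to scan `SAMPLE`, or pipe history through it with `git log -p --all | python secrets_scan.py --stdin`: the `-p` diffs include removed lines, so a secret deleted from HEAD still surfaces (line numbers then refer to the log stream, not the file). The 32-character `SESSION_SECRET` uses 32 distinct characters and therefore scores exactly 5.0 bpc, while the SHA-256 digest stays at or below 4.0 bpc, which is the hex limitation noted above.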
Pattern Coverage
| Category | Providers |
|---|---|
| Cloud | AWS, Azure, GCP, DigitalOcean |
| AI / ML | Anthropic, OpenAI, Groq, HuggingFace, Cohere |
| Version Control | GitHub (5 token types), GitLab |
| Payment | Stripe, Square, Braintree |
| Communications | Slack (4 types), Twilio, SendGrid, Mailgun |
| Cryptographic Keys | RSA, EC, OpenSSH, PGP, PKCS#8, JWT |
| Database | MongoDB, PostgreSQL, MySQL, Redis |
| Generic | Hardcoded passwords, Bearer tokens, Basic Auth URLs |
Why Secrets Detection?
Every other vulnerability class requires exploitation. A hardcoded secret is already a breach: an attacker finds it, uses it, and within seconds is authenticated as the legitimate owner, so their activity is indistinguishable from normal use in your logs.
Built by Omar Rao - Engineer, Data Resilience, Cybersecurity and Privacy