
v3.0.0 - Secrets Detection Engine


OmarRao released this 16 Jun 16:33

Secrets Detection Engine

The most critical capability for any organisation - a hardcoded secret is the breach.

What's New

  • 60+ regex patterns across 10 provider categories (Cloud, AI/ML, Version Control, Payment, Communications, Cryptographic Keys, Database, Generic)
  • Git history scan - catches secrets deleted from HEAD that still live in every past commit and every clone
  • Shannon entropy analysis (4.6 bpc threshold) - detects generic secrets with no known pattern
  • Blast radius assessment - every finding explains exactly what an attacker gains
  • Secret redaction - only first 6 chars shown, full values never stored
  • Integrated into main scan pipeline - runs automatically on every repo scan
  • Standalone dashboard panel - scan any path or GitHub URL independently
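As an added illustration of how the pattern, entropy and redaction pieces listed above fit together, here is a small Python scanner written for these notes. It is not the release's own code: the 4.6 bpc threshold and the six visible characters come from the release notes, while the pattern set (three hypothetical entries standing in for the 60+ shipped), the blast-radius wording and the sample config are assumptions constructed for the example.

```python
from __future__ import annotations

import math
import re
from collections import Counter
from dataclasses import dataclass

# Values taken from the release notes.
ENTROPY_THRESHOLD_BPC = 4.6   # generic secrets flagged at or above this entropy
VISIBLE_PREFIX = 6            # only the first 6 characters of a finding are shown
MIN_TOKEN_LEN = 20            # assumption: shorter tokens are not entropy candidates

# Hypothetical, deliberately small pattern set standing in for the engine's 60+ patterns.
# Each entry: (kind, regex matching just the secret, what an attacker gains from it).
PATTERNS = [
    ("AWS access key ID", re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
     "API access to the AWS account with this key's IAM permissions"),
    ("Private key block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
     "Impersonation of whatever identity this key authenticates"),
    ("Bearer token", re.compile(r"(?<=\bBearer )[A-Za-z0-9._~+/-]{20,}=*"),
     "Every API call the token's scopes allow, as the token's owner"),
]
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=_-]{%d,}" % MIN_TOKEN_LEN)


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str
    redacted: str        # the redacted form is the only copy of the value kept
    blast_radius: str


def shannon_entropy(s: str) -> float:
    """Bits per character: -sum(p * log2 p) over the character frequencies of s."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def redact(secret: str) -> str:
    """Keep the first VISIBLE_PREFIX characters and the length, drop the rest."""
    return f"{secret[:VISIBLE_PREFIX]}...[{len(secret)} chars]"


def scan_text(text: str) -> list[Finding]:
    """Pattern matches first, then entropy over any long token a pattern did not explain."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        covered: list[tuple[int, int]] = []
        for kind, rx, impact in PATTERNS:
            for m in rx.finditer(line):
                covered.append(m.span())
                findings.append(Finding(line_no, kind, redact(m.group(0)), impact))
        for m in TOKEN_RE.finditer(line):
            start, end = m.span()
            if any(s <= start and end <= e for s, e in covered):
                continue  # already reported by a known-provider pattern
            token = m.group(0)
            if shannon_entropy(token) >= ENTROPY_THRESHOLD_BPC:
                findings.append(Finding(
                    line_no, "High-entropy string", redact(token),
                    "Unknown credential type; treat as live until proven otherwise"))
    return findings


# Constructed sample config; none of these values are real credentials.
SAMPLE_CONFIG = """\
# constructed sample config for the example
AWS_ACCESS_KEY_ID = "AKIAEXAMPLE012345678"
AUTH_HEADER = "Bearer eyJhbGciOiJIUzI1NiJ9.constructedpayload.signature"
DB_PASSWORD = "0123456789abcdefghijklmnopqrstuv"
PLACEHOLDER_TOKEN = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
BUILD_TAG = "release-candidate-2024-06"
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_CONFIG):
        print(f"line {f.line_no}: {f.kind} {f.redacted} -> {f.blast_radius}")
```

Two things the sample is built to show: the constructed AWS key has only about 3.98 bpc, so the entropy check alone would miss it and the provider pattern is what catches it, while the 32-distinct-character password has exactly 5.0 bpc and is caught with no pattern at all; the all-x placeholder (0 bpc) and the version tag (about 3.7 bpc) stay quiet. The same `scan_text` can be pointed at the text of `git log -p` output to approximate the history scan described above, since a secret removed from HEAD still appears in the diff that introduced it.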

Pattern Coverage

| Category | Providers |
| --- | --- |
| Cloud | AWS, Azure, GCP, DigitalOcean |
| AI / ML | Anthropic, OpenAI, Groq, HuggingFace, Cohere |
| Version Control | GitHub (5 token types), GitLab |
| Payment | Stripe, Square, Braintree |
| Communications | Slack (4 types), Twilio, SendGrid, Mailgun |
| Cryptographic Keys | RSA, EC, OpenSSH, PGP, PKCS#8, JWT |
| Database | MongoDB, PostgreSQL, MySQL, Redis |
| Generic | Hardcoded passwords, Bearer tokens, Basic Auth URLs |

Why Secrets Detection?

Every other vulnerability class requires exploitation. A hardcoded secret is already a breach - an attacker finds it, uses it, and they are authenticated and invisible in your logs within seconds.

Built by Omar Rao - Engineer, Data Resilience, Cybersecurity and Privacy