Credential-handling risk report for vxcontrol/pentagi
phantomcreds detected repo-level code or deployment patterns that warrant maintainer review.
| Metric | Value |
|---|---|
| Scan date | 2026-05-21 |
| Composite score | 0.350 |
| Findings | 1 |
| Issue-worthy findings | 1 |
| Discovery sources | secret-path-deepseek-env |
| Exposed secret indicators | [REDACTED:postgres://${PENTAGI_POSTGRES_USER:[REDACTED:-postg...res}]@pgvector:5432/${PENTAGI_POSTGRES_DB:-pentagidb}?sslmode, [REDACTED:postgres://postgres:[REDACTED:[REDACTED]]@localhost:5432/pentagidb?sslmode, [REDACTED:postgresql://${PENTAGI_POSTGRES_USER:[REDACTED:-postg...res}]@pgvector:5432/${PENTAGI_POSTGRES_DB:-pentagidb}?sslmode |
Detected finding types: exposed_secret
Secret-bearing credential material appears committed in current repository files
- Severity: high
- Confidence: confirmed
- Summary: Current repository files appear to contain committed API keys or webhook-style credential material. 9 redacted secret indicators were found in fetched repository files. Evidence is redacted in the report output.
Evidence:
README.md:2447 - [REDACTED:postgres://postgres:[REDACTED:[REDACTED]]@localhost:5432/pentagidb?sslmode=disable)]`
docker-compose.yml:132 - [REDACTED:postgres://${PENTAGI_POSTGRES_USER:[REDACTED:-postg...res}]@pgvector:5432/${PENTAGI_POSTGRES_DB:-pentagidb}?sslmode=disable]
docker-compose.yml:227 - [REDACTED:postgresql://${PENTAGI_POSTGRES_USER:[REDACTED:-postg...res}]@pgvector:5432/${PENTAGI_POSTGRES_DB:-pentagidb}?sslmode=disable]
.vscode/launch.json:14 - [REDACTED:postgres://postgres:[REDACTED:[REDACTED]]@localhost:5432/pentagidb?sslmode=disable",]
.vscode/launch.json:134 - [REDACTED:postgres://postgres:[REDACTED:[REDACTED]]@localhost:5432/pentagidb?sslmode=disable",]
.vscode/launch.json:155 - [REDACTED:postgres://postgres:[REDACTED:[REDACTED]]@localhost:5432/pentagidb?sslmode=disable",]
backend/cmd/installer/files/links/docker-compose-langfuse.yml:40 - [REDACTED:postgresql://${LANGFUSE_POSTGRES_USER:[REDACTED:-postg...res}]@langfuse-postgres:5432/${LANGFUSE_POSTGRES_DB:-langfuse}]
backend/cmd/installer/files/links/docker-compose.yml:132 - [REDACTED:postgres://${PENTAGI_POSTGRES_USER:[REDACTED:-postg...res}]@pgvector:5432/${PENTAGI_POSTGRES_DB:-pentagidb}?sslmode=disable]
backend/cmd/installer/files/links/docker-compose.yml:227 - [REDACTED:postgresql://${PENTAGI_POSTGRES_USER:[REDACTED:-postg...res}]@pgvector:5432/${PENTAGI_POSTGRES_DB:-pentagidb}?sslmode=disable]
LLM Fix Guide
Recommended remediation order:
- Revoke or rotate the exposed credential(s): [REDACTED:postgres://${PENTAGI_POSTGRES_USER:[REDACTED:-postg...res}]@pgvector:5432/${PENTAGI_POSTGRES_DB:-pentagidb}?sslmode, [REDACTED:postgres://postgres:[REDACTED:[REDACTED]]@localhost:5432/pentagidb?sslmode, [REDACTED:postgresql://${PENTAGI_POSTGRES_USER:[REDACTED:-postg...res}]@pgvector:5432/${PENTAGI_POSTGRES_DB:-pentagidb}?sslmode.
- Remove the committed secret material from the current default branch and replace it with environment-variable or secret-manager loading.
- If the secret existed in prior commits, rewrite history or invalidate the old credential so historical clones are harmless.
- Add secret-bearing files to .gitignore and provide a safe template file such as .env.example instead of live credentials.
Suggested prompt for an LLM coding assistant:
Remove the exposed credential material from this repository without breaking runtime configuration.
Replace committed secrets with environment-variable loading or secret-manager integration.
Add or update ignore rules so secret-bearing files are not recommitted.
Preserve existing behavior, but migrate any checked-in .env, private-key, or service-account material to safe templates.
Assume the scanner evidence came from current files on the default branch, not from a full git-history scan.
Show the exact files changed and include a short post-fix verification checklist.
This report is based on current files fetched from the repository's default branch at scan time.
It does not by itself prove that older commits are clean or compromised.
This scan is evidence-first and probabilistic. It is not an accusation of malicious intent.
If any finding is incorrect or outdated, please reply with corrected context and exact file references.
Automated by phantomcreds.
Project repo · Created by James Sawyer at JS Labs.