Secu Platform Documentation

Secret Detection

The secret detection scanner analyses repository contents for accidentally committed credentials, API keys, certificates, and other sensitive material. It runs automatically on every analysis and reports findings with sanitised output — actual secret values are never exposed in results.

What it detects

The scanner recognises secret patterns across major categories:

Cloud provider credentials

AWS access keys and secret keys, Azure storage keys and connection strings, Google Cloud service account keys, DigitalOcean and Heroku API tokens.

Authentication tokens

GitHub personal access tokens, GitLab access tokens, Slack bot and app tokens, JWTs, and generic bearer tokens.

API keys

Stripe secret and publishable keys, Twilio credentials, SendGrid API keys, and other third-party service keys.

Database credentials

Connection strings for MongoDB, PostgreSQL, MySQL, Redis, and Elasticsearch that include embedded passwords.

Cryptographic keys

SSH private keys (RSA, DSA, ECDSA), PEM-encoded TLS certificates, and PGP/GPG private key blocks.

How it works

When an analysis is triggered, the scanner downloads the repository archive, extracts it into a temporary directory, and runs a pattern-based scan across all text files. The scan operates on the working tree without requiring a Git history — it analyses the current state of every file.

Each finding includes the file path, line number, the rule that matched, and an entropy score indicating the randomness of the detected value. File paths are automatically converted to repository URLs so findings link directly to the relevant source code.

All actual secret values are replaced with masked placeholders before results are stored or displayed. Source code is deleted from the worker immediately after scanning completes.

Output

Each finding in the report contains:

  • File — a direct link to the file and line in the repository
  • Rule — the identifier of the pattern that matched (e.g. aws-access-token)
  • Line range — the start and end line where the secret was found
  • Entropy — a Shannon entropy score indicating how random the matched value is
  • Fingerprint — a unique identifier for deduplication across successive scans
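As an added illustration (not the platform's own code), the following minimal Python scanner produces findings in the shape described in the two sections above: a rule match with its file and line, a Shannon entropy score, a masked value, and a stable fingerprint for deduplication across scans. The rule set, the sample file contents and the fingerprint scheme are assumptions constructed for this example.

```python
import hashlib
import math
import re

# Constructed sample repository contents (no real credentials; the AKIA value is the documented AWS example placeholder).
SAMPLE_FILES = {
    "config/settings.py": (
        "DEBUG = True\n"
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
        "DATABASE_URL = 'postgres://app:s3cr3tP4ss@db.internal:5432/app'\n"
    ),
    "README.md": "Run `make test` before opening a pull request.\n",
}

# Hypothetical rule set: rule id -> regex with a named group for the secret value.
RULES = {
    "aws-access-token": re.compile(r"\b(?P<secret>AKIA[0-9A-Z]{16})\b"),
    "postgres-connection-string": re.compile(
        r"postgres(?:ql)?://[^:\s/]+:(?P<secret>[^@\s]+)@"),
}

def shannon_entropy(value: str) -> float:
    """Bits per character; random-looking tokens score higher than words."""
    n = len(value)
    return -sum(value.count(c) / n * math.log2(value.count(c) / n) for c in set(value))

def mask(secret: str) -> str:
    """Keep a short prefix only, so stored results never contain the full value."""
    return secret[:4] + "*" * (len(secret) - 4) if len(secret) > 4 else "****"

def fingerprint(path: str, rule_id: str, secret: str) -> str:
    """Stable id derived from the raw value; lets successive scans deduplicate."""
    return hashlib.sha256(f"{path}:{rule_id}:{secret}".encode()).hexdigest()[:16]

def scan(files: dict) -> list:
    """Return sanitised findings: file, line, rule, masked value, entropy, fingerprint."""
    findings = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            for rule_id, pattern in RULES.items():
                for m in pattern.finditer(line):
                    secret = m.group("secret")
                    findings.append({
                        "file": path, "line": lineno, "rule": rule_id,
                        "value": mask(secret),
                        "entropy": round(shannon_entropy(secret), 2),
                        "fingerprint": fingerprint(path, rule_id, secret),
                    })
    return findings
```

The fingerprint is computed from the raw value but only its hash is stored, so the report can detect a secret that moved between lines while still never containing the value itself.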