Secret Detection

Your secrets belong
in a vault, not in code.

Hardcoded secrets are the #1 cause of data breaches. codelake finds them before attackers do.

From AWS keys to Stripe tokens, from Firebase credentials to high-entropy strings — codelake scans your entire repository, commit history, and CI/CD pipelines to surface every secret that should never have been committed.


$ codelake scan --secrets .

▸ Secret detection running...
  Scanning 1,847 files + 12,400 commits
  Pattern matching (50+ key formats)...
  Entropy analysis for unknown types...

CRITICAL  AWS Secret Access Key
  ↳ config/aws.js:12 · Last rotated: never
CRITICAL  Stripe Live Secret Key
  ↳ .env.production:8 · Committed in abc123f
HIGH      GitHub Personal Access Token
  ↳ scripts/deploy.sh:24 · Full repo scope
HIGH      High-entropy string (likely API key)
  ↳ src/services/api.ts:7 · Shannon entropy: 4.8

✓ 8 secrets found · 3 critical · 4 high · 1 medium

What We Detect

50+ secret types. Every major provider.

codelake recognizes specific key formats for all major cloud providers, SaaS platforms, and payment processors — plus catches unknown secrets with entropy analysis.

  • AWS: Access Key ID, Secret Access Key, Session Token, MWS Auth Token
  • Google Cloud: Service Account Key, API Key, OAuth Client Secret, Firebase Config
  • Azure: Storage Account Key, Connection String, Service Principal, SAS Token
  • Stripe: Live/Test Secret Key, Publishable Key, Restricted Key, Webhook Secret
  • GitHub: Personal Access Token, OAuth Token, App Private Key, Deploy Key
  • OpenAI: API Key, Organization Key, Project Key
  • Twilio: Account SID, Auth Token, API Key, API Secret
  • SendGrid: API Key, SMTP Password
  • Database: MySQL, PostgreSQL, MongoDB, Redis connection strings with credentials
  • SSH & Certificates: Private Keys (RSA, DSA, ECDSA, Ed25519), PEM certificates, PKCS8
  • JWT & OAuth: JWT Signing Secrets, OAuth Client Secrets, Bearer Tokens, Refresh Tokens
  • High-Entropy Strings: Unknown key formats detected via Shannon entropy analysis for novel or custom secrets

How Detection Works

Three layers of detection. Near-zero false positives.

codelake combines pattern matching, entropy analysis, and contextual verification to find real secrets while filtering out test values, documentation examples, and placeholders.

Pattern Matching

Regular expressions tuned for each provider's key format. AWS keys start with AKIA, Stripe live keys start with sk_live_, GitHub tokens start with ghp_ — codelake knows them all.

AKIAIOSFODNN7EXAMPLE

sk_live_4eC39HqLyjWDarjtT1zdp7dc

ghp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Entropy Analysis

For unknown secret types, Shannon entropy analysis identifies high-randomness strings that look like API keys, tokens, or passwords — even formats we haven't seen before.

  "hello_world"      entropy 2.1 · low
  "aB3$kL9mN2xQ..."  entropy 4.8 · high

Contextual Verification

Not every string that looks like a key is a real secret. codelake checks surrounding context — variable names, file locations, comments, and test markers — to filter out false positives.

  AWS_KEY = "AKIA..."       flagged · real secret
  // Example: AKIA...       filtered out

Git History Scanning

Deleted doesn't mean gone.

Removing a secret from your code doesn't remove it from git history. Every commit ever made still contains the secret — and attackers know exactly where to look.

  • Full commit history analysis

    Scans every commit, every branch, every merge — not just the current HEAD. Finds secrets that were committed and later removed.

  • Pre-commit hook integration

    Prevent secrets from ever being committed with codelake's pre-commit hook. Catches secrets before they enter your repository.

  • CI/CD pipeline scanning

    Block PRs that introduce new secrets. Integrates with GitHub Actions, GitLab CI, and Bitbucket Pipelines.
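As an added example, not codelake's own code (its rules are not published on this page), the following implements the three layers described under How Detection Works and the staged-diff check that a pre-commit hook or CI gate performs. The key prefixes (AKIA, sk_live_, ghp_) are the ones the page quotes; the full regexes, the 4.0 bits/char threshold and the placeholder markers are this example's assumptions, and the AKIAQ7... value in the constructed sample is made up.

```python
import math
import re
from collections import Counter
# Prefixes are the page's (AKIA, sk_live_, ghp_); regexes, threshold and markers are assumptions.
PATTERNS = {
    "AWS Access Key ID": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "Stripe Live Secret Key": re.compile(r"\bsk_live_[0-9A-Za-z]{24,}\b"),
    "GitHub Personal Access Token": re.compile(r"\bghp_[0-9A-Za-z]{36}\b"),
}
CANDIDATE = re.compile(r"[A-Za-z0-9_\-+/=]{20,}")  # entropy-layer candidates
ENTROPY_THRESHOLD = 4.0  # bits per character; the page calls 4.8 "high"
PLACEHOLDER_MARKERS = ("example", "placeholder", "dummy", "xxxx", "test")

def shannon_entropy(s: str) -> float:
    """Bits per character: low for words, log2(len) for an all-distinct random key."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def is_placeholder(line: str) -> bool:
    """Context layer: comment lines and example/test markers are not findings."""
    low = line.strip().lower()
    return low.startswith(("//", "#", "*")) or any(m in low for m in PLACEHOLDER_MARKERS)

def scan_line(line: str) -> list:
    """(secret_type, token) pairs on one line: patterns first, entropy as fallback."""
    if is_placeholder(line):
        return []
    hits = [(name, m.group()) for name, rx in PATTERNS.items() for m in rx.finditer(line)]
    if not hits:  # unknown formats: long key-like runs with high randomness
        hits = [("High-entropy string", m.group()) for m in CANDIDATE.finditer(line)
                if shannon_entropy(m.group()) >= ENTROPY_THRESHOLD]
    return hits

def scan_text(text: str) -> list:
    """Scan whole file contents; returns (line_no, secret_type, token)."""
    return [(i, n, t) for i, line in enumerate(text.splitlines(), 1) for n, t in scan_line(line)]

def scan_diff(diff: str) -> list:
    """Pre-commit/CI gate: scan only lines a unified diff adds (skip '+++' headers)."""
    added = [l[1:] for l in diff.splitlines() if l.startswith("+") and not l.startswith("+++ ")]
    return [(n, t) for line in added for n, t in scan_line(line)]

# Constructed sample file; the AKIAQ7... value is made up, not a live key.
SAMPLE = """\
const AWS_KEY = "AKIAQ7R2TX9K3M5P8W1L";
// Example: AKIAIOSFODNN7EXAMPLE
STRIPE_SECRET=sk_live_4eC39HqLyjWDarjtT1zdp7dc
API_KEY = "aB3kL9mN2xQ7pR4sT8vW1yZ5cD6fG0hJ"
greeting = "hello_world_hello_world_hello"
"""
```

Running scan_text(SAMPLE) reports the AWS key, the Stripe key and the 32-character API_KEY (entropy 5.0), while the commented example key and the repetitive greeting string are filtered; feeding `git diff --cached -U0` output to scan_diff gives a hook the same verdict on staged lines only.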

Secret Timeline

March 12, 2025 · commit a3f8c2d

Secret committed

AWS_SECRET_KEY added to config/aws.js

March 14, 2025 · commit 7b2e1a9

Secret removed from code

Deleted from config/aws.js — still in git history

March 15, 2025 · codelake scan

Secret detected by codelake

Found in commit a3f8c2d · Alert sent

March 15, 2025 · manual action

Secret rotated

Old key revoked, new key stored in AWS Secrets Manager

Rotation Tracking

Track secret age and rotation status.

Finding a secret is just the first step. codelake tracks when each secret was first committed, whether it's been rotated, and how long it's been since the last rotation.

Age Tracking

Know exactly how long each secret has been exposed. Secrets older than 90 days are automatically flagged as high priority for rotation.

Rotation Reminders

Automated reminders when secrets approach your defined rotation policy. Integrates with Slack and email for timely notifications.

Secret Inventory

A complete inventory of every secret ever found across all your repositories — with status (active, rotated, revoked), location, and ownership.

Stop leaking secrets. Start scanning today.

Find every hardcoded secret in your codebase in under 2 minutes. Includes git history scanning and pre-commit hooks. No credit card required.