Triage & Response
Every secret.
Accounted for.
A central console for every secret detected across your codebase. Categorized, tracked, and monitored for rotation compliance.
Finding secrets is step one. Managing them is step two. codelake gives you a unified view of every API key, credential, token, and private key — with rotation tracking and re-verification after rotation.
Overdue rotation: 8 · Due soon: 12 · Compliant: 27
AWS_SECRET_ACCESS_KEY · prod/config.env · 241 days old
STRIPE_SECRET_KEY · payments/env.js · 180 days old
GITHUB_TOKEN · ci/.github/workflows · 12 days old
Secrets Console
One place for all your secrets.
The Secrets Console gives you a bird's-eye view of every hardcoded secret across your entire organization. Filter by project, type, rotation status, or age. Drill into any secret to see where it's used, who owns it, and when it was last rotated.
| Secret | Type | Project | Location | Age | Rotation Status |
|---|---|---|---|---|---|
| AWS_SECRET_ACCESS_KEY | Infrastructure | acme-api | prod/config.env:3 | 241d | OVERDUE |
| STRIPE_SECRET_KEY | API Key | payments-svc | env.js:12 | 180d | OVERDUE |
| DB_PASSWORD | Database | user-svc | docker-compose.yml:8 | 82d | DUE SOON |
| GITHUB_TOKEN | OAuth Token | ci-pipeline | .github/workflows:15 | 12d | OK |
| RSA_PRIVATE_KEY | Private Key | auth-svc | certs/server.key:1 | 67d | DUE SOON |
Secret Categories
Categorized by type. Prioritized by risk.
codelake recognizes and categorizes 50+ secret formats. Each category has its own risk profile, recommended rotation policy, and remediation guidance.
API Keys
AWS, GCP, Azure, Stripe, Twilio, SendGrid, OpenAI, Firebase, and 30+ more API key formats. Each validated for format correctness.
Recommended rotation: 90 days
Database Credentials
MySQL, PostgreSQL, MongoDB, Redis connection strings and passwords. Detects credentials in config files, environment variables, and Docker compose files.
Recommended rotation: 60 days
Private Keys
RSA, ECDSA, Ed25519 private keys, PEM certificates, and PKCS#12 keystores. Highest risk category — immediate rotation recommended.
Recommended rotation: Immediately
OAuth Tokens
GitHub, GitLab, Slack, Google OAuth tokens and refresh tokens. Monitors for token expiration and scope overprivilege.
Recommended rotation: On expiry or 90 days
Infrastructure Secrets
Terraform state secrets, Kubernetes secrets in manifests, Docker registry auth, CI/CD pipeline tokens, and infrastructure automation credentials.
Recommended rotation: 90 days
High-Entropy Strings
Strings with high Shannon entropy that may be secrets but don't match known formats. Manual review recommended to reduce false positives.
Manual classification required
Rotation Tracking
Track rotation. Verify the fix.
Secret rotation isn't complete until the old secret is gone and the new one is verified. codelake tracks the full lifecycle — detection, rotation, re-verification — and alerts you if the old secret reappears.
Rotation Policies
Set rotation policies per secret category. 90 days for API keys, 60 days for database credentials, immediate for private keys.
Expiry Alerts
Get notified 14 days, 7 days, and 1 day before a secret's rotation deadline. Escalate overdue secrets to team leads.
Re-Verification
After rotation, codelake re-scans to verify the old secret is removed and the new one isn't hardcoded. Rotation isn't done until re-verified.
Cross-Environment Detection
Detect when the same secret is used across multiple environments (prod, staging, dev). Flag shared secrets for immediate rotation.
Secret Detected
Jan 15, 2026 · AWS_SECRET_ACCESS_KEY in prod/config.env
Rotation Reminder Sent
Apr 2, 2026 · 14 days before 90-day deadline
Secret Rotated
Apr 10, 2026 · New key generated by sarah@acme.io
Re-Verification Passed
Apr 10, 2026 · Old key not found. New key not hardcoded.
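The re-verification and cross-environment checks described above can be sketched as follows. This is an added example, not codelake's own code. It assumes secrets appear as `KEY=value` lines and are compared by SHA-256 fingerprint; the `staging/config.env` path, the secret values and all function names are constructed for illustration.

```python
import hashlib
import re

# Assumption: a candidate secret is the value of a KEY=value line, 16+ characters.
ASSIGNMENT = re.compile(
    r"^\s*[A-Z][A-Z0-9_]*\s*=\s*['\"]?([^\s'\"]{16,})['\"]?\s*$", re.M)

def fingerprint(value):
    """SHA-256 of a value, so the tracker stores no secret plaintext."""
    return hashlib.sha256(value.encode()).hexdigest()

def index_tree(files):
    """Map fingerprint -> sorted paths where that value is hardcoded."""
    seen = {}
    for path, text in files.items():
        for match in ASSIGNMENT.finditer(text):
            seen.setdefault(fingerprint(match.group(1)), set()).add(path)
    return {fp: sorted(paths) for fp, paths in seen.items()}

def reverify(files, old_fp, new_fp):
    """Pass only if the old value is gone and the new one is not hardcoded."""
    index = index_tree(files)
    old_hits, new_hits = index.get(old_fp, []), index.get(new_fp, [])
    return {"passed": not old_hits and not new_hits,
            "old_still_present": old_hits, "new_hardcoded": new_hits}

def shared_across_files(files):
    """Fingerprints hardcoded in more than one file (e.g. prod and staging)."""
    return {fp: p for fp, p in index_tree(files).items() if len(p) > 1}

# Constructed sample values and trees; these are not real credentials.
OLD, NEW = "constructed-old-value-0001", "constructed-new-value-0002"
BEFORE = {"prod/config.env": f"AWS_SECRET_ACCESS_KEY={OLD}\n",
          "staging/config.env": f"AWS_SECRET_ACCESS_KEY='{OLD}'\n"}
AFTER_CLEAN = {"prod/config.env": "AWS_REGION=us-east-1\n"}
AFTER_LEAKY = {"prod/config.env": f"AWS_SECRET_ACCESS_KEY={NEW}\n",
               "staging/config.env": f"AWS_SECRET_ACCESS_KEY={OLD}\n"}

if __name__ == "__main__":
    print(shared_across_files(BEFORE))
    print(reverify(AFTER_CLEAN, fingerprint(OLD), fingerprint(NEW)))
    print(reverify(AFTER_LEAKY, fingerprint(OLD), fingerprint(NEW)))
```

The leaky tree fails on both counts: the old value survives in the staging file and the replacement was pasted straight back into the prod file.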
Stop leaving secrets unmanaged.
codelake detects, categorizes, and tracks every secret in your codebase. With rotation policies, expiry alerts, and re-verification — no secret falls through the cracks.