loading
Loading content
loading
Also known as secret detection
Secrets scanning hunts for credentials that ended up where they should not: an API key committed to a repository, a database password baked into a config file, a cloud access token left in a build log. Scanners match against regex patterns for known key formats (AWS keys start with AKIA, Slack tokens with xoxb-), measure string entropy to catch random-looking secrets, and crucially walk git history, since a secret deleted in the latest commit still lives in earlier ones.
This matters because a leaked key is a working credential an attacker can use directly. No exploit chain required: they find the token, authenticate, and move. Public repositories get scraped within minutes of a push, so the window between commit and abuse is short. Finding and revoking the secret first is the only reliable fix, since the exposed value must be treated as burned.
Secrets surface across many surfaces, which is why scanning pairs with image scanning and broader container security for layers and environments, with metadata analysis for embedded data, and with google dorking for keys indexed on the public web.
In Trickest you can scan repositories, images, and crawled pages in one workflow, then route any hit to an alert so the owning team revokes the credential fast.
Related terms