Detect Secrets, Keys, and Exposed Credentials in Code

Secrets detection scans source code and git history for exposed credentials — API keys, tokens, passwords, private keys, database connection strings, and other sensitive data that should never exist in code. A single leaked secret can lead to unauthorized access, data breaches, and financial loss.

What Are Secrets in Code?

Secrets are sensitive credentials embedded in source code: API keys, OAuth tokens, database passwords, private SSH keys, cloud provider credentials (AWS, GCP, Azure), Slack webhooks, Stripe keys, and connection strings. They are often committed accidentally and persist in git history even after deletion.

Why Secrets Leak

Developers hardcode credentials during development and forget to remove them. Secrets end up in .env files that get committed, in configuration files, test fixtures, documentation examples, and even in comments. Git history preserves every version, so a secret committed and immediately deleted is still recoverable.

How Traqen Detects Secrets

Traqen uses Gitleaks to scan the entire git history, not just the latest commit. It matches over 100 known secret patterns including provider-specific patterns (AWS keys, GitHub tokens, Stripe keys). Scanning runs in ephemeral containers with no persistent code storage.
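To make the two points above concrete (provider-specific patterns, and scanning every commit rather than only HEAD), here is a minimal history-aware scanner written for this page. It is an added example, not Traqen's or Gitleaks' code; the three patterns are simplified versions of public key formats, and the sample history is constructed. The `git log -p --all` call is assumed to be run against a local checkout.

```python
import re
import subprocess

# Simplified provider-specific patterns (constructed for illustration; Gitleaks ships many more).
PATTERNS = {
    "aws-access-key-id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github-pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "stripe-live-secret": re.compile(r"\bsk_live_[0-9A-Za-z]{24,}\b"),
}

def mask(secret: str) -> str:
    """Keep only a short prefix so findings can be shared without re-leaking the value."""
    return secret[:6] + "..." + "*" * 4

def scan_patch_text(patch: str) -> list[tuple[str, str, str]]:
    """Scan `git log -p --all` style output and return (rule, commit, masked_secret).
    Only added lines are checked, but every commit in the history is examined, so a
    secret that was deleted in a later commit is still reported."""
    findings, commit = [], "unknown"
    for raw in patch.splitlines():
        if raw.startswith("commit "):
            commit = raw.split()[1][:12]
        elif raw.startswith("+") and not raw.startswith("+++"):
            for rule, rx in PATTERNS.items():
                for m in rx.finditer(raw[1:]):
                    findings.append((rule, commit, mask(m.group(0))))
    return findings

def scan_git_history(repo_path: str) -> list[tuple[str, str, str]]:
    """Run the scanner over the full history of every ref, not just HEAD."""
    log = subprocess.run(["git", "-C", repo_path, "log", "-p", "--all", "--no-color"],
                         capture_output=True, text=True, check=True).stdout
    return scan_patch_text(log)

# Constructed sample history: commit 1111... leaks two keys into .env, commit 2222...
# "removes" the AWS key, but the first commit still holds it.
SAMPLE_HISTORY = """commit 1111111111111111111111111111111111111111
+++ b/.env
+AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
+STRIPE_KEY=sk_live_ABCDEFGHIJKLMNOPQRSTUVWX
commit 2222222222222222222222222222222222222222
+++ b/.env
-AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
+AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID}
"""

if __name__ == "__main__":
    for rule, commit, masked in scan_patch_text(SAMPLE_HISTORY):
        print(f"{commit}  {rule:20s}  {masked}")
```

Note that the second commit's "fix" does nothing for the leak: the key remains in the first commit's objects, which is why rotation, not deletion, is the remedy.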

What to Do When Secrets Are Found

Rotate the exposed credential immediately and treat it as compromised. Revoke and regenerate the key or token, then check access logs for unauthorized usage. Finally, fix the code to load the value from environment variables or a secrets manager instead of a hardcoded string.

Frequently Asked Questions

Detected secret types include API keys, OAuth tokens, database passwords, SSH private keys, AWS credentials, GCP service account keys, Azure connection strings, Stripe keys, Slack webhooks, and over 100 other patterns.

Yes, secrets that were committed and later deleted are still found: Gitleaks scans the full git history, and even after the file or line is removed, the earlier commits still hold the secret in git objects.

Rotate the credential immediately. Revoke the compromised key, generate a new one, and update your application to use it from environment variables or a secrets manager.

Traqen scans after commit. To block secrets before they are committed, run Gitleaks as a pre-commit hook and keep Traqen for continuous monitoring of the repository.
