Secret Detection

Detect and prevent hardcoded credentials and API keys in your codebase.

Secret detection identifies hardcoded credentials, API keys, tokens, passwords, and private keys in your source code and commit history. Exposed secrets are one of the most common causes of security breaches — PrismSec catches them before they reach production.

What Secret Detection Finds

PrismSec scans for a wide range of secret types:

Cloud Provider Credentials

| Provider | Secret Types |
|----------|--------------|
| AWS | Access keys, secret keys, session tokens, STS tokens |
| Google Cloud | Service account keys, OAuth tokens, API keys |
| Azure | Storage account keys, SAS tokens, service principal credentials |
| DigitalOcean | API tokens, Spaces access keys |
| Heroku | API keys, OAuth tokens |

Third-Party API Keys

| Service | Secret Types |
|---------|--------------|
| Stripe | Secret keys, publishable keys, restricted keys |
| Twilio | Account SIDs, Auth tokens, API keys |
| SendGrid | API keys |
| Slack | Bot tokens, OAuth tokens, webhooks |
| GitHub | Personal access tokens, OAuth tokens, SSH keys |
| GitLab | Personal access tokens, CI/CD tokens |
| Mailchimp | API keys |
| Algolia | API keys, admin keys |

Database Credentials

  • PostgreSQL connection strings
  • MySQL/MariaDB passwords
  • MongoDB connection strings
  • Redis passwords
  • Elasticsearch credentials

Private Keys

  • SSH private keys (RSA, Ed25519, ECDSA)
  • PGP private keys
  • SSL/TLS private keys
  • JWT signing keys

Generic Secrets

  • Passwords in configuration files
  • Bearer tokens
  • OAuth client secrets
  • Webhook secrets
  • Encryption keys

How Secret Detection Works

PrismSec uses a multi-layered approach to detect secrets:

1. Provider-Specific Patterns

PrismSec maintains a database of known secret formats for popular services:

Example patterns:

  • AWS Access Key: AKIA[0-9A-Z]{16}
  • Stripe Secret Key: sk_live_[0-9a-zA-Z]{24}
  • GitHub Personal Access Token: ghp_[0-9a-zA-Z]{36}

These patterns are regularly updated to match new secret formats.

2. Entropy Analysis

For generic secrets (passwords, custom API keys), PrismSec uses entropy analysis to detect high-randomness strings:

# High entropy (likely a secret)
api_key = "xk7f9Gh3Lm2Qp8Nz1Vc5Wd4Rt6Ys0"
 
# Low entropy (not a secret)
api_key = "my-api-key-placeholder"

Entropy is measured in bits — strings with entropy > 4.5 bits are flagged as potential secrets.

3. Commit History Scanning

PrismSec scans not just the current code, but also commit history to find secrets that were committed and later removed:

  • Scans the last 100 commits by default (configurable)
  • Detects secrets that were added in old commits and removed in newer ones
  • Flags even secrets that no longer exist in the current codebase

Once a secret is committed to Git, it remains in the repository history permanently — even if deleted in a later commit. Always rotate exposed secrets immediately.
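The history-scanning layer described above can be modelled on the output of `git log -p`: walk the patch stream oldest-first, record every commit in which a secret-shaped string appears on an added (`+`) or removed (`-`) line, and report a secret whose last event is a removal as "gone from the working tree, still in history". The following is an added example written for this page, not PrismSec's own code. It uses only the AWS access key pattern from this page; the sample log text is constructed (the commit ids are made up, the key is the documented AWS example key), and the `git log` flags in `scan_repo_history` are the standard ones, assumed here to be how a scanner would collect the stream.

```python
import re
import subprocess

# Provider pattern from this page; a real scanner would carry the full pattern database.
AWS_ACCESS_KEY = re.compile(r"AKIA[0-9A-Z]{16}")
COMMIT_HEADER = re.compile(r"^commit ([0-9a-f]{7,40})")


def scan_history_text(log_text: str) -> list[dict]:
    """Parse `git log -p --reverse` output (oldest commit first) and track each secret's life."""
    events: dict[str, list[tuple[str, str]]] = {}  # secret -> [(commit, "added"|"removed"), ...]
    commit = None
    for line in log_text.splitlines():
        header = COMMIT_HEADER.match(line)
        if header:
            commit = header.group(1)
            continue
        # File-name markers also start with +++/---; they are not content changes.
        if line.startswith(("+++", "---")):
            continue
        if line.startswith(("+", "-")):
            action = "added" if line[0] == "+" else "removed"
            for key in AWS_ACCESS_KEY.findall(line):
                events.setdefault(key, []).append((commit, action))

    findings = []
    for key, history in events.items():
        findings.append({
            "rule": "AWS Access Key",
            "secret": f"{key[:4]}...{key[-4:]}",  # never echo the full value into a report
            "introduced_in": history[0][0],
            "still_present": history[-1][1] == "added",  # last event was not a removal
            "history": history,
        })
    return findings


def scan_repo_history(repo_path: str, depth: int = 100) -> list[dict]:
    """Collect the last `depth` commits (the page's default) and scan them."""
    log = subprocess.run(
        ["git", "-C", repo_path, "log", "-p", "--reverse", f"-n{depth}", "--no-color"],
        capture_output=True, text=True, check=True,
    ).stdout
    return scan_history_text(log)


# Constructed sample: a key is committed, then removed in the next commit.
SAMPLE_LOG = """\
commit a1b2c3d4e5f6a7b8c9d0a1b2c3d4e5f6a7b8c9d0
Author: Dev <dev@example.com>

    add s3 client

diff --git a/storage/s3.py b/storage/s3.py
--- /dev/null
+++ b/storage/s3.py
@@ -0,0 +1,2 @@
+import boto3
+s3 = boto3.client('s3', aws_access_key_id='AKIAIOSFODNN7EXAMPLE')
commit 0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c
Author: Dev <dev@example.com>

    remove hardcoded key

diff --git a/storage/s3.py b/storage/s3.py
--- a/storage/s3.py
+++ b/storage/s3.py
@@ -1,2 +1,2 @@
 import boto3
-s3 = boto3.client('s3', aws_access_key_id='AKIAIOSFODNN7EXAMPLE')
+s3 = boto3.client('s3', aws_access_key_id=os.environ['AWS_ACCESS_KEY_ID'])
"""

if __name__ == "__main__":
    for finding in scan_history_text(SAMPLE_LOG):
        print(finding)
```

The sample produces one finding with `still_present` false: the key is no longer in the tree, yet anyone who can clone the repository can read it from the first commit, which is why rotation is the only real fix.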

4. Context-Aware Filtering

PrismSec reduces false positives by analyzing context:

  • Placeholder values — Strings like "your-api-key-here" or "REPLACE_ME" are not flagged
  • Test fixtures — Secrets in test files are flagged but with lower severity
  • Comments — Secrets in comments are flagged (they may be documentation examples, but still risky)
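Layers 1, 2 and 4 above (provider patterns, entropy analysis, context-aware filtering) fit together in a single line scanner. The block below is an added example written for this page, not PrismSec's detection engine. The three regexes are the ones listed on this page; the placeholder marker list, the "test in the path" rule, the one-level severity downgrade for test files, and the reading of the 4.5 threshold as Shannon entropy in bits per character are all assumptions. The sample source is constructed (the AWS key is the documented AWS example key, the other values are invented).

```python
import math
import re
from collections import Counter

# Layer 1: provider-specific patterns (the three examples given on this page).
PROVIDER_PATTERNS = {
    "AWS Access Key": re.compile(r"AKIA[0-9A-Z]{16}"),
    "Stripe Secret Key": re.compile(r"sk_live_[0-9a-zA-Z]{24}"),
    "GitHub Personal Access Token": re.compile(r"ghp_[0-9a-zA-Z]{36}"),
}

# Layer 2: a quoted literal of 16+ characters assigned to a name is an entropy candidate.
ASSIGNMENT = re.compile(r"""(?P<name>[A-Za-z_]\w*)\s*[:=]\s*["'](?P<value>[^"']{16,})["']""")
ENTROPY_THRESHOLD = 4.5  # bits per character (assumed reading of entropy_threshold)

# Layer 4: values containing these markers are treated as placeholders (assumed list).
PLACEHOLDER_MARKERS = ("your-api-key-here", "replace_me", "placeholder", "changeme")

SEVERITY_ORDER = ["low", "medium", "high", "critical"]


def shannon_entropy(text: str) -> float:
    """Shannon entropy of the string in bits per character."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def is_placeholder(value: str) -> bool:
    lowered = value.lower()
    return any(marker in lowered for marker in PLACEHOLDER_MARKERS)


def redact(value: str) -> str:
    """Never echo a full secret into a report: keep only the ends."""
    if len(value) <= 12:
        return "***"
    return f"{value[:4]}...{value[-4:]}"


def downgrade(severity: str) -> str:
    """Drop severity by one level (used for test fixtures)."""
    return SEVERITY_ORDER[max(SEVERITY_ORDER.index(severity) - 1, 0)]


def scan_line(line: str, path: str, lineno: int) -> list[dict]:
    findings = []
    in_test_file = "test" in path.lower()  # assumed heuristic for "test fixture"

    def report(rule: str, value: str, severity: str) -> None:
        if in_test_file:
            severity = downgrade(severity)
        findings.append({"rule": rule, "file": path, "line": lineno,
                         "severity": severity, "secret": redact(value)})

    # Known formats win; comments are not special-cased, so secrets in them are still flagged.
    for rule, pattern in PROVIDER_PATTERNS.items():
        for match in pattern.finditer(line):
            report(rule, match.group(0), "critical")
    if findings:
        return findings

    # Generic secrets: placeholder filtering first, then the entropy threshold.
    m = ASSIGNMENT.search(line)
    if m and not is_placeholder(m.group("value")) \
            and shannon_entropy(m.group("value")) > ENTROPY_THRESHOLD:
        report("High-entropy string", m.group("value"), "high")
    return findings


def scan_source(source: str, path: str) -> list[dict]:
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        findings.extend(scan_line(line, path, lineno))
    return findings


# Constructed sample input covering each layer.
SAMPLE_SOURCE = """\
import boto3
s3 = boto3.client('s3', aws_access_key_id='AKIAIOSFODNN7EXAMPLE')
api_key = "xk7f9Gh3Lm2Qp8Nz1Vc5Wd4Rt6Ys0"
placeholder = "my-api-key-placeholder"
# token = "ghp_0123456789abcdefghijABCDEFGHIJklmnop"
password = "REPLACE_ME_WITH_REAL_VALUE"
"""

if __name__ == "__main__":
    for finding in scan_source(SAMPLE_SOURCE, "storage/s3.py"):
        print(finding)
```

Scanning the sample as `storage/s3.py` yields three findings (the AWS key on line 2, the high-entropy literal on line 3, the GitHub token inside the comment on line 5) and skips both placeholder values; scanning the same text as `tests/test_s3.py` keeps the findings but lowers each severity by one level.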

Example Findings

AWS Access Key

Vulnerable code:

import boto3
 
s3 = boto3.client(
    's3',
    aws_access_key_id='AKIAIOSFODNN7EXAMPLE',
    aws_secret_access_key='wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'
)

PrismSec finding:

🔴 Critical: Hardcoded AWS Secret Access Key

File: storage/s3.py
Line: 5-6

Description:
An AWS secret access key was found hardcoded in the source code.
If this code is pushed to a public repository or accessed by unauthorized users,
the credentials can be used to access your AWS resources, potentially leading to
data breaches, resource deletion, or unauthorized charges.

Detected Secret:
aws_secret_access_key: wJalrXUtn...EXAMPLEKEY

Recommendation:
1. Move credentials to environment variables
2. Rotate the exposed key immediately in the AWS Console
3. Use IAM roles for EC2/Lambda instead of hardcoded keys

Secure alternative:

import os

import boto3

s3 = boto3.client(
    's3',
    aws_access_key_id=os.environ['AWS_ACCESS_KEY_ID'],
    aws_secret_access_key=os.environ['AWS_SECRET_ACCESS_KEY']
)

Stripe API Key

Vulnerable code:

const stripe = require('stripe')('sk_live_51Hx8a2Abc123XyZ456');

PrismSec finding:

🔴 Critical: Hardcoded Stripe Secret Key

File: payments.js
Line: 1

Description:
A Stripe secret key was detected in the source code. This key grants full access
to your Stripe account, including the ability to create charges, refunds, and
access customer data.

Detected Secret:
sk_live_51Hx8a2Abc123XyZ456

Recommendation:
1. Move the key to an environment variable
2. Rotate the key in your Stripe dashboard immediately
3. Review your Stripe logs for unauthorized activity

Secure alternative:

const stripe = require('stripe')(process.env.STRIPE_SECRET_KEY);

Private SSH Key

Vulnerable code:

# deploy-config.yml
ssh_key: |
  -----BEGIN RSA PRIVATE KEY-----
  MIIEpAIBAAKCAQEA1234567890abcdef...
  -----END RSA PRIVATE KEY-----

PrismSec finding:

🔴 Critical: SSH Private Key in Configuration

File: deploy-config.yml
Line: 2-5

Description:
An RSA private key was found in the configuration file. This key grants
SSH access to your servers. If exposed, an attacker can access your infrastructure.

Detected Secret:
ssh_key (RSA private key, 2048-bit)

Recommendation:
1. Remove the private key from source code
2. Store the key securely (e.g., AWS Secrets Manager, HashiCorp Vault)
3. Reference the key by file path or environment variable
4. Regenerate the key pair and update authorized_keys on all servers

Auto-Fix Support

PrismSec can automatically fix many secret detection findings:

  • Move secrets to environment variables — Replaces hardcoded values with process.env.VAR_NAME or os.environ['VAR_NAME']
  • Add .env.example — Creates a template file with placeholder values
  • Update .gitignore — Ensures .env files are not committed

Example auto-fix:

# Before
- api_key = "xk7f9Gh3Lm2Qp8Nz1Vc5Wd4Rt6Ys0"
 
# After
+ api_key = os.environ.get('API_KEY')

New files:

# .env.example
API_KEY=your-api-key-here

After merging an auto-fix PR, you must set the environment variable in your deployment environment and rotate the exposed secret.
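The three auto-fix actions above (rewrite the assignment to read from the environment, emit a `.env.example` template, make sure `.gitignore` excludes `.env`) can be expressed as a small source transform. This is an added example written for this page, not PrismSec's auto-fix implementation; it assumes simple single-line `name = "literal"` Python assignments, derives the variable name by upper-casing the identifier, and inserts `import os` at the top of the file when it is missing (a real fixer would place it among the existing imports).

```python
import re

# One-line string assignment; the closing quote must match the opening one (\3).
ASSIGN = re.compile(
    r'''^(?P<indent>\s*)(?P<name>[A-Za-z_]\w*)\s*=\s*(["'])(?P<value>[^"']{16,})\3\s*$'''
)


def auto_fix(source: str, secret_lines: list[int]) -> tuple[str, str]:
    """Rewrite the given 1-based lines to read from the environment.

    Returns (fixed_source, env_example_contents).
    """
    lines = source.splitlines()
    env_names = []
    for lineno in secret_lines:
        m = ASSIGN.match(lines[lineno - 1])
        if not m:
            continue  # not a plain assignment; leave it for a human
        env_name = m.group("name").upper()
        lines[lineno - 1] = f"{m.group('indent')}{m.group('name')} = os.environ.get('{env_name}')"
        env_names.append(env_name)

    if env_names and not any(line.strip() == "import os" for line in lines):
        lines.insert(0, "import os")

    # .env.example carries placeholders only, so it is safe to commit.
    env_example = "".join(
        f"{name}=your-{name.lower().replace('_', '-')}-here\n" for name in env_names
    )
    return "\n".join(lines) + "\n", env_example


def ensure_gitignore(gitignore: str) -> str:
    """Append a .env entry unless the file already has one."""
    entries = gitignore.splitlines()
    if ".env" not in (entry.strip() for entry in entries):
        entries.append(".env")
    return "\n".join(entries) + "\n"


if __name__ == "__main__":
    # Constructed input: the page's own "before" line plus a use of the value.
    before = 'api_key = "xk7f9Gh3Lm2Qp8Nz1Vc5Wd4Rt6Ys0"\nprint(api_key)\n'
    fixed, env_example = auto_fix(before, [1])
    print(fixed)
    print("# .env.example")
    print(env_example)
    print(ensure_gitignore("node_modules/\n"))
```

The rewritten file reads `API_KEY` at runtime, so the deployment environment must define it before the change ships, and the original literal still has to be rotated: removing it from the file does not remove it from history.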

Pre-Merge Blocking

To prevent secrets from being committed in the first place, configure PrismSec to block merges if secrets are detected:

# prismsec.yml
severity_threshold: critical  # Blocks merges if Critical secrets are found

See Configuring Scans for details.

What to Do When a Secret is Found

  1. Do not ignore the finding — Even if the secret seems non-sensitive, rotate it
  2. Rotate the secret immediately — Assume the secret is compromised
  3. Remove from commit history — Use git filter-branch or BFG Repo-Cleaner to purge the secret from Git history (advanced)
  4. Monitor for unauthorized access — Check logs for suspicious activity during the exposure window
  5. Move to secure storage — Use environment variables, secret managers (AWS Secrets Manager, HashiCorp Vault), or encrypted config files

Secrets committed to Git cannot be fully removed by deleting the file — they remain in the repository history. Always rotate exposed secrets.

Configuring Secret Detection

Customize secret detection behavior in prismsec.yml:

secrets:
  # Scan commit history
  scan_history: true
  
  # Maximum commit depth to scan
  history_depth: 100
  
  # Entropy threshold (higher = fewer false positives)
  entropy_threshold: 4.5
  
  # Allow-list for known false positives
  allow_list:
    - "example.com/placeholder-key"

Best Practices

  • Never commit secrets — Use environment variables from the start
  • Use secret managers — AWS Secrets Manager, HashiCorp Vault, Doppler
  • Rotate regularly — Rotate secrets on a schedule, even if not exposed
  • Limit secret scope — Use least-privilege API keys (e.g., Stripe restricted keys)
  • Monitor secret usage — Alert on unexpected API key usage

Next Steps