Overview
Cysmiq detects leaked credentials, API keys, tokens, and other secrets in source code. Where the provider supports it, a detected secret is verified against that provider to confirm whether it is still live; detections that cannot be verified this way are validated by other means to reduce false positives.
What scans detect
Secrets scanning identifies patterns for:
- Cloud provider credentials (AWS, GCP, Azure)
- API keys and tokens (GitHub, Stripe, Twilio, OpenAI, etc.)
- Database connection strings
- Private keys and certificates
- Webhook URLs with embedded secrets
Coverage
Secrets scanning is file-type agnostic.
- API secrets: all file types and languages are scanned, except specific lock files such as `yarn.lock` and `package-lock.json`.
- LLM-based secrets: default ignore rules exclude vendored and test files and common generated assets, e.g. `node_modules`, `vendor`, `tests`, and minified files.
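The two coverage tiers above, as an added example written for this page (not Cysmiq's code): a small detector whose provider patterns run on every file except lock files, while a second tier, here a Shannon-entropy heuristic standing in for the LLM-based tier, additionally skips vendored, test and minified paths. The regexes, the entropy cutoff, the ignore lists and the sample checkout are all assumptions constructed for the illustration.

```python
"""Added example, not Cysmiq's code: a two-tier secrets detector whose coverage
rules mirror the section above. Tier 1 (provider patterns) scans every file
except lock files; tier 2 (an entropy heuristic standing in for the LLM tier)
also skips vendored, test and minified paths. Patterns, thresholds and sample
files are assumptions constructed for this page.
"""
import math
import re
from dataclasses import dataclass
from pathlib import PurePosixPath

# Tier 1: provider-specific formats with fixed prefixes or markers (high signal).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    "slack_webhook": re.compile(r"https://hooks\.slack\.com/services/T\w+/B\w+/\w+"),
    "postgres_url": re.compile(r"postgres(?:ql)?://[^\s:/]+:[^\s@]+@[^\s/]+"),
}
# Tier 2: a secret-ish variable name assigned a quoted string of 20+ token characters.
GENERIC = re.compile(
    r"(?i)(?:secret|token|api[_-]?key|password)\w*\s*[:=]\s*['\"]([A-Za-z0-9+/=_\-]{20,})['\"]"
)
ENTROPY_MIN = 3.5  # bits per char; assumed cutoff that passes random keys and rejects words

LOCK_FILES = {"yarn.lock", "package-lock.json"}   # excluded from both tiers
NOISY_DIRS = {"node_modules", "vendor", "tests"}  # excluded from tier 2 only
MINIFIED = re.compile(r"\.min\.(?:js|css)$")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character: ~4.7 for random base62, ~3 for word-like strings."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum((n / len(s)) * math.log2(n / len(s)) for n in counts.values())


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    kind: str
    secret: str


def excluded_from_all_tiers(path: str) -> bool:
    return PurePosixPath(path).name in LOCK_FILES


def excluded_from_heuristic_tier(path: str) -> bool:
    p = PurePosixPath(path)
    return bool(NOISY_DIRS & set(p.parts[:-1])) or MINIFIED.search(p.name) is not None


def scan_text(path: str, text: str) -> list:
    """Return findings for one file's contents, applying the coverage rules above."""
    findings = []
    if excluded_from_all_tiers(path):
        return findings
    run_heuristics = not excluded_from_heuristic_tier(path)
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(line):
                findings.append(Finding(path, lineno, kind, m.group(0)))
        if run_heuristics:
            for m in GENERIC.finditer(line):
                candidate = m.group(1)
                # Low-entropy values such as "changeme..." are the classic false positive.
                if shannon_entropy(candidate) >= ENTROPY_MIN:
                    findings.append(Finding(path, lineno, "generic_high_entropy", candidate))
    return findings


def scan_files(files: dict) -> list:
    """files maps repo-relative path -> contents (in-memory stand-in for a checkout)."""
    out = []
    for path in sorted(files):
        out.extend(scan_text(path, files[path]))
    return out


# Constructed sample checkout; the AKIA... values are AWS's documented example IDs.
SAMPLE_FILES = {
    "src/config.py": (
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        'DATABASE_URL = "postgres://app:s3cr3tpw@db.internal:5432/app"\n'
        'STRIPE_SECRET = "q7Fz2Lp9Kx4Vb8Nm3Rt6Wy1Cd5Hs0Jg"\n'
        'PASSWORD = "changeme-changeme-changeme"\n'
    ),
    "tests/test_billing.py": 'API_TOKEN = "q7Fz2Lp9Kx4Vb8Nm3Rt6Wy1Cd5Hs0Jg"\n',
    "node_modules/lib/index.min.js": 'var k="AKIAI44QH8DHBEXAMPLE";\n',
    "package-lock.json": '"_aws_key": "AKIAI44QH8DHBEXAMPLE"\n',
    "deploy/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\n(key material omitted)\n-----END OPENSSH PRIVATE KEY-----\n",
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line} {f.kind} {f.secret[:8]}...")
```

Running it on the sample yields five findings: the AWS key in `node_modules` is still reported because tier 1 ignores nothing but lock files, the same key inside `package-lock.json` is not, the high-entropy token under `tests/` is dropped by the tier 2 ignore rules, and the `changeme` password is dropped by the entropy check.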
Verification
Detected secrets are verified to confirm whether they are active. Verification happens in two ways:
- API verification: for supported providers, Cysmiq makes real API calls to check whether the credential is valid. This provides definitive confirmation. See Secret verification providers for the full list.
- LLM-based validation: for patterns without direct API verification, LLM-based analysis evaluates the detection to reduce false positives.
A verification result reflects the state of the credential at the time of the check. A secret reported as Not Vulnerable was still exposed, and one reported as Verified as Vulnerable should be rotated, not merely deleted from the repository.
Verification status
| Status | Meaning |
|---|---|
| Verified as Vulnerable | Secret is active and exploitable |
| Not Vulnerable | Verification confirmed the secret is invalid |
| Verification Pending | Verification has not yet completed |
| Verification Skipped | Verification was not attempted |
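How the statuses in the table arise from a verifier's answer, as an added example written for this page (not Cysmiq's code). The verifier is a fake standing in for a real provider call (for AWS the canonical check is `sts:GetCallerIdentity`, which needs the access key id together with its secret access key); the function names, the rule that a transport error leaves a detection Pending rather than marking it Not Vulnerable, and the sample keys are assumptions.

```python
"""Added example, not Cysmiq's code: route each detection to an API verifier
and map the outcome onto the status vocabulary in the table above. The
verifier is a fake standing in for a real provider call; names, the
error-to-Pending rule and the sample keys are assumptions for this page.
"""
from dataclasses import dataclass
from enum import Enum


class Status(str, Enum):
    VULNERABLE = "Verified as Vulnerable"
    NOT_VULNERABLE = "Not Vulnerable"
    PENDING = "Verification Pending"
    SKIPPED = "Verification Skipped"


class VerifierUnavailable(Exception):
    """Timeout, rate limit or 5xx: says nothing about whether the secret is live."""


@dataclass
class Detection:
    kind: str
    secret: str
    status: Status = Status.PENDING   # every detection starts queued
    note: str = ""


# Constructed fixtures: AWS's documented example IDs, assigned fake fates.
_LIVE = {"AKIAIOSFODNN7EXAMPLE"}
_REVOKED = {"AKIAI44QH8DHBEXAMPLE"}


def fake_aws_verifier(secret: str) -> bool:
    """Stand-in for a real sts:GetCallerIdentity call (assumed behaviour)."""
    if secret in _LIVE:
        return True            # provider accepted the credential
    if secret in _REVOKED:
        return False           # definitive rejection, e.g. InvalidClientTokenId
    raise VerifierUnavailable("simulated network timeout")


VERIFIERS = {"aws_access_key_id": fake_aws_verifier}


def verify(det: Detection, verifiers: dict = VERIFIERS) -> Detection:
    verifier = verifiers.get(det.kind)
    if verifier is None:
        det.status, det.note = Status.SKIPPED, "no API verifier for this pattern"
        return det
    try:
        live = verifier(det.secret)
    except VerifierUnavailable as exc:
        # A transport failure is not evidence of invalidity: only a provider
        # answer may clear a secret. Keep it Pending so the scheduler retries.
        det.status, det.note = Status.PENDING, f"retry: {exc}"
        return det
    det.status = Status.VULNERABLE if live else Status.NOT_VULNERABLE
    return det


def verify_all(dets: list, verifiers: dict = VERIFIERS) -> list:
    return [verify(d, verifiers) for d in dets]


# Constructed detections covering each row of the status table.
SAMPLE = [
    Detection("aws_access_key_id", "AKIAIOSFODNN7EXAMPLE"),
    Detection("aws_access_key_id", "AKIAI44QH8DHBEXAMPLE"),
    Detection("aws_access_key_id", "AKIAZZZZZZZZZZZZZZZZ"),   # hits the timeout path
    Detection("github_token", "ghp_" + "x" * 36),           # no verifier registered
]

if __name__ == "__main__":
    for d in verify_all(SAMPLE):
        print(f"{d.status.value:24} {d.kind:18} {d.note}")
```

The one design point worth copying is the error branch: a verifier that cannot reach the provider must not downgrade a detection to Not Vulnerable, because that status is read as "confirmed invalid" and closes the finding.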
Git history scanning
Git history scanning runs as a separate scan that searches the full commit history for secrets that were committed and later removed. Even if a secret is no longer in the current codebase, it may still be active, and it remains exposed to anyone who can read the repository history. Availability depends on your plan.
Related concepts
- Vulnerabilities: severity, status, and lifecycle
- Scans: how scans are triggered
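For the Git history scanning section above, an added example written for this page (not Cysmiq's code): a parser for `git log -p --all` output that checks both added and removed lines, so a key deleted in a later commit is still surfaced together with the commit that introduced it and the commit that removed it. The log text, commit hashes and pattern set are constructed for the illustration; the `AKIA...` value is AWS's documented example ID, and `scan_repo` assumes `git` is on PATH and the default `a/` `b/` path prefixes.

```python
"""Added example for the Git history scanning section, not Cysmiq's code:
parse `git log -p --all` output and report secrets on added and removed lines,
so a key deleted in a later commit is still surfaced with the commits that
introduced and removed it. Log text, hashes and patterns are constructed.
"""
import re
import subprocess

HISTORY_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
}


def scan_log_text(log_text: str, patterns: dict = HISTORY_PATTERNS) -> dict:
    """Return {secret: {kind, paths, added_in, removed_in}} from patch-format log output."""
    hits = {}
    commit = path = None
    in_hunk = False
    for line in log_text.splitlines():
        if line.startswith("commit "):
            commit, path, in_hunk = line.split()[1], None, False
        elif line.startswith("diff --git "):
            in_hunk = False                      # back in a file header
        elif not in_hunk and line.startswith("+++ "):
            target = line[4:]
            path = None if target == "/dev/null" else target[2:]   # assumes "b/" prefix
        elif line.startswith("@@"):
            in_hunk = True                       # "---"/"+++" below here are content
        elif in_hunk and line[:1] in ("+", "-") and commit:
            for kind, rx in patterns.items():
                for m in rx.finditer(line[1:]):
                    h = hits.setdefault(
                        m.group(0),
                        {"kind": kind, "paths": set(), "added_in": set(), "removed_in": set()},
                    )
                    h["paths"].add(path)
                    h["added_in" if line[0] == "+" else "removed_in"].add(commit)
    return hits


def removed_but_in_history(hits: dict) -> list:
    """Secrets deleted in some commit: gone from the working tree, alive in history."""
    return sorted(s for s, h in hits.items() if h["added_in"] and h["removed_in"])


def scan_repo(repo_path: str = ".") -> dict:
    """Run the same scan against a real checkout (assumes git is on PATH)."""
    log = subprocess.run(
        ["git", "-C", repo_path, "log", "-p", "--all", "--no-color"],
        check=True, capture_output=True, text=True,
    ).stdout
    return scan_log_text(log)


# Constructed log, newest commit first as git prints it: the key is added, then removed.
SAMPLE_LOG = """\
commit 8b7c6d5e4f3a2b1c0d9e8f7a6b5c4d3e2f1a0b9c
Author: Dev <dev@example.com>
Date:   Tue Jan 7 10:03:00 2025 +0000

    remove key from deploy config

diff --git a/deploy/.env b/deploy/.env
index 9a1b2c3..4d5e6f7 100644
--- a/deploy/.env
+++ b/deploy/.env
@@ -1,2 +1 @@
-AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
 AWS_REGION=eu-west-1

commit 3f2a9c1d7e8b4a6f5c0d1e2f3a4b5c6d7e8f9a0b
Author: Dev <dev@example.com>
Date:   Mon Jan 6 09:12:00 2025 +0000

    add deploy config

diff --git a/deploy/.env b/deploy/.env
new file mode 100644
index 0000000..9a1b2c3
--- /dev/null
+++ b/deploy/.env
@@ -0,0 +1,2 @@
+AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
+AWS_REGION=eu-west-1
"""

if __name__ == "__main__":
    for secret, h in scan_log_text(SAMPLE_LOG).items():
        print(secret[:8], h["kind"], sorted(h["paths"]), "added", sorted(h["added_in"]), "removed", sorted(h["removed_in"]))
```

The removal commit is the interesting one for triage: a secret that appears only on `-` lines in HEAD's ancestry is exactly the case the section describes, absent from the checkout but retrievable by anyone with read access to the repository, and the fix is to rotate it rather than to rewrite history.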