> ## Documentation Index
> Fetch the complete documentation index at: https://docs.cysmiq.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Secrets

> Detect and verify leaked credentials in code.

## Overview

Cysmiq detects leaked credentials, API keys, tokens, and other secrets in source code. Detected secrets are verified when possible, and other patterns are validated to reduce false positives.

## What scans detect

Secrets scanning identifies patterns for:

* Cloud provider credentials (AWS, GCP, Azure)
* API keys and tokens (GitHub, Stripe, Twilio, OpenAI, etc.)
* Database connection strings
* Private keys and certificates
* Webhook URLs with embedded secrets

## Coverage

Secrets scanning is file-type agnostic.

* **API secrets**: Scans all file types and languages, except specific lock files like `yarn.lock` and `package-lock.json`.
* **LLM-based secrets**: Uses default ignore rules for vendored and test files, plus common generated assets, e.g. `node_modules`, `vendor`, `tests`, and minified files.

## Verification

Detected secrets are verified to confirm whether they are active. Verification happens in two ways:

**API verification**: For supported providers, Cysmiq makes real API calls to check if the credential is valid. This provides definitive confirmation. See [Secret verification providers](/reference/secret-verification-providers) for the full list.

**LLM-based validation**: For patterns without direct API verification, LLM-based analysis evaluates the detection to reduce false positives.

### Verification status

| Status                 | Meaning                                      |
| ---------------------- | -------------------------------------------- |
| Verified as Vulnerable | Secret is active and exploitable             |
| Not Vulnerable         | Verification confirmed the secret is invalid |
| Verification Pending   | Verification has not yet completed           |
| Verification Skipped   | Verification was not attempted               |

## Git history scanning

Git history scanning searches the full commit history for secrets that may have been committed and later removed. Even if a secret is no longer in the current codebase, it may still be active and exposed in the repository history.

Git history scanning runs as a separate scan that searches the full commit history.

<Info>Availability depends on your Cysmiq plan.</Info>

## Related concepts

* [Vulnerabilities](/concepts/vulnerabilities): severity, status, and lifecycle
* [Scans](/concepts/scans): how scans are triggered
