Secret Detection
cyscan detects hardcoded credentials with 296 provider-specific patterns, entropy-based analysis, and optional liveness verification.
Quick Start
cyscan scan . # includes secret detection
cyscan scan . --verify # also verify if secrets are live
cyscan scan /path/to/.env # scan .env files
Three Detection Layers
1. Pattern-Based (296 rules)
Provider-specific regex patterns from the GitLeaks rule set plus Cybrium additions:
| Category | Providers | Count |
|---|---|---|
| Cloud | AWS (4), Azure (4), GCP (3), DigitalOcean (2), Alibaba (2) | 15 |
| Source Control | GitHub (5), GitLab (12), Bitbucket (2) | 19 |
| Communication | Slack (8), Discord (3), Teams, Telegram | 13 |
| Payment | Stripe (3), PayPal, Square (2), Flutterwave (3) | 9 |
| Email/SMS | SendGrid, Mailgun, Mailchimp, Postmark, Twilio (2) | 7 |
| Database | PostgreSQL, MySQL, MongoDB, Redis URIs | 4 |
| CI/CD | NPM (2), PyPI, RubyGems, NuGet, Docker Hub, CircleCI | 8 |
| Monitoring | Datadog (2), New Relic (4), Sentry (3), PagerDuty, Grafana (3), Splunk | 15 |
| SaaS | Shopify (4), Heroku (2), Cloudflare (3), Netlify, Vercel, etc. | 30+ |
| AI | OpenAI (2), Anthropic (2), HuggingFace (2), Cohere, Replicate | 8 |
| Crypto | RSA, OpenSSH, EC, PGP, PKCS8 private keys | 6 |
| Generic | Password/secret/token/API key assignments, Bearer auth, connection strings | 8 |
2. Entropy-Based Detection
Catches secrets that don't match any known pattern by measuring Shannon entropy:
| Charset | Threshold | Min Length |
|---|---|---|
| Hex strings | >= 3.0 bits/char | 20 chars |
| Base64 strings | >= 4.0 bits/char | 20 chars |
| Generic strings | >= 4.5 bits/char | 16 chars |
False positive suppression: UUIDs, git SHAs, URLs, file paths, semver, repeated characters, CSS colors, and known safe key names are automatically excluded.
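The first two layers, pattern matching and entropy scoring with false-positive suppression, can be illustrated with a small scanner. This is an added example, not cyscan's code: the four regex rules, the token extractor, the suppression regexes, the placeholder list and the sample input are all constructed for the example, while the entropy thresholds and minimum lengths are the ones from the table above.

```python
import math
import re
from dataclasses import dataclass

# Layer 1: constructed stand-ins for the rule set (a PEM private-key header, a credential
# assignment, a database URI with an embedded password, a Bearer header). Not cyscan's rules.
PATTERN_RULES = {
    "private-key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |PGP |)PRIVATE KEY-----"),
    "generic-credential": re.compile(
        r"(?i)\b(?:password|secret|token|api[_-]?key)\b\s*[:=]\s*['\"]?([^\s'\"]{8,})"),
    "connection-string": re.compile(
        r"(?i)\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?|redis)://[^\s'\":@/]*:([^\s'\"@]+)@"),
    "bearer-auth": re.compile(r"\bBearer\s+([A-Za-z0-9._\-]{16,})"),
}

# Layer 2: (charset regex, bits/char threshold, minimum length) as in the table above.
ENTROPY_RULES = [
    ("hex", re.compile(r"^[0-9a-fA-F]+$"), 3.0, 20),
    ("base64", re.compile(r"^[A-Za-z0-9+/=_-]+$"), 4.0, 20),
    ("generic", re.compile(r"^[\x21-\x7e]+$"), 4.5, 16),
]
TOKEN_RE = re.compile(r"[A-Za-z0-9+/_\-.#:]{16,}={0,2}")  # candidate strings within a line

# False-positive filters: constructed regexes for the categories the documentation lists.
PLACEHOLDERS = {"changeme", "example", "placeholder", "your_api_key_here"}
SUPPRESS_RES = [
    re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I),  # UUID
    re.compile(r"^[0-9a-f]{40}$", re.I),                   # git SHA-1
    re.compile(r"^[a-z][a-z0-9+.-]*://", re.I),            # URL or connection URI
    re.compile(r"^(?:/|\./|\.\./|[A-Za-z]:\\)"),           # file path
    re.compile(r"^v?\d+\.\d+\.\d+"),                       # semver
    re.compile(r"^#(?:[0-9a-f]{3}|[0-9a-f]{6})$", re.I),   # CSS colour
    re.compile(r"^(.+?)\1+$"),                             # repeated unit, e.g. abababab
]


@dataclass
class Finding:
    rule: str
    line: int
    value: str
    entropy: float


def shannon_entropy(s: str) -> float:
    """Bits per character of s (0.0 for the empty string or one repeated character)."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_suppressed(value: str) -> bool:
    """True when the string is a known non-secret shape (UUID, git SHA, URL, path, ...)."""
    v = value.strip()
    return v.lower() in PLACEHOLDERS or any(rx.match(v) for rx in SUPPRESS_RES)


def scan_text(text: str) -> list:
    """Run pattern rules, then entropy rules, over each line; one Finding per hit."""
    findings = []
    for ln, line in enumerate(text.splitlines(), start=1):
        reported = set()
        for rule, rx in PATTERN_RULES.items():
            for m in rx.finditer(line):
                value = m.group(1) if m.groups() else m.group(0)
                if is_suppressed(value):
                    continue
                reported.add(value)
                findings.append(Finding(rule, ln, value, shannon_entropy(value)))
        for token in TOKEN_RE.findall(line):
            if token in reported or is_suppressed(token):
                continue
            for name, charset, threshold, min_len in ENTROPY_RULES:
                if charset.match(token):                 # first matching charset wins
                    if len(token) >= min_len:
                        e = shannon_entropy(token)
                        if e >= threshold:
                            findings.append(Finding(f"entropy-{name}", ln, token, e))
                    break
    return findings


# Constructed sample input; none of these values are real credentials.
SAMPLE = """\
password = "CHANGEME"
DATABASE_URL=postgres://app:hunter2@localhost/app
GIT_COMMIT=3b1f0d2e4c5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c
REQUEST_ID=123e4567-e89b-12d3-a456-426614174000
API_KEY=Zk8pQw2vLm9xTr4bNs7yHd3fJc6gWe1a
ENC_BLOB=9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08
-----BEGIN RSA PRIVATE KEY-----
Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.constructed.signature
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        print(f"line {f.line}: {f.rule} ({f.entropy:.2f} bits/char) {f.value[:8]}...")
```

On the sample, the placeholder password, the git SHA and the UUID are dropped by suppression, the connection-string password and the API key are caught by pattern rules, and the 64-character hex blob is caught only by the hex entropy rule. Note the trade-off the suppression list implies: any 40-character hex string is treated as a git SHA, so a secret of exactly that shape is invisible to the entropy layer unless a pattern rule knows its provider.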
3. Liveness Verification (--verify)
Tests whether detected credentials are actually valid using safe, read-only API calls:
| Provider | What it checks | Identity returned |
|---|---|---|
| GitHub | GET /user | github.com/username |
| GitLab | GET /api/v4/user | gitlab.com/username |
| Slack | GET /api/auth.test | workspace/user |
| Stripe | GET /v1/charges?limit=1 | Account access |
| OpenAI | GET /v1/models | API access |
| Anthropic | GET /v1/models | API access |
| HuggingFace | GET /api/whoami-v2 | Username |
| Datadog | GET /api/v1/validate | API access |
| NPM | GET /-/whoami | npm/username |
| Docker Hub | GET /v2/user | docker.io/username |
| DigitalOcean | GET /v2/account | Account email |
| Cloudflare | GET /client/v4/user/tokens/verify | Token valid |
| + 8 more... | | |
Live secrets are escalated to CRITICAL severity and their message is prefixed with VERIFIED LIVE SECRET.
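The verification step above amounts to one read-only GET per provider and a severity decision on the response. The following is an added example of that logic, not cyscan's verifier: the endpoints are the ones listed in the table, but the auth header scheme and the JSON field used for the identity are my assumptions about each provider's API, the `Finding` type and `redact` helper are invented for the example, and the transport is injectable so the decision logic can be exercised without network access.

```python
import json
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Read-only probe per provider: (URL from the table, header builder, identity extractor).
# Header scheme and identity field are assumptions about each API, not taken from cyscan.
PROBES = {
    "github": ("https://api.github.com/user",
               lambda t: {"Authorization": f"Bearer {t}"}, lambda b: b.get("login")),
    "gitlab": ("https://gitlab.com/api/v4/user",
               lambda t: {"PRIVATE-TOKEN": t}, lambda b: b.get("username")),
    "huggingface": ("https://huggingface.co/api/whoami-v2",
                    lambda t: {"Authorization": f"Bearer {t}"}, lambda b: b.get("name")),
    "digitalocean": ("https://api.digitalocean.com/v2/account",
                     lambda t: {"Authorization": f"Bearer {t}"},
                     lambda b: b.get("account", {}).get("email")),
    "openai": ("https://api.openai.com/v1/models",
               lambda t: {"Authorization": f"Bearer {t}"}, lambda b: "API access"),
}

Transport = Callable[[str, Dict[str, str]], Tuple[int, bytes]]


def urllib_transport(url: str, headers: Dict[str, str]) -> Tuple[int, bytes]:
    """Default transport: a single GET with no body and no retries; returns (status, body)."""
    req = urllib.request.Request(url, headers=headers, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as exc:  # 4xx/5xx still carry a status we can classify
        return exc.code, exc.read()


@dataclass
class Finding:
    provider: str
    secret: str
    severity: str = "HIGH"
    message: str = "hardcoded credential"
    status: str = "unverified"   # unverified | live | dead | unknown
    identity: Optional[str] = None


def redact(secret: str) -> str:
    """Keep only a short prefix so reports and logs never reproduce the full value."""
    return secret[:4] + "..." + "*" * 4


def verify(finding: Finding, transport: Transport = urllib_transport) -> Finding:
    """Probe the provider once; escalate to CRITICAL only on a confirmed 200."""
    url, headers_for, identity_of = PROBES[finding.provider]
    try:
        status, body = transport(url, headers_for(finding.secret))
    except OSError:
        finding.status = "unknown"   # DNS/TLS/connect failure: neither live nor dead
        return finding
    if status == 200:
        try:
            data = json.loads(body or b"{}")
        except ValueError:
            data = {}
        finding.status = "live"
        finding.identity = identity_of(data) if isinstance(data, dict) else None
        finding.severity = "CRITICAL"
        finding.message = "VERIFIED LIVE SECRET: " + finding.message
    elif status in (401, 403):
        finding.status = "dead"      # rejected: still remove it, severity unchanged
    else:
        finding.status = "unknown"   # 429, 5xx etc. are inconclusive: never downgrade
    return finding


if __name__ == "__main__":
    # Constructed token value; a real run would use urllib_transport against the provider.
    f = verify(Finding("github", "ghp_constructed_0000"),
               lambda url, headers: (200, b'{"login": "octocat"}'))
    print(f.severity, f.status, f.identity, redact(f.secret), "-", f.message)
```

The three-way outcome matters more than the happy path: a 401/403 proves the credential is rejected, a 200 proves it is live and yields the identity column from the table, and anything else (rate limiting, an outage, no network) is inconclusive and must not lower the finding's severity.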
File Coverage
cyscan scans these file types for secrets:
- All source code files (Python, JavaScript, Go, Java, Ruby, etc.)
- .env, .env.local, .env.production, .env.staging
- .npmrc, .pypirc, .netrc, .pgpass, .git-credentials
- .pem, .key, .crt, .cert files
- JSON, YAML, TOML, INI configuration files
- Dockerfile, Kubernetes manifests, Terraform files