Package: Invicti AppSec Core (on-demand), Invicti AppSec Enterprise (on-premise, on-demand)
Secrets detection overview
What is Secrets Detection?
Secrets Detection scans your codebase and Git history to find hardcoded secrets, credentials, and other sensitive data that should never be committed to source control. Exposed secrets are one of the most common causes of security breaches, and catching them early prevents unauthorized access to systems, APIs, and infrastructure.
For Invicti AppSec Core, Secrets Detection is pre-activated and ready to use. No manual setup or integration is required.
How it works
The Secrets Detection scanner analyzes your source code and Git commit history to identify patterns that match known secret formats. The scanning process includes:
- Pattern matching: detects secrets using regular expressions and entropy analysis to identify strings that resemble API keys, tokens, passwords, and other credentials.
- Git history scanning: examines the full Git commit history, not just the current state, to find secrets that may have been committed and later removed.
- Format detection: recognizes secrets from hundreds of providers and services based on known key formats and naming patterns.
- Entropy analysis: flags high-entropy strings that are likely to be randomly generated secrets, even if they don't match a known provider format.
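The following Python toy scanner is an added illustration of the four techniques listed above; it is not Invicti's scanner or any of its code. It applies a couple of provider-format regexes (the AWS access key ID prefix and the PEM private-key header are publicly documented formats; a real scanner ships hundreds), falls back to Shannon entropy for long base64-like strings the patterns missed, and walks every commit snapshot so that a key removed in a later commit is still reported. The entropy threshold, the candidate-length cutoff, the commit history and the sample values are all constructed for this example (`AKIAIOSFODNN7EXAMPLE` is the placeholder key from AWS's own documentation).

```python
from __future__ import annotations

import math
import re
from typing import NamedTuple


class Finding(NamedTuple):
    commit: str
    path: str
    line_no: int
    kind: str
    value: str


# Illustrative provider-format patterns (assumption: a production scanner
# carries hundreds of these). "AKIA" + 16 uppercase alphanumerics is the
# documented AWS access key ID shape; the PEM header is the standard one.
PROVIDER_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"
    ),
}

# Entropy candidates: base64/hex-like runs of 20+ characters (assumed cutoff).
CANDIDATE = re.compile(r"[A-Za-z0-9+/_\-]{20,}")
ENTROPY_THRESHOLD = 4.0  # bits per character; an assumed tuning value


def shannon_entropy(s: str) -> float:
    """Shannon entropy of a string in bits per character."""
    if not s:
        return 0.0
    n = len(s)
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(text: str, commit: str = "WORKTREE", path: str = "<stdin>") -> list[Finding]:
    """Apply provider patterns first, then entropy analysis to whatever they missed."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), 1):
        covered: list[tuple[int, int]] = []
        for kind, pattern in PROVIDER_PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append(Finding(commit, path, line_no, kind, m.group(0)))
                covered.append(m.span())
        for m in CANDIDATE.finditer(line):
            if any(start <= m.start() < end for start, end in covered):
                continue  # already reported under a known provider format
            token = m.group(0)
            if shannon_entropy(token) >= ENTROPY_THRESHOLD:
                findings.append(Finding(commit, path, line_no, "high_entropy_string", token))
    return findings


def scan_history(commits: list[tuple[str, dict[str, str]]]) -> list[Finding]:
    """Scan every commit snapshot, so a secret removed in a later commit still surfaces."""
    findings: list[Finding] = []
    for commit, files in commits:
        for path, content in files.items():
            findings.extend(scan_text(content, commit, path))
    return findings


# Constructed commit history (not a real repository). The AWS key committed in c1
# is replaced by an environment lookup in c2; c2 adds a private key file that is
# deleted again in c3; c3 introduces a random-looking token in a deploy script.
SAMPLE_HISTORY = [
    ("c1", {
        "config.py": 'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\nDB_HOST = "localhost_dev_database"\n',
    }),
    ("c2", {
        "config.py": 'AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]\nDB_HOST = "localhost_dev_database"\n',
        "deploy/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\n# key body omitted in this constructed sample\n",
    }),
    ("c3", {
        "config.py": 'AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]\nDB_HOST = "localhost_dev_database"\n',
        "deploy.sh": 'export API_TOKEN="aB3dE5fG7hI9jK1lM2nO4pQ6rS8tU0vW"\n',
    }),
]


if __name__ == "__main__":
    for f in scan_history(SAMPLE_HISTORY):
        print(f"{f.commit} {f.path}:{f.line_no} {f.kind} {f.value[:8]}...")
```

Scanning only the latest snapshot (`scan_history(SAMPLE_HISTORY[-1:])`) reports just the token in `deploy.sh`; scanning the full history also recovers the AWS key from c1 and the private key from c2, which is the point of the Git history step. `localhost_dev_database` is long enough to be an entropy candidate but scores about 3.5 bits per character, so the threshold keeps it out of the results.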
What it can discover
Secrets Detection identifies exposed credentials across the following categories:
| Category | Examples |
|---|---|
| API keys | AWS access keys, Google Cloud API keys, Azure subscription keys, Stripe keys |
| Authentication tokens | OAuth tokens, JWT secrets, personal access tokens, bearer tokens |
| Passwords and credentials | Database connection strings, SMTP passwords, hardcoded login credentials |
| Private keys | SSH private keys, TLS/SSL certificates, PGP private keys |
| Cloud provider secrets | AWS secret access keys, Azure client secrets, GCP service account keys |
| Third-party service credentials | Slack webhooks, SendGrid API keys, Twilio auth tokens, GitHub tokens |
Invicti Secrets Detection editions
Invicti AppSec supports two editions of Secrets Detection:
| Edition | Package | Activation |
|---|---|---|
| Invicti Secrets | AppSec Core | Pre-activated, no setup required |
| Third-party secrets tools | AppSec Enterprise | Requires manual activation under Integrations |
For AppSec Enterprise, supported third-party secrets detection tools include Gitleaks, GitGuardian, and TruffleHog Security. See Third-party scanners overview for the full list.
Need help?
The Invicti Support team is ready to provide you with technical help. Go to Help Center.