Secret Scanning
Scan your Git repositories for accidentally committed secrets, API keys, and credentials across the full commit history.
Connecting a Repository
- Go to Settings > Integrations > Connect GitHub.
- Authenticate via OAuth (read-only access to repository contents and commit history).
- Select the repository to link and click Connect.
Once connected, trigger scans manually or enable automatic scanning on new pushes via Settings > Integrations > Auto-scan on push.
Running a Scan
Open the Secret Scanning tab and click Run Scan. The scanner analyzes the full commit history and populates the detections table.
Detection Results
| Column | Description |
|---|---|
| Pattern | Type of secret matched (e.g., “AWS Access Key”, “GitHub Token”). |
| Severity | Critical, High, Medium, or Low. |
| Commit Hash | Short SHA — click to view the commit on GitHub. |
| File Path | File containing the detection. |
| Line Number | Specific line of the match. |
| Status | OPEN, RESOLVED, or FALSE_POSITIVE. |
Severity Levels
| Severity | Examples |
|---|---|
| Critical | Cloud root credentials, database connection strings, private signing keys. |
| High | API tokens, OAuth client secrets, JWT signing keys. |
| Medium | Generic API keys, webhook secrets, SMTP passwords. |
| Low | Internal service tokens, non-production test keys. |
Managing Detections
Click a detection to update its status (OPEN → RESOLVED or FALSE_POSITIVE) and add a resolution note. Use Batch Update to change multiple detections at once.
Notifications
When secrets are detected, the project owner receives:
- In-app notification with a summary badge.
- Email with detection count, severities, and a link to results.
Remediation Guidance
Each detection includes actionable steps in its detail panel:
- Rotate the secret in the provider’s dashboard.
- Remove from history with git filter-repo or BFG Repo-Cleaner.
- Store securely in the DepVault vault.
- Add to .gitignore if the file shouldn’t be committed.
Custom Scan Patterns
Create project-specific regex patterns under Secret Scanning > Custom Patterns. Each pattern needs a name, regex, severity, and optional description. Custom patterns run alongside built-in patterns in all subsequent scans.
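The following is an added example (not DepVault's own scanner or rule set) that models how the detections table above is populated: each pattern carries a name, regex, severity and description exactly as a custom pattern does, and every commit in the history is scanned so that a secret removed in a later commit still surfaces against the commit that introduced it, which is why the remediation guidance insists on rotation rather than deletion alone. The pattern regexes, the commit SHAs and the secret-looking values are all constructed for illustration.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Pattern:
    name: str
    regex: str
    severity: str  # Critical, High, Medium, or Low
    description: str = ""


@dataclass(frozen=True)
class Detection:
    pattern: str
    severity: str
    commit: str       # short SHA of the commit that contains the match
    file_path: str
    line_number: int
    status: str = "OPEN"  # OPEN, RESOLVED, or FALSE_POSITIVE


# Illustrative built-in style rules (assumed shapes, not DepVault's actual rule set).
BUILTIN_PATTERNS = [
    Pattern("AWS Access Key", r"\bAKIA[0-9A-Z]{16}\b", "Critical", "AWS access key ID"),
    Pattern("GitHub Token", r"\bghp_[A-Za-z0-9]{36}\b", "High", "GitHub personal access token"),
    Pattern("Database Connection String", r"\b(?:postgres|mysql)://[^\s:@]+:[^\s@]+@\S+",
            "Critical", "DSN with embedded password"),
]

# A project-specific custom pattern, as you would add under Secret Scanning > Custom Patterns.
CUSTOM_PATTERNS = [
    Pattern("Internal Service Token", r"\bsvc_[a-f0-9]{20}\b", "Low",
            "Token format used by our internal services (constructed example)"),
]

# Constructed commit history: the first commit leaks two secrets, the second "fixes" the
# files by switching to environment variables but also adds an internal token.
SAMPLE_COMMITS = [
    {"sha": "a1b2c3d", "files": {
        "config.py": 'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\nDEBUG = True\n',
        "deploy.sh": 'curl -H "Authorization: token ghp_0123456789abcdef0123456789abcdef0123" '
                     'https://api.github.com/user\n',
    }},
    {"sha": "e4f5a6b", "files": {
        "config.py": 'AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]\nDEBUG = True\n',
        "deploy.sh": 'curl -H "Authorization: token $GITHUB_TOKEN" https://api.github.com/user\n',
        "internal/client.py": 'SERVICE_TOKEN = "svc_0123456789abcdef0123"\n',
    }},
]


def scan_history(commits, patterns):
    """Scan every file version in every commit; return one Detection per matching line."""
    compiled = [(p, re.compile(p.regex)) for p in patterns]
    detections = []
    for commit in commits:
        for path, content in commit["files"].items():
            for lineno, line in enumerate(content.splitlines(), start=1):
                for pat, rx in compiled:
                    if rx.search(line):
                        detections.append(Detection(pat.name, pat.severity, commit["sha"], path, lineno))
    return detections


def severity_counts(detections):
    """Counts per severity, in the order the notification email lists them."""
    counts = {}
    for sev in ("Critical", "High", "Medium", "Low"):
        n = sum(1 for d in detections if d.severity == sev)
        if n:
            counts[sev] = n
    return counts


if __name__ == "__main__":
    found = scan_history(SAMPLE_COMMITS, BUILTIN_PATTERNS + CUSTOM_PATTERNS)
    for d in found:
        print(f"{d.severity:8} {d.pattern:26} {d.commit} {d.file_path}:{d.line_number} {d.status}")
    print(severity_counts(found))
```

Running it reports the AWS key and GitHub token against commit a1b2c3d even though the second commit no longer contains them, and the custom Low-severity rule fires only on the internal token. Keep custom regexes anchored with word boundaries or a fixed prefix as above; an over-broad pattern floods the table with matches that then have to be triaged to FALSE_POSITIVE by hand.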
Scan History
The History section shows a timeline of all scans with trigger type, detection count, files scanned, and duration. Click any entry to view its detections.