Secret Detection

440+ Secret Detection Patterns

VEXLIT detects hardcoded secrets, API keys, tokens, and credentials in your source code using 440+ detection patterns across 14 categories. Entropy analysis catches secrets that don't match known patterns.

440+ Detection Patterns | 14 Secret Categories | 10 Validity Providers

Detection Categories

Secrets are organized into 14 categories for clear prioritization.

#01 Cloud Provider Keys: AWS access keys, GCP service accounts, Azure connection strings
#02 API Keys & Tokens: Stripe, SendGrid, Twilio, OpenAI, HuggingFace, npm tokens
#03 Source Control: GitHub PATs, GitLab tokens, Bitbucket app passwords
#04 Communication: Slack webhooks/tokens, Discord bot tokens, Telegram bot tokens
#05 Database: PostgreSQL, MySQL, MongoDB, Redis connection strings with credentials
#06 Private Keys: RSA, EC, PGP private keys, SSH private keys
#07 Authentication: JWT secrets, OAuth client secrets, SAML certificates
#08 CI/CD: Jenkins tokens, CircleCI keys, Travis CI tokens
#09 Payment: Stripe secret keys, PayPal credentials, Square access tokens
#10 Infrastructure: Terraform state secrets, Vault tokens, Consul tokens
#11 Monitoring: Datadog, New Relic, PagerDuty API keys
#12 Email: SMTP credentials, Mailgun, Postmark API keys
#13 Container Registry: Docker Hub tokens, ECR credentials, GCR keys
#14 Generic Secrets: Shannon entropy detection for unrecognized high-entropy strings

Shannon Entropy Detection

Beyond pattern matching, VEXLIT uses Shannon entropy analysis to detect high-entropy strings that look like secrets even when they don't match known formats. This catches custom API keys, internal tokens, and one-off credentials.
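
The sketch below is an added example, not VEXLIT's own code; it shows how entropy scoring separates random-looking strings from ordinary long strings such as URL paths or padding. The candidate regex, the 20-character minimum, the two thresholds and the sample lines are assumptions constructed for illustration.

```javascript
// Added example (not VEXLIT code). The regex, minimum length and
// thresholds are assumed values chosen for illustration.

// Shannon entropy in bits per character: H = -sum(p * log2(p)).
function shannonEntropy(s) {
  const chars = Array.from(s);
  const counts = new Map();
  for (const ch of chars) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / chars.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// A hex string can reach at most 4 bits/char and a base64-like string
// at most 6, so each alphabet gets its own cut-off.
const THRESHOLDS = { hex: 3.0, base64: 4.5 };
const CANDIDATE = /[A-Za-z0-9+\/_=-]{20,}/g; // runs of 20+ key-like chars
const HEX_ONLY = /^[0-9a-fA-F]+$/;

// Returns one finding per high-entropy token, with the value redacted.
function findHighEntropyStrings(source) {
  const findings = [];
  source.split("\n").forEach((text, i) => {
    for (const m of text.matchAll(CANDIDATE)) {
      const token = m[0];
      const kind = HEX_ONLY.test(token) ? "hex" : "base64";
      const entropy = Number(shannonEntropy(token).toFixed(2));
      if (entropy >= THRESHOLDS[kind]) {
        findings.push({ line: i + 1, kind, entropy, preview: token.slice(0, 4) + "..." });
      }
    }
  });
  return findings;
}

// Constructed sample input; none of these values is a real credential.
const SAMPLE = [
  'const apiKey = "q7Rz2LmX9vKp4TbWc8YhN3sJd6GfA1eU";',   // random-looking
  'const padding = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";',  // long, entropy 0
  'const url = "https://example.com/docs/getting-started";',
  'const digest = "3f9a1c7e5b2d80466408d2b5e7c1a9f3";',   // hex, 4 bits/char
].join("\n");

console.log(findHighEntropyStrings(SAMPLE));
```

The hex value on the last sample line scores 4.0 bits per character, the maximum for its alphabet, so a single 4.5 threshold would miss it; entropy also cannot tell a secret from a checksum, which is why such findings land in a generic category rather than a provider-specific one.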

Validity Check

For supported providers, VEXLIT verifies whether a detected secret is still active by making a safe, read-only API call.

Supported providers: AWS, GitHub, GitLab, Slack, Stripe, SendGrid, Twilio, npm, HuggingFace, OpenAI

Possible results: Active, Inactive / Revoked, or Unable to verify

Git History Scanning

Secrets in your current code are only part of the risk. VEXLIT can scan your entire git history to find secrets that were committed and later removed but remain in the repository.

$ vexlit scan . --git-history
Scans all commits in the repository for secrets

$ vexlit scan --diff
Scans only staged/unstaged changes for secrets before committing

Pre-commit Hook

Prevent secrets from ever being committed by adding VEXLIT as a pre-commit hook.

# .pre-commit-config.yaml
repos:
  - repo: local
    hooks:
      - id: vexlit-secrets
        name: VEXLIT Secret Scanner
        entry: npx @vexlit/cli scan --diff --fail-on medium
        language: system
        pass_filenames: false

.env File Parsing

VEXLIT has a dedicated .env parser that detects secrets in environment files. It understands KEY=VALUE format, quoted values, multi-line values, and variable interpolation.