Secrets Scanning

How DryRun Security detects hardcoded credentials, API keys, tokens, and other secrets in your codebase.

The Secrets Analyzer

Hardcoded credentials are among the most common and most exploitable security vulnerabilities in modern software. API keys, database passwords, authentication tokens, and private keys committed to source code are routinely discovered by attackers scanning public repositories - and by insiders with unintended access to private ones.

DryRun Security's Secrets Analyzer is a specialized agent that runs on every pull request, examining code changes for signs of embedded credentials. Unlike tools that rely solely on pattern matching, the Secrets Analyzer goes a critical step further: it attempts to validate detected secrets to determine whether they are real and currently active. This verification step is a key differentiator - rather than flooding teams with alerts for every string that resembles a credential, DryRun Security confirms which secrets pose a genuine risk by testing them against the services they are meant to authenticate with.

The analyzer also operates contextually, evaluating whether a candidate secret is genuine based on its surrounding context, variable naming, usage patterns, and code structure. Combined with active validation, this approach dramatically reduces false positives while ensuring that truly dangerous credentials are caught before they reach production.

What Secrets Detection Covers

The Secrets Analyzer detects a wide range of credential types, including:

  • API keys and access tokens for cloud providers (AWS, GCP, Azure) and third-party services
  • Database connection strings with embedded credentials
  • Private keys (RSA, EC, SSH)
  • Authentication tokens and session secrets
  • OAuth client secrets
  • Webhook secrets and signing keys
  • Generic high-entropy strings that exhibit the statistical properties of cryptographic secrets
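The contextual evaluation described above and the high-entropy heuristic in the last bullet can be illustrated with a small scanner. The following is an added example written for this page; it is not DryRun Security's code and does not show how the Secrets Analyzer is implemented. It combines fixed-shape patterns (the AWS access key ID prefix, connection strings with embedded credentials, PEM private-key headers) with a Shannon-entropy check that only fires when the assigned variable name suggests a credential, and it suppresses obvious placeholders. Every pattern, threshold, variable name and sample line below is an assumption or constructed input.

```python
import math
import re
from dataclasses import dataclass

# Fixed-shape credential formats. AWS access key IDs are "AKIA" followed by
# 16 upper-case alphanumerics; the other two shapes are conventional starting
# points for a scanner, not a complete rule set.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "database_url": re.compile(
        r"\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?|redis|amqp)://[^\s:/@]+:[^\s@]+@"
    ),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
}

# Contextual cues: an assignment whose left-hand name suggests a credential.
CREDENTIAL_NAME = re.compile(r"(secret|token|passw|api_?key|access_?key|private_?key)", re.I)
ASSIGNMENT = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*[:=]\s*[\"']([^\"']+)[\"']")
# Values containing these words are treated as placeholders, not live secrets.
PLACEHOLDER_WORDS = ("example", "changeme", "placeholder", "replace", "your_", "dummy", "xxx")

MIN_LENGTH = 20    # shorter literals are not considered for the entropy rule
MIN_ENTROPY = 4.0  # bits per character (Shannon entropy); assumed threshold


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str
    name: str  # variable the literal was assigned to, if any


def shannon_entropy(s):
    """Shannon entropy in bits per character of the string s."""
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_placeholder(value):
    v = value.lower()
    return any(w in v for w in PLACEHOLDER_WORDS)


def scan(text):
    """Return a Finding for each line that carries a likely secret."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = ASSIGNMENT.match(line)
        name = m.group(1) if m else ""
        # 1. Fixed-shape patterns fire regardless of surrounding context.
        hit = next((kind for kind, pat in PATTERNS.items() if pat.search(line)), None)
        if hit:
            findings.append(Finding(line_no, hit, name))
            continue
        # 2. Generic high-entropy rule: only for credential-looking names,
        #    non-placeholder values, long enough and without whitespace.
        if not m or not CREDENTIAL_NAME.search(name):
            continue
        value = m.group(2)
        if looks_like_placeholder(value):
            continue
        if len(value) < MIN_LENGTH or any(ch.isspace() for ch in value):
            continue
        if shannon_entropy(value) >= MIN_ENTROPY:
            findings.append(Finding(line_no, "high_entropy", name))
    return findings


# Constructed sample source lines (not taken from any real project).
SAMPLE = """\
AWS_ACCESS_KEY_ID = "AKIACONSTRUCTED00001"
db_url = "postgres://app:Sup3rS3cretPw!@db.internal:5432/app"
api_token = "a8F3kL9qZ2mN7vB1xC4wE6rT0yU5iO8p"
pem = "-----BEGIN RSA PRIVATE KEY-----"
secret_key = "REPLACE_WITH_YOUR_SECRET_KEY"
message = "The quick brown fox jumps over the lazy dog once"
token_expiry_seconds = "3600"
"""

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"line {f.line_no}: {f.kind} ({f.name})")
```

Lines 1 through 4 of the sample are reported; line 5 is dropped as a placeholder, line 6 because `message` is not a credential-like name, and line 7 because the value is too short for the entropy rule. The active validation step the page describes (testing a candidate against the service it authenticates to) is deliberately not modelled here; this block only covers the detection and context-filtering stage.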