Entropy and pattern-based secret detection with verification.
Detect hardcoded credentials and sensitive data in source code:
- Pattern matching - 40+ built-in regex rules for common secret formats
- Entropy analysis - Shannon entropy detection for high-entropy strings
- AST context - Tree-sitter parsing for false-positive reduction
- Live verification - Confirm whether detected tokens are actually valid
Detection runs as a three-stage pipeline:
- Pattern/Entropy Collection - Regex rules + entropy scoring
- AST Analysis - Context extraction using tree-sitter
- Semantic Validation - Language-specific heuristics
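The pattern-plus-entropy collection stage described above, as an added example that is not vulnera's own code: Shannon entropy is scored per candidate string against assumed base64/hex thresholds, a single regex rule for AWS access key IDs stands in for the built-in rule set, and the three-line source sample is constructed (the key ID is the AWS documentation example, not a live credential).

```python
import math
import re
from collections import Counter

# Assumed thresholds (not vulnera's): bits per character above which a
# base64-alphabet or hex-alphabet run is treated as a likely secret.
BASE64_THRESHOLD = 4.5
HEX_THRESHOLD = 3.0
MIN_LEN = 20
BASE64_RUN = re.compile(r"[A-Za-z0-9+/=]{%d,}" % MIN_LEN)
HEX_RUN = re.compile(r"[0-9a-fA-F]{%d,}" % MIN_LEN)
# One pattern rule standing in for the built-in rule set: AWS access key ID.
PATTERN_RULES = {"aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b")}
# Constructed sample input: the AWS docs example key ID, a token made of
# 32 distinct characters (entropy exactly 5.0), and a repetitive string
# that must not fire.
SAMPLE_SOURCE = """\
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
api_token = "kF9sPq2LxR7mZ1vT4bNc8hWy3Ju5Gd0E"
banner = "passwordpasswordpassword"
"""


def shannon_entropy(s: str) -> float:
    """Bits per character: -sum(p * log2 p) over the string's symbol frequencies."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan(source: str) -> list[dict]:
    """Return findings as dicts with rule name, line number and matched string.

    Pattern rules run first; entropy scoring then covers the remaining
    base64/hex-looking runs so a string is reported at most once per line.
    """
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        seen = set()
        for rule, rx in PATTERN_RULES.items():
            for m in rx.finditer(line):
                findings.append({"rule": rule, "line": lineno, "match": m.group(0)})
                seen.add(m.group(0))
        for rx, threshold, rule in ((HEX_RUN, HEX_THRESHOLD, "high_entropy_hex"),
                                    (BASE64_RUN, BASE64_THRESHOLD, "high_entropy_base64")):
            for m in rx.finditer(line):
                s = m.group(0)
                if s not in seen and shannon_entropy(s) >= threshold:
                    findings.append({"rule": rule, "line": lineno, "match": s})
                    seen.add(s)
    return findings
```

Running `scan(SAMPLE_SOURCE)` reports the key ID on line 1 and the distinct-character token on line 2; the repetitive string on line 3 scores 2.75 bits/char and is left alone.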
Detected secret types include:
- AWS credentials (Access Key, Secret Key, Session Token)
- GitHub/GitLab tokens
- Stripe, Twilio API keys
- JWT tokens, OAuth tokens
- Database passwords
- SSH/RSA/EC private keys
- Azure, GCP service account keys
- High-entropy Base64/Hex strings
Live verification against actual providers:
- AWS STS (token validation)
- GitHub API (token scopes)
- GitLab API (token validation)
Usage:
vulnera secrets . # Basic scan
vulnera secrets . --baseline # Differential scanning
vulnera secrets . --save-baseline # Create baseline
vulnera secrets . --only-new # Show only new secrets

AGPL-3.0-or-later. See LICENSE for details.