Secret detection

Every av sast scan hunts for hard-coded secrets - API keys, access keys, private keys, passwords, tokens - and tiers what it finds RED, YELLOW or GREEN like every other finding.

More than one scanner in the series looks for secrets:

  • A dedicated secret scanner walks the working tree in directory mode - the files as they exist on disk at the scan path.
  • The infrastructure scanner runs its secret checks alongside its misconfiguration checks in the same filesystem pass.

Both run locally as separate, checksum-verified subprocesses; your source never leaves the machine. See Code scanning (SAST) for how the scan series is downloaded, pinned and cached.

On the Code Scan page a finding lands in the Secrets category when:

  • it came from the dedicated secret scanner - always treated as a secret, or
  • its rule or message matches a credential pattern (secret, credential, API key, access key, private key, password, token) - so a code-scanner hit on a hard-coded password buckets as a secret too.

Secret findings use the same SARIF-to-tier mapping as all SAST findings: a security-severity score of 7.0 or higher is RED and 4.0 or higher is YELLOW; when a result carries no score, SARIF level error maps to RED and warning to YELLOW. The score, when present, takes precedence over the level. The full mapping is on Code scanning (SAST).
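The bucketing and tiering rules above, applied to a SARIF file, as an added example written for this page rather than the scanner's own code. The tool names (secret-scanner, code-scanner, infra-scanner), the sample SARIF and the rule identifiers in it are constructed for illustration; the page does not name the scanners or their rules. Two details are assumptions because the page does not state them: a score below 4.0 or a level other than error/warning is treated as GREEN, and a security-severity on the result is preferred over one on its rule.

```python
import re
from typing import Optional

# Hypothetical driver name for the dedicated secret scanner (assumption).
SECRET_SCANNER_TOOL = "secret-scanner"

# Credential words from the page; hits on the rule or message bucket as Secrets.
CREDENTIAL_PATTERN = re.compile(
    r"secret|credential|api[ _-]?key|access[ _-]?key|private[ _-]?key|password|token",
    re.IGNORECASE,
)

TIER_RANK = {"GREEN": 0, "YELLOW": 1, "RED": 2}


def tier_for(score: Optional[float], level: Optional[str]) -> str:
    """Score first (>=7.0 RED, >=4.0 YELLOW); fall back to SARIF level only without a score."""
    if score is not None:
        if score >= 7.0:
            return "RED"
        if score >= 4.0:
            return "YELLOW"
        return "GREEN"  # assumption: below 4.0 is GREEN
    if level == "error":
        return "RED"
    if level == "warning":
        return "YELLOW"
    return "GREEN"  # assumption: note/none/missing level is GREEN


def security_severity(result: dict, rule: dict) -> Optional[float]:
    """Read security-severity from the result, then from its rule (assumed precedence)."""
    for props in (result.get("properties", {}), rule.get("properties", {})):
        if "security-severity" in props:
            return float(props["security-severity"])
    return None


def is_secret(result: dict, rule: dict, tool_name: str) -> bool:
    """Dedicated-scanner hits are always secrets; others match on rule id, rule text or message."""
    if tool_name == SECRET_SCANNER_TOOL:
        return True
    text = " ".join([
        result.get("ruleId", ""),
        rule.get("shortDescription", {}).get("text", ""),
        result.get("message", {}).get("text", ""),
    ])
    return CREDENTIAL_PATTERN.search(text) is not None


def classify(sarif: dict) -> list:
    """Return one {tool, ruleId, tier, category} record per SARIF result."""
    findings = []
    for run in sarif.get("runs", []):
        driver = run["tool"]["driver"]
        rules = {r["id"]: r for r in driver.get("rules", [])}
        for res in run.get("results", []):
            rule = rules.get(res.get("ruleId"), {})
            findings.append({
                "tool": driver["name"],
                "ruleId": res.get("ruleId"),
                "tier": tier_for(security_severity(res, rule), res.get("level")),
                "category": "Secrets" if is_secret(res, rule, driver["name"]) else "Other",
            })
    return findings


def should_fail(findings: list, fail_on: str = "red") -> bool:
    """Build gate: True if any finding is at or above the fail_on tier."""
    threshold = TIER_RANK[fail_on.upper()]
    return any(TIER_RANK[f["tier"]] >= threshold for f in findings)


# Constructed SARIF covering each path: dedicated scanner, pattern match on a
# code-scanner rule, pattern match on an infra-scanner rule, and non-secret findings.
SAMPLE_SARIF = {
    "runs": [
        {"tool": {"driver": {"name": "secret-scanner", "rules": [
            {"id": "aws-access-key-id", "properties": {"security-severity": "8.0"}}]}},
         "results": [{"ruleId": "aws-access-key-id", "level": "warning",
                      "message": {"text": "AWS Access Key ID found"}}]},
        {"tool": {"driver": {"name": "code-scanner", "rules": [
            {"id": "hardcoded-password"},
            {"id": "sql-injection", "properties": {"security-severity": "9.0"}},
            {"id": "weak-hash", "properties": {"security-severity": "5.5"}}]}},
         "results": [
            {"ruleId": "hardcoded-password", "level": "warning",
             "message": {"text": "Hard-coded password in config loader"}},
            {"ruleId": "sql-injection", "level": "error",
             "message": {"text": "Unsanitized input reaches SQL query"}},
            {"ruleId": "weak-hash", "level": "note",
             "message": {"text": "MD5 used for hashing"}}]},
        {"tool": {"driver": {"name": "infra-scanner", "rules": [
            {"id": "tf-secret-in-variable"}, {"id": "s3-public-read"}]}},
         "results": [
            {"ruleId": "tf-secret-in-variable", "level": "error",
             "message": {"text": "Hard-coded secret in variable default"}},
            {"ruleId": "s3-public-read", "level": "error",
             "message": {"text": "Bucket ACL allows public read"}}]},
    ]
}

if __name__ == "__main__":
    found = classify(SAMPLE_SARIF)
    for f in found:
        print(f"{f['tier']:6} {f['category']:7} {f['tool']}/{f['ruleId']}")
    print("fail build:", should_fail(found, "red"))
```

Note that the hard-coded password from the code scanner tiers YELLOW (no score, level warning) yet still buckets as a secret, and the infra scanner's secret check lands in the same category via the pattern match; the gate fails on the RED findings regardless of category.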

Run the full scan series in your pipeline and fail the build on any RED finding. Secret findings are tiered alongside every other finding, so one gate covers a leaked credential and everything else the series detects:

av sast scan --path . --fail-on red