Plaintext Secrets module
Polyglot source code scanner that detects hardcoded secrets, API keys, and credentials across all your projects.
The plaintext secrets module scans source code across all projects in your workspace to detect hardcoded secrets — API keys, database credentials, tokens, and private keys that should never be committed.
How it works
Point the scanner at one or more root directories (e.g. ~/Code). It walks every source file, skipping generated and vendored directories (node_modules, target/, .venv, dist/, and the like), matches each line against 53 secret detection patterns, and optionally runs Shannon entropy analysis to catch credential formats that no pattern describes.
Results are persisted in a dedicated SQLite database. Each finding tracks the file, line, column, pattern that matched, severity, and temporal metadata — when the secret was first detected, when it was last seen, and whether it’s still present.
Supported languages and bundlers
| Ecosystem | Scanned files |
|---|---|
| JavaScript | .ts, .js, .tsx, .jsx, .env*, .npmrc |
| Rust | .rs, .toml, Cargo.toml |
| Python | .py, .cfg, .ini, .env* |
| Go | .go, .yaml, .yml, .env* |
| Config | .json, .yaml, .yml, .toml, .properties |
Bundler-specific patterns detect tokens in .npmrc, bunfig.toml, Cargo registry config, PyPI tokens, and Docker registry credentials.
Pattern categories
- Cloud — AWS access/secret keys, GCP service accounts and API keys, Azure connection strings, Cloudflare, Fly.io, DigitalOcean
- SCM — GitHub PATs (classic and fine-grained), GitLab PATs, Bitbucket app passwords
- Payments — Stripe secret/publishable/webhook keys, PayPal client secrets
- Database — Connection strings with credentials (Postgres, MongoDB, Redis, MySQL), Turso, Supabase, Firebase
- Messaging — Slack bot/user/app tokens, Discord tokens, Twilio, SendGrid
- Crypto — PEM private keys (RSA, EC, PKCS8), JWTs, PGP/SSH private keys
- Generic — Password assignments, API key assignments, bearer tokens, basic auth headers
- Bundler — npm auth tokens, Cargo registry tokens, PyPI API tokens, Docker registry passwords
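The walk, match and persist flow described under How it works, together with a representative pattern from several of the categories above, as an added example written for this page (not the module's own implementation). The five patterns, the SQLite schema, the severity labels and the workspace it builds in a temp directory are all assumptions chosen to illustrate the text; the module's real 53 rules are not reproduced here.

```python
"""Toy scanner: walk a workspace, skip generated/vendored dirs, match a few
representative patterns, and persist findings with temporal state in SQLite.
Added example, not the module's implementation; patterns and schema are assumed."""
import hashlib
import os
import re
import sqlite3
import tempfile

# Representative patterns, one per category (assumed shapes, not the module's 53 rules).
PATTERNS = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b"), "high"),
    ("github-pat-classic", re.compile(r"\bghp_[A-Za-z0-9]{36}\b"), "high"),
    ("stripe-secret-key", re.compile(r"\bsk_(?:live|test)_[0-9A-Za-z]{24,}\b"), "high"),
    ("pem-private-key", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |PGP )?PRIVATE KEY-----"), "critical"),
    ("generic-password", re.compile(r"""(?i)\bpassword\s*[:=]\s*['"]([^'"]{8,})['"]"""), "medium"),
]
SKIP_DIRS = {"node_modules", "target", ".venv", "dist", "build", ".git"}


def scan_tree(root):
    """One finding per match: relative '/'-separated path, 1-based line and column, pattern, severity, value."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = sorted(d for d in dirnames if d not in SKIP_DIRS)  # prune generated dirs in place
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8") as fh:
                    lines = fh.read().splitlines()
            except (UnicodeDecodeError, OSError):
                continue  # binary or unreadable: not source
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            for lineno, line in enumerate(lines, 1):
                for pattern_id, rx, severity in PATTERNS:
                    for m in rx.finditer(line):
                        findings.append({
                            "path": rel, "line": lineno, "column": m.start() + 1,
                            "pattern": pattern_id, "severity": severity,
                            "value": m.group(1) if m.groups() else m.group(0),
                        })
    return findings


SCHEMA = """CREATE TABLE IF NOT EXISTS findings (
    path TEXT, pattern TEXT, value_sha256 TEXT, line INTEGER, col INTEGER, severity TEXT,
    first_seen INTEGER, last_seen INTEGER, present INTEGER,
    PRIMARY KEY (path, pattern, value_sha256))"""


def persist(conn, findings, scan_id):
    """Upsert this scan's findings: first_seen is kept, last_seen advances, and anything
    not seen in this scan is marked present=0 rather than deleted, so history survives."""
    conn.execute(SCHEMA)
    conn.execute("UPDATE findings SET present = 0")
    for f in findings:
        digest = hashlib.sha256(f["value"].encode()).hexdigest()  # the DB keeps a hash, not the secret
        conn.execute(
            """INSERT INTO findings VALUES (?, ?, ?, ?, ?, ?, ?, ?, 1)
               ON CONFLICT(path, pattern, value_sha256) DO UPDATE SET
               line = excluded.line, col = excluded.col, last_seen = excluded.last_seen, present = 1""",
            (f["path"], f["pattern"], digest, f["line"], f["column"], f["severity"], scan_id, scan_id),
        )
    conn.commit()


def finding_status(conn):
    """(path, pattern) -> (first_seen, last_seen, present)."""
    rows = conn.execute("SELECT path, pattern, first_seen, last_seen, present FROM findings")
    return {(p, pat): (first, last, present) for p, pat, first, last, present in rows}


def demo():
    """Constructed workspace: a real-looking key in app/, a token under node_modules (skipped),
    then a second scan after the key has been moved to the environment."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "app"))
    os.makedirs(os.path.join(root, "node_modules", "dep"))
    settings = os.path.join(root, "app", "settings.py")
    with open(settings, "w") as fh:
        fh.write('AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\nPASSWORD = "hunter2-but-longer"\n')
    with open(os.path.join(root, "node_modules", "dep", "index.js"), "w") as fh:
        fh.write('const token = "ghp_0123456789abcdefghijklmnopqrstuvwxyz";\n')
    conn = sqlite3.connect(":memory:")
    first_scan = scan_tree(root)
    persist(conn, first_scan, scan_id=1)
    with open(settings, "w") as fh:  # remediation: key read from the environment, password left behind
        fh.write('AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]\nPASSWORD = "hunter2-but-longer"\n')
    persist(conn, scan_tree(root), scan_id=2)
    return first_scan, finding_status(conn)


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Two details matter in practice: pruning `dirnames` in place is what keeps os.walk out of node_modules rather than filtering results afterwards, and the database row carries only a SHA-256 of the value, so the findings store itself does not become a second copy of every secret it found.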
Extraction modes
The standalone JSON index can be configured with three extraction modes:
| Mode | Stores | Use case |
|---|---|---|
| key-only | Key name only | Auditing without exposure risk |
| key-obfuscated | Key name + masked value | Triage with partial visibility |
| key-raw | Key name + full value | Remediation workflows |
Because key-raw writes the full secret value into the index, treat that file as a secret in its own right: keep it out of version control and restrict who can read it.
Cross-reference engine
When the same secret value appears in multiple files or projects, the scanner groups them by SHA-256 hash. The dashboard highlights shared secrets so you can see which projects share credentials and prioritize rotation.
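The three extraction modes and the hash-based grouping described here, as an added example written for this page (not the module's implementation). The masking scheme, the record layout, and the assumption that every mode keeps a SHA-256 of the value so cross-referencing still works in key-only mode are all choices made for illustration; the findings are constructed.

```python
"""Extraction modes and cross-reference grouping (added example, not the module's
implementation). The masking scheme and the record layout are assumptions."""
import hashlib
from collections import defaultdict

MASK_WIDTH = 8  # assumed: fixed-width mask so the obfuscated form leaks neither tail nor length


def sha256_hex(value):
    return hashlib.sha256(value.encode()).hexdigest()


def mask_value(value, reveal=4):
    """Show a short prefix (enough to recognise the key type, e.g. 'sk_t' or 'AKIA'), hide the rest."""
    if len(value) <= reveal * 2:
        return "*" * MASK_WIDTH
    return value[:reveal] + "*" * MASK_WIDTH


def extract(key, value, mode):
    """Build the index record for one finding. Every mode keeps the hash (assumed), so
    cross-referencing still works even when the value itself is withheld."""
    record = {"key": key, "value_sha256": sha256_hex(value)}
    if mode == "key-only":
        return record
    if mode == "key-obfuscated":
        return {**record, "value": mask_value(value)}
    if mode == "key-raw":
        return {**record, "value": value}
    raise ValueError(f"unknown extraction mode: {mode}")


def cross_reference(findings):
    """digest -> sorted (project, path) pairs, kept only when more than one project shares the value."""
    by_digest = defaultdict(list)
    for f in findings:
        by_digest[sha256_hex(f["value"])].append((f["project"], f["path"]))
    return {d: sorted(locs) for d, locs in by_digest.items() if len({p for p, _ in locs}) > 1}


# Constructed findings: one key copied into two projects, one key unique to a project.
FINDINGS = [
    {"project": "billing-api", "path": ".env", "key": "STRIPE_SECRET_KEY",
     "value": "sk_test_CONSTRUCTEDEXAMPLE000000001"},
    {"project": "mobile-app", "path": "src/config.ts", "key": "STRIPE_KEY",
     "value": "sk_test_CONSTRUCTEDEXAMPLE000000001"},
    {"project": "mobile-app", "path": ".env.local", "key": "SENDGRID_API_KEY",
     "value": "SG.constructedExampleOnly.abcdefghijklmnopqrstuvwxyz"},
]


def shared_secret_report(findings, mode="key-obfuscated"):
    """What a dashboard would show per shared secret: the projects involved and the
    index record in the chosen mode, so triage never needs the raw value."""
    report = []
    for digest, locs in cross_reference(findings).items():
        sample = next(f for f in findings if sha256_hex(f["value"]) == digest)
        report.append({
            "digest": digest[:12],
            "projects": sorted({p for p, _ in locs}),
            "locations": locs,
            "record": extract(sample["key"], sample["value"], mode),
        })
    return report


if __name__ == "__main__":
    for entry in shared_secret_report(FINDINGS):
        print(entry)
```

Grouping on the hash rather than the value means the same report can be produced from a key-only index; the raw value is only needed at the moment of rotation.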
Entropy detection
Beyond pattern matching, the scanner uses Shannon entropy analysis to flag high-entropy strings that may be credentials in a format no pattern covers. The threshold (default 4.5 bits per character) and minimum length (default 20 characters) are configurable, and UUIDs, URLs, commit hashes, and long base64 payloads are excluded automatically, since they score high on entropy without being secrets.
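The entropy screen with the listed exclusions, as an added example written for this page (not the module's code). The candidate tokenizer, the exact exclusion regexes and the sample lines are assumptions; the default threshold and minimum length follow the text.

```python
"""Shannon entropy screening with exclusions (added example, not the module's code).
Tokenizer and exclusion regexes are assumed; threshold and min length follow the docs."""
import math
import re
from collections import Counter

DEFAULT_THRESHOLD = 4.5    # bits per character
DEFAULT_MIN_LENGTH = 20

# Candidate tokens: runs of characters typical of keys and tokens (assumed tokenizer).
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=_\-:.]{20,}")
# Exclusions: strings that look random but are not credentials.
UUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)
URL_RE = re.compile(r"^[a-z][a-z0-9+.\-]*://", re.I)
COMMIT_RE = re.compile(r"^(?:[0-9a-f]{40}|[0-9a-f]{64})$", re.I)   # git SHA-1 / SHA-256 object ids
LONG_B64_RE = re.compile(r"^[A-Za-z0-9+/]{64,}={0,2}$")            # embedded certs, images, etc.


def shannon_entropy(s):
    """H = -sum(p * log2 p) over the character distribution of s, in bits per character."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def is_excluded(token):
    return any(rx.match(token) for rx in (UUID_RE, URL_RE, COMMIT_RE, LONG_B64_RE))


def high_entropy_strings(line, threshold=DEFAULT_THRESHOLD, min_length=DEFAULT_MIN_LENGTH):
    """(token, entropy) for each candidate in `line` that clears the threshold and is not excluded."""
    hits = []
    for m in TOKEN_RE.finditer(line):
        tok = m.group(0)
        if len(tok) < min_length or is_excluded(tok):
            continue
        h = shannon_entropy(tok)
        if h >= threshold:
            hits.append((tok, round(h, 2)))
    return hits


# Constructed sample: one genuine-looking secret among the usual false-positive shapes.
SAMPLE_LINES = [
    'SESSION_SECRET = "aB3dE5fG7hI9jK1lM2nO4pQ6rS8tU0vW"',             # 32 distinct chars: 5.0 bits
    'request_id = "123e4567-e89b-12d3-a456-426614174000"',            # UUID: excluded
    'pinned_commit = "da39a3ee5e6b4b0d3255bfef95601890afd80709"',     # git SHA-1: excluded
    'HEALTHCHECK_URL = "https://status.example.com/api/v1/health"',  # URL: excluded
    'BANNER = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"',                     # long but 0.0 bits
]


def scan_lines(lines, **kwargs):
    """(line number, token, entropy) for every hit across the given lines."""
    return [(i, tok, h) for i, line in enumerate(lines, 1)
            for tok, h in high_entropy_strings(line, **kwargs)]


if __name__ == "__main__":
    for hit in scan_lines(SAMPLE_LINES):
        print(hit)
```

Run the exclusions before computing entropy, not after: a UUID or a SHA-1 will clear a 4.5-bit threshold comfortably, so filtering on shape first is what keeps the entropy pass from drowning real findings in identifiers.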
API endpoints
| Endpoint | Method | Returns |
|---|---|---|
| /api/modules/plaintext-secrets/findings | GET | Paginated findings with filters |
| /api/modules/plaintext-secrets/findings/{id} | GET | Single finding with cross-references |
| /api/modules/plaintext-secrets/findings/{id} | POST | Suppress a finding |
| /api/modules/plaintext-secrets/scans | GET | Scan history |
| /api/modules/plaintext-secrets/scan | POST | Trigger a new scan |
Integration events
The module emits events via the shared ModuleEventBus:
- secret:detected: fired for each new finding during a scan
- cuitty.plaintext-secrets.scan-completed: fired when a scan finishes, with summary stats