{
  "slug": "modules/plaintext-secrets",
  "title": "Plaintext Secrets module",
  "description": "Polyglot source code scanner that detects hardcoded secrets, API keys, and credentials across all your projects.",
  "url": "https://cuitty.com/docs/modules/plaintext-secrets",
  "markdown_url": "https://cuitty.com/docs/modules/plaintext-secrets.md",
  "json_url": "https://cuitty.com/docs/modules/plaintext-secrets.json",
  "frontmatter": {
    "title": "Plaintext Secrets module",
    "description": "Polyglot source code scanner that detects hardcoded secrets, API keys, and credentials across all your projects.",
    "order": 14,
    "section": "Modules",
    "updatedAt": "2026-05-12"
  },
  "headings": [
    {
      "depth": 1,
      "slug": "plaintext-secrets-module",
      "text": "Plaintext Secrets module"
    },
    {
      "depth": 2,
      "slug": "how-it-works",
      "text": "How it works"
    },
    {
      "depth": 2,
      "slug": "supported-languages-and-bundlers",
      "text": "Supported languages and bundlers"
    },
    {
      "depth": 2,
      "slug": "pattern-categories",
      "text": "Pattern categories"
    },
    {
      "depth": 2,
      "slug": "extraction-modes",
      "text": "Extraction modes"
    },
    {
      "depth": 2,
      "slug": "cross-reference-engine",
      "text": "Cross-reference engine"
    },
    {
      "depth": 2,
      "slug": "entropy-detection",
      "text": "Entropy detection"
    },
    {
      "depth": 2,
      "slug": "api-endpoints",
      "text": "API endpoints"
    },
    {
      "depth": 2,
      "slug": "integration-events",
      "text": "Integration events"
    }
  ],
  "body_markdown": "# Plaintext Secrets module\n\nThe plaintext secrets module scans source code across all projects in your workspace to detect hardcoded secrets — API keys, database credentials, tokens, and private keys that should never be committed.\n\n## How it works\n\nPoint the scanner at one or more root directories (e.g. `~/Code`). It walks every file that isn't generated (skipping `node_modules`, `target/`, `.venv`, `dist/`, etc.), matches against 53 secret detection patterns, and optionally runs Shannon entropy analysis to catch novel credential formats.\n\nResults are persisted in a dedicated SQLite database. Each finding tracks the file, line, column, pattern that matched, severity, and temporal metadata — when the secret was first detected, when it was last seen, and whether it's still present.\n\n## Supported languages and bundlers\n\n| Ecosystem  | Scanned files                                   |\n| ---------- | ----------------------------------------------- |\n| JavaScript | `.ts`, `.js`, `.tsx`, `.jsx`, `.env*`, `.npmrc`  |\n| Rust       | `.rs`, `.toml`, `Cargo.toml`                    |\n| Python     | `.py`, `.cfg`, `.ini`, `.env*`                   |\n| Go         | `.go`, `.yaml`, `.yml`, `.env*`                  |\n| Config     | `.json`, `.yaml`, `.yml`, `.toml`, `.properties` |\n\nBundler-specific patterns detect tokens in `.npmrc`, `bunfig.toml`, `Cargo` registry config, PyPI tokens, and Docker registry credentials.\n\n## Pattern categories\n\n- **Cloud** — AWS access/secret keys, GCP service accounts and API keys, Azure connection strings, Cloudflare, Fly.io, DigitalOcean\n- **SCM** — GitHub PATs (classic and fine-grained), GitLab PATs, Bitbucket app passwords\n- **Payments** — Stripe secret/publishable/webhook keys, PayPal client secrets\n- **Database** — Connection strings with credentials (Postgres, MongoDB, Redis, MySQL), Turso, Supabase, Firebase\n- **Messaging** — Slack bot/user/app tokens, Discord tokens, Twilio, SendGrid\n- 
**Crypto** — PEM private keys (RSA, EC, PKCS8), JWTs, PGP/SSH private keys\n- **Generic** — Password assignments, API key assignments, bearer tokens, basic auth headers\n- **Bundler** — npm auth tokens, Cargo registry tokens, PyPI API tokens, Docker registry passwords\n\n## Extraction modes\n\nThe standalone JSON index can be configured with three extraction modes:\n\n| Mode             | Stores                    | Use case                           |\n| ---------------- | ------------------------- | ---------------------------------- |\n| `key-only`       | Key name only             | Auditing without exposure risk     |\n| `key-obfuscated` | Key name + masked value   | Triage with partial visibility     |\n| `key-raw`        | Key name + full value     | Remediation workflows              |\n\nBecause `key-raw` writes the full secret values into the index, that file is itself sensitive: restrict access to it and keep it out of version control.\n\n## Cross-reference engine\n\nWhen the same secret value appears in multiple files or projects, the scanner groups those occurrences by the SHA-256 hash of the value. The dashboard highlights shared secrets so you can see which projects share credentials and prioritize rotation.\n\n## Entropy detection\n\n
Beyond pattern matching, the scanner uses Shannon entropy analysis to flag high-entropy strings that may be novel credential formats. The threshold (default 4.5 bits per character) and minimum string length (default 20 characters) are configurable; UUIDs, URLs, commit hashes, and long base64 payloads are excluded automatically to reduce false positives.\n\n## API endpoints\n\n| Endpoint                                                   | Method | Returns                              |\n| ---------------------------------------------------------- | ------ | ------------------------------------ |\n| `/api/modules/plaintext-secrets/findings`                  | GET    | Paginated findings with filters      |\n| `/api/modules/plaintext-secrets/findings/{id}`             | GET    | Single finding with cross-references |\n| `/api/modules/plaintext-secrets/findings/{id}`             | POST   | Suppress a finding                   |\n| `/api/modules/plaintext-secrets/scans`                     | GET    | Scan history                         |\n| `/api/modules/plaintext-secrets/scan`                      | POST   | Trigger a new scan                   |\n\n## Integration events\n\nThe module emits events via the shared `ModuleEventBus`:\n\n- `secret:detected` — fired for each new finding during a scan\n- `cuitty.plaintext-secrets.scan-completed` — fired when a scan finishes, with summary stats",
  "body_html": "<h1 id=\"plaintext-secrets-module\">Plaintext Secrets module</h1>\n<p>The plaintext secrets module scans source code across all projects in your workspace to detect hardcoded secrets — API keys, database credentials, tokens, and private keys that should never be committed.</p>\n<h2 id=\"how-it-works\">How it works</h2>\n<p>Point the scanner at one or more root directories (e.g. <code>~/Code</code>). It walks every file that isn’t generated (skipping <code>node_modules</code>, <code>target/</code>, <code>.venv</code>, <code>dist/</code>, etc.), matches against 53 secret detection patterns, and optionally runs Shannon entropy analysis to catch novel credential formats.</p>\n<p>Results are persisted in a dedicated SQLite database. Each finding tracks the file, line, column, pattern that matched, severity, and temporal metadata — when the secret was first detected, when it was last seen, and whether it’s still present.</p>\n<h2 id=\"supported-languages-and-bundlers\">Supported languages and bundlers</h2>\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n<table><thead><tr><th>Ecosystem</th><th>Scanned files</th></tr></thead><tbody><tr><td>JavaScript</td><td><code>.ts</code>, <code>.js</code>, <code>.tsx</code>, <code>.jsx</code>, <code>.env*</code>, <code>.npmrc</code></td></tr><tr><td>Rust</td><td><code>.rs</code>, <code>.toml</code>, <code>Cargo.toml</code></td></tr><tr><td>Python</td><td><code>.py</code>, <code>.cfg</code>, <code>.ini</code>, <code>.env*</code></td></tr><tr><td>Go</td><td><code>.go</code>, <code>.yaml</code>, <code>.yml</code>, <code>.env*</code></td></tr><tr><td>Config</td><td><code>.json</code>, <code>.yaml</code>, <code>.yml</code>, <code>.toml</code>, <code>.properties</code></td></tr></tbody></table>\n<p>Bundler-specific patterns detect tokens in <code>.npmrc</code>, <code>bunfig.toml</code>, <code>Cargo</code> registry config, PyPI tokens, and Docker registry credentials.</p>\n<h2 id=\"pattern-categories\">Pattern 
categories</h2>\n<ul>\n<li><strong>Cloud</strong> — AWS access/secret keys, GCP service accounts and API keys, Azure connection strings, Cloudflare, Fly.io, DigitalOcean</li>\n<li><strong>SCM</strong> — GitHub PATs (classic and fine-grained), GitLab PATs, Bitbucket app passwords</li>\n<li><strong>Payments</strong> — Stripe secret/publishable/webhook keys, PayPal client secrets</li>\n<li><strong>Database</strong> — Connection strings with credentials (Postgres, MongoDB, Redis, MySQL), Turso, Supabase, Firebase</li>\n<li><strong>Messaging</strong> — Slack bot/user/app tokens, Discord tokens, Twilio, SendGrid</li>\n<li><strong>Crypto</strong> — PEM private keys (RSA, EC, PKCS8), JWTs, PGP/SSH private keys</li>\n<li><strong>Generic</strong> — Password assignments, API key assignments, bearer tokens, basic auth headers</li>\n<li><strong>Bundler</strong> — npm auth tokens, Cargo registry tokens, PyPI API tokens, Docker registry passwords</li>\n</ul>\n<h2 id=\"extraction-modes\">Extraction modes</h2>\n<p>The standalone JSON index can be configured with three extraction modes:</p>\n<table><thead><tr><th>Mode</th><th>Stores</th><th>Use case</th></tr></thead><tbody><tr><td><code>key-only</code></td><td>Key name only</td><td>Auditing without exposure risk</td></tr><tr><td><code>key-obfuscated</code></td><td>Key name + masked value</td><td>Triage with partial visibility</td></tr><tr><td><code>key-raw</code></td><td>Key name + full value</td><td>Remediation workflows</td></tr></tbody></table>\n<p>Because <code>key-raw</code> writes the full secret values into the index, that file is itself sensitive: restrict access to it and keep it out of version control.</p>\n
<h2 id=\"cross-reference-engine\">Cross-reference engine</h2>\n<p>When the same secret value appears in multiple files or projects, the scanner groups those occurrences by the SHA-256 hash of the value. The dashboard highlights shared secrets so you can see which projects share credentials and prioritize rotation.</p>\n<h2 id=\"entropy-detection\">Entropy detection</h2>\n<p>Beyond pattern matching, the scanner uses Shannon entropy analysis to flag high-entropy strings that may be novel credential formats. The threshold (default 4.5 bits per character) and minimum string length (default 20 characters) are configurable; UUIDs, URLs, commit hashes, and long base64 payloads are excluded automatically to reduce false positives.</p>\n<h2 id=\"api-endpoints\">API endpoints</h2>\n<table><thead><tr><th>Endpoint</th><th>Method</th><th>Returns</th></tr></thead><tbody><tr><td><code>/api/modules/plaintext-secrets/findings</code></td><td>GET</td><td>Paginated findings with filters</td></tr><tr><td><code>/api/modules/plaintext-secrets/findings/{id}</code></td><td>GET</td><td>Single finding with cross-references</td></tr><tr><td><code>/api/modules/plaintext-secrets/findings/{id}</code></td><td>POST</td><td>Suppress a finding</td></tr><tr><td><code>/api/modules/plaintext-secrets/scans</code></td><td>GET</td><td>Scan history</td></tr><tr><td><code>/api/modules/plaintext-secrets/scan</code></td><td>POST</td><td>Trigger a new scan</td></tr></tbody></table>\n<h2 id=\"integration-events\">Integration events</h2>\n<p>The module emits events via the shared <code>ModuleEventBus</code>:</p>\n<ul>\n<li><code>secret:detected</code> — fired for each new finding during a scan</li>\n<li><code>cuitty.plaintext-secrets.scan-completed</code> — fired when a scan finishes, with summary stats</li>\n</ul>",
  "links_out": []
}
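Worked example for the Entropy detection, Cross-reference engine and Extraction modes sections of the body above. This is an added illustration written for this page, not code from the module or from cuitty: the 4.5-bit threshold and 20-character minimum are the documented defaults, while the token grammar, the assignment-key regex, the concrete regexes behind the UUID, commit-hash, base64 and URL exclusions (including the 200-character base64 cap), the `key-obfuscated` mask format and the sample files are all assumptions made for the example.

```python
"""Added illustration for the entropy pass, SHA-256 cross-referencing and the
extraction modes described on this page; not the module's own code. Threshold and
minimum length are the documented defaults; everything else is an assumption."""
import base64
import hashlib
import math
import re
from collections import defaultdict

ENTROPY_THRESHOLD = 4.5  # bits per character (documented default)
MIN_LENGTH = 20          # characters (documented default)

TOKEN_RE = re.compile(r"[A-Za-z0-9+/_-]{%d,}" % MIN_LENGTH)  # assumed token grammar
KEY_RE = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_.-]*)\s*[:=]")  # `NAME = ...`
URL_RE = re.compile(r"https?://\S+")
# Assumed concrete forms of the page's exclusions, checked before any scoring.
EXCLUSIONS = [
    ("uuid", re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)),
    ("commit-hash", re.compile(r"^(?:[0-9a-f]{40}|[0-9a-f]{64})$", re.I)),
    ("long-base64", re.compile(r"^[A-Za-z0-9+/]{200,}={0,2}$")),  # 200-char cap assumed
]

def shannon_entropy(s: str) -> float:
    """Bits per character; hex tops out at 4.0 and base64 at 6.0, so a 4.5
    threshold mostly flags mixed-case alphanumeric tokens."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def scan_text(path: str, text: str):
    """Return (findings, excluded). Findings carry 1-based line/column, the key
    name when the line is an assignment, the raw value and its entropy."""
    findings, excluded = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        key_match = KEY_RE.match(line)
        key, offset = (key_match.group(1), key_match.end()) if key_match else (None, 0)
        rest = line[offset:]  # score the value side only, never the key name
        url_spans = [(m.start(), m.end()) for m in URL_RE.finditer(rest)]
        for m in TOKEN_RE.finditer(rest):
            token = m.group(0)
            if any(start <= m.start() < end for start, end in url_spans):
                reason = "url"  # the page's URL exclusion: path segments are not scored
            else:
                reason = next((r for r, rx in EXCLUSIONS if rx.match(token)), None)
            if reason:
                excluded.append((path, lineno, reason))
                continue
            entropy = shannon_entropy(token)
            if entropy >= ENTROPY_THRESHOLD:
                findings.append({"path": path, "line": lineno, "col": offset + m.start() + 1,
                                 "key": key, "value": token, "entropy": round(entropy, 3)})
    return findings, excluded

def cross_reference(findings):
    """Group by SHA-256 of the value; only values seen in more than one place are kept."""
    groups = defaultdict(list)
    for f in findings:
        groups[hashlib.sha256(f["value"].encode()).hexdigest()].append(f)
    return {digest: fs for digest, fs in groups.items() if len(fs) > 1}

def export(finding, mode: str):
    """Shape one finding for the JSON index according to the extraction mode."""
    key, value = finding["key"], finding["value"]
    if mode == "key-only":
        return {"key": key}
    if mode == "key-obfuscated":
        return {"key": key, "value": value[:4] + "..." + value[-4:]}  # mask format assumed
    if mode == "key-raw":
        return {"key": key, "value": value}
    raise ValueError(f"unknown extraction mode: {mode}")

LONG_BLOB = base64.b64encode(bytes(range(256))).decode()  # 344-char embedded payload
SAMPLE_FILES = {  # constructed input for this example, not real projects
    "app/config.py": (
        'API_KEY = "Zq8vX3mLp0RtC6yN1bK9wD4hJ7sF2gA5"\n'
        'REQUEST_ID = "123e4567-e89b-12d3-a456-426614174000"\n'
        'BUNDLE_URL = "https://cdn.example.com/build/main.Kx9Qz2Wm7Vp4Rb8Ty3Ln6Jc1Fd5Hg0S.js"\n'
        f'LOGO = "{LONG_BLOB}"\n'
    ),
    "worker/.env": (
        "API_KEY=Zq8vX3mLp0RtC6yN1bK9wD4hJ7sF2gA5\n"
        "GIT_SHA=0123456789abcdef0123456789abcdef01234567\n"
    ),
}

def scan_workspace(files=SAMPLE_FILES):
    """Scan every file and return (findings, excluded, shared-secret groups)."""
    findings, excluded = [], []
    for path, text in files.items():
        found, skipped = scan_text(path, text)
        findings += found
        excluded += skipped
    return findings, excluded, cross_reference(findings)

if __name__ == "__main__":
    findings, excluded, shared = scan_workspace()
    print(findings, excluded, list(shared.values()), sep="\n")
```

Two things the sample makes visible. The 31-character cache-buster inside `BUNDLE_URL` has an entropy above 4.5 and would be reported without the URL exclusion; the same rule also hides tokens embedded in signed URLs, so credentials inside URLs are only caught by pattern rules such as the Database connection-string category. And a purely hexadecimal string can never exceed 4.0 bits per character, so the commit-hash exclusion only changes results if the threshold is lowered below that.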