---
title: Plaintext Secrets module
description: Polyglot source code scanner that detects hardcoded secrets, API keys, and credentials across all your projects.
section: Modules
order: 14
updatedAt: 2026-05-12
slug: modules/plaintext-secrets
---
# Plaintext Secrets module

The plaintext secrets module scans source code across all projects in your workspace to detect hardcoded secrets — API keys, database credentials, tokens, and private keys that should never be committed.

## How it works

Point the scanner at one or more root directories (e.g. `~/Code`). It walks every file that isn't generated (skipping `node_modules`, `target/`, `.venv`, `dist/`, etc.), matches against 53 secret detection patterns, and optionally runs Shannon entropy analysis to catch novel credential formats.

Results are persisted in a dedicated SQLite database. Each finding tracks the file, line, column, pattern that matched, severity, and temporal metadata — when the secret was first detected, when it was last seen, and whether it's still present.

## Supported languages and bundlers

| Ecosystem  | Scanned files                                    |
| ---------- | ------------------------------------------------ |
| JavaScript | `.ts`, `.js`, `.tsx`, `.jsx`, `.env*`, `.npmrc`  |
| Rust       | `.rs`, `.toml`, `Cargo.toml`                     |
| Python     | `.py`, `.cfg`, `.ini`, `.env*`                   |
| Go         | `.go`, `.yaml`, `.yml`, `.env*`                  |
| Config     | `.json`, `.yaml`, `.yml`, `.toml`, `.properties` |

Bundler-specific patterns detect tokens in `.npmrc`, `bunfig.toml`, `Cargo` registry config, PyPI tokens, and Docker registry credentials.

## Pattern categories

- **Cloud** — AWS access/secret keys, GCP service accounts and API keys, Azure connection strings, Cloudflare, Fly.io, DigitalOcean
- **SCM** — GitHub PATs (classic and fine-grained), GitLab PATs, Bitbucket app passwords
- **Payments** — Stripe secret/publishable/webhook keys, PayPal client secrets
- **Database** — Connection strings with credentials (Postgres, MongoDB, Redis, MySQL), Turso, Supabase, Firebase
- **Messaging** — Slack bot/user/app tokens, Discord tokens, Twilio, SendGrid
- **Crypto** — PEM private keys (RSA, EC, PKCS8), JWTs, PGP/SSH private keys
- **Generic** — Password assignments, API key assignments, bearer tokens, basic auth headers
- **Bundler** — npm auth tokens, Cargo registry tokens, PyPI API tokens, Docker registry passwords

## Extraction modes

The standalone JSON index can be configured with three extraction modes:

| Mode             | Stores                    | Use case                           |
| ---------------- | ------------------------- | ---------------------------------- |
| `key-only`       | Key name only             | Auditing without exposure risk     |
| `key-obfuscated` | Key name + masked value   | Triage with partial visibility     |
| `key-raw`        | Key name + full value     | Remediation workflows              |

## Cross-reference engine

When the same secret value appears in multiple files or projects, the scanner groups them by SHA-256 hash. The dashboard highlights shared secrets so you can see which projects share credentials and prioritize rotation.

## Entropy detection

Beyond pattern matching, the scanner uses Shannon entropy analysis to flag high-entropy strings that may be novel credential formats. The entropy threshold (default: 4.5 bits) and minimum string length (default: 20 characters) are configurable, and UUIDs, URLs, commit hashes, and long base64 payloads are excluded automatically.
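As an added illustration (not the module's own code), the entropy pass with the defaults above: a per-character Shannon entropy function, the four exclusion classes, and a line scanner that returns each candidate with its column. The regexes, the tokenizer and the 120-character cut-off for "long base64" are assumptions.

```typescript
// Added example, not the module's code; regexes and the 120-char base64 cut-off are assumptions.
interface EntropyOptions {
  threshold: number;  // minimum bits per character to report
  minLength: number;  // shortest token considered
  longBase64: number; // assumption: base64 runs longer than this are payloads, not keys
}

const DEFAULTS: EntropyOptions = { threshold: 4.5, minLength: 20, longBase64: 120 };
interface EntropyFinding { value: string; column: number; entropy: number; }

// H = -sum(p_i * log2 p_i) over the characters of s, in bits per character. A token of
// length n reaches at most log2(n) bits, so with the defaults nothing shorter than 23 chars passes.
function shannonEntropy(s: string): number {
  const counts: Record<string, number> = {};
  for (const ch of s) counts[ch] = (counts[ch] || 0) + 1;
  let h = 0;
  for (const ch of Object.keys(counts)) {
    const p = counts[ch] / s.length;
    h -= p * (Math.log(p) / Math.LN2);
  }
  return h;
}

const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
const COMMIT_RE = /^([0-9a-f]{40}|[0-9a-f]{64})$/i; // git SHA-1 / SHA-256 object ids
const URL_RE = /^[a-z][a-z0-9+.-]*:\/\//i;          // anything with a scheme, e.g. https://
const BASE64_RE = /^[A-Za-z0-9+/]+={0,2}$/;

// Token classes the page says are dropped before entropy is considered.
function isExcluded(token: string, opts: EntropyOptions = DEFAULTS): boolean {
  if (UUID_RE.test(token) || COMMIT_RE.test(token) || URL_RE.test(token)) return true;
  return token.length > opts.longBase64 && BASE64_RE.test(token);
}

// Split one source line on whitespace, quotes and assignment punctuation, then keep
// tokens that are long enough, not excluded, and at or above the threshold.
function findHighEntropyTokens(line: string, opts: EntropyOptions = DEFAULTS): EntropyFinding[] {
  const findings: EntropyFinding[] = [];
  const tokenRe = /[^\s"'`,;()=]+/g;
  let m: RegExpExecArray | null;
  while ((m = tokenRe.exec(line)) !== null) {
    const value = m[0];
    if (value.length < opts.minLength || isExcluded(value, opts)) continue;
    const entropy = shannonEntropy(value);
    if (entropy >= opts.threshold) findings.push({ value, column: m.index + 1, entropy });
  }
  return findings;
}
```

The sample line in the test is constructed; a 32-character token with no repeated characters scores exactly 5 bits, while a UUID of similar length is dropped before its entropy is even computed.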

## API endpoints

| Endpoint                                                   | Method | Returns                              |
| ---------------------------------------------------------- | ------ | ------------------------------------ |
| `/api/modules/plaintext-secrets/findings`                  | GET    | Paginated findings with filters      |
| `/api/modules/plaintext-secrets/findings/{id}`             | GET    | Single finding with cross-references |
| `/api/modules/plaintext-secrets/findings/{id}`             | POST   | Suppress a finding                   |
| `/api/modules/plaintext-secrets/scans`                     | GET    | Scan history                         |
| `/api/modules/plaintext-secrets/scan`                      | POST   | Trigger a new scan                   |

## Integration events

The module emits events via the shared `ModuleEventBus`:

- `secret:detected` — fired for each new finding during a scan
- `cuitty.plaintext-secrets.scan-completed` — fired when a scan finishes, with summary stats