Syntax

vectra-guard scan-secrets [--path <dir>] [--allowlist <file>]
vg scan-secrets [--path <dir>] [--allowlist <file>]

Description

Scan files for exposed secrets (API keys, tokens, credentials) using two complementary methods: pattern matching against known secret formats, and entropy analysis that flags high-randomness strings which may be credentials even when they match no known format.

Options

--path <dir> (string, default: ".")
    Target directory or file to scan for secrets.

--allowlist <file> (string)
    Path to an allowlist file of known-safe secrets (one value per line; lines starting with # are comments).

Exit Codes

  • 0: No secrets detected
  • 2: Secrets detected (non-zero, so a CI/CD job that runs the scan fails)

Examples

Scan current directory

vg scan-secrets
# Scans all files in current directory

Scan specific directory

vg scan-secrets --path ./src
# Output:
# ⚠ SECRET DETECTED
# File: src/config.js
# Line: 12
# Pattern: aws_access_key
# Match: AKIAIOSFODNN7EXAMPLE
# Severity: high
# Entropy: 3.87

Use allowlist for known-safe values

# Create .vg-allowlist
cat > .vg-allowlist << EOF
# Test secrets (safe to commit)
test-api-key-12345
mock-secret-for-unit-tests
EOF

vg scan-secrets --allowlist .vg-allowlist

CI/CD integration

# .github/workflows/security.yml
name: Security Scan
on: [push, pull_request]
jobs:
  secrets:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Install Vectra Guard
        run: curl -fsSL https://raw.githubusercontent.com/xadnavyaai/vectra-guard/main/install.sh | bash
      - name: Scan for secrets
        run: vg scan-secrets

JSON output for automation

vg --output json scan-secrets | jq '.[] | select(.severity=="critical")'
# Extract only critical secrets

Scan specific file types

# Scan only JavaScript/TypeScript files, one scan per file.
# -print0/-0 keep paths with spaces intact; xargs exits 123 if any
# per-file scan exits with status 2, so the pipeline still fails on a hit.
find . -type f \( -name '*.js' -o -name '*.ts' \) -print0 | xargs -0 -I {} vg scan-secrets --path {}

What It Detects

Pattern-based detection

  • AWS Keys: Access keys, secret keys, session tokens
  • API Keys: Generic API keys, auth tokens
  • Cloud Credentials: GCP, Azure, DigitalOcean tokens
  • Private Keys: RSA, SSH, PGP private keys
  • Database URLs: Connection strings with credentials
  • OAuth Tokens: GitHub, GitLab, Slack tokens
  • JWT Tokens: JSON Web Tokens
  • Passwords: Password strings in various formats

Entropy-based detection

High-entropy strings (randomness analysis) that may be:
  • API keys
  • Secret tokens
  • Encryption keys
  • Session IDs

Allowlist Format

# .vg-allowlist - Known-safe secrets

# Test/mock secrets
test-api-key-12345
mock-secret-for-tests

# Public demo keys (safe)
demo-key-public-example

# Base64 test data
dGVzdC1kYXRhLW5vdC1zZWNyZXQ=

Reducing False Positives

  1. Allowlist: put known-safe values (test fixtures, public demo keys) in the --allowlist file so they are never reported
  2. Comment exclusion: add # vg:ignore-secrets on the line directly above a value to skip that one line
  3. Test files: use clearly non-secret naming such as test-api-key or mock-secret
  4. Environment files: keep real credentials in .env and list .env in .gitignore so they are never committed or scanned
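To make the two detection methods above (pattern matching and entropy analysis) and the two suppression mechanisms (allowlist file and # vg:ignore-secrets) concrete, here is a small reference scanner written for this page. It is an added illustration, not Vectra Guard's own code: the regular expressions, the 4.0 bits-per-character entropy cutoff, the severity labels and the sample input are all assumptions chosen for the example. Only the AKIA prefix of AWS access keys and the AKIAIOSFODNN7EXAMPLE value (AWS's published example key, also used in the output above) are real formats; the exact scoring Vectra Guard applies is not documented on this page.

```python
import math
import re
from dataclasses import dataclass

# Pattern rules (assumed for this example, not the tool's real rule set).
PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "database_url": re.compile(r"\b[a-z]+://[^\s:/]+:[^\s@/]+@[^\s\"']+"),
}
# Candidate tokens for entropy analysis: long runs of base64/hex-like characters.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=_-]{20,}")
ENTROPY_THRESHOLD = 4.0  # bits per character; assumed cutoff, not the tool's documented one
IGNORE_MARKER = "vg:ignore-secrets"


@dataclass
class Finding:
    line: int
    pattern: str
    match: str
    entropy: float
    severity: str


def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits per character (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def load_allowlist(text: str) -> set[str]:
    """Allowlist format: one value per line; blank lines and # comments are ignored."""
    return {ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.strip().startswith("#")}


def scan_text(text: str, allowlist: set[str] = frozenset()) -> list[Finding]:
    """Scan text line by line; pattern hits first, then entropy on remaining tokens."""
    findings: list[Finding] = []
    lines = text.splitlines()
    for idx, line in enumerate(lines, start=1):
        # Comment exclusion: a marker on the line above suppresses this line entirely.
        if idx >= 2 and IGNORE_MARKER in lines[idx - 2]:
            continue
        matched: set[str] = set()
        for name, rx in PATTERNS.items():
            for m in rx.finditer(line):
                value = m.group(0)
                if value in allowlist:
                    continue
                matched.add(value)
                findings.append(Finding(idx, name, value, round(shannon_entropy(value), 2), "high"))
        for m in TOKEN_RE.finditer(line):
            value = m.group(0)
            # Skip allowlisted values and tokens already covered by a pattern hit.
            if value in allowlist or any(value in s or s in value for s in matched):
                continue
            ent = shannon_entropy(value)
            if ent >= ENTROPY_THRESHOLD:
                findings.append(Finding(idx, "high_entropy", value, round(ent, 2), "medium"))
    return findings


def exit_code(findings: list[Finding]) -> int:
    """Mirror the documented exit codes: 0 = clean, 2 = secrets detected."""
    return 2 if findings else 0


# Constructed sample input; none of these values are real credentials.
SAMPLE = """\
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
DATABASE_URL = "postgres://app:hunter2@db.internal:5432/app"
# vg:ignore-secrets
FIXTURE_TOKEN = "zX9qL2mVb8KpR4tWc7YdN3fH6jS0aG5e"
MOCK_TOKEN = "Q7wE3rT9yU1iO5pA2sD4fG6hJ8kL0zXc"
SESSION = "zX9qL2mVb8KpR4tWc7YdN3fH6jS0aG5e"
"""
# Constructed allowlist in the documented format.
ALLOWLIST = """\
# Test/mock secrets (safe to commit)
Q7wE3rT9yU1iO5pA2sD4fG6hJ8kL0zXc
"""


def run_example() -> list[Finding]:
    return scan_text(SAMPLE, load_allowlist(ALLOWLIST))


if __name__ == "__main__":
    results = run_example()
    for f in results:
        print(f"SECRET DETECTED  line {f.line}  pattern {f.pattern}  "
              f"entropy {f.entropy}  severity {f.severity}")
    raise SystemExit(exit_code(results))
```

Of the four candidate values, line 1 is reported by the AWS pattern (its entropy, about 3.68 bits per character, is below the cutoff, which is why format rules matter for structured keys), line 2 by the database-URL pattern, line 4 is skipped because of the marker on line 3, line 5 is suppressed by the allowlist, and only line 6 is caught purely by entropy (32 distinct characters give exactly 5.0 bits per character). The process exits with status 2, the same code the CI/CD job above relies on.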

Related Commands

  • scan-security - Scan code for security issues
  • audit - Full repository audit (includes secrets)