SAST Rules

Secrets / Credentials

Exhaustive, high-fidelity hardcoded-secret detection rules grouped by category.

Vulnetix detects hardcoded credentials, API keys, tokens and private keys across source code, configuration, binaries (via printable-string and EXIF extraction) and full git history. Each rule runs a cheap keyword/prefix prefilter, extracts the candidate token, then applies allowlist and Shannon-entropy filtering to suppress false positives before reporting a SARIF finding.

Categories

Secrets — Cloud Providers
83 rules
Secrets — Source Control & CI/CD
70 rules
Secrets — AI / LLM Providers
72 rules
Secrets — Payment Processors
82 rules
Secrets — Communication & Messaging
79 rules
Secrets — Package Registries
1 rules
Secrets — Monitoring & Observability
45 rules
Secrets — SaaS & Developer APIs
433 rules
Secrets — Database Credentials
49 rules
Secrets — Private Keys & Certificates
14 rules
Secrets — Crypto & Blockchain
78 rules
Secrets — Webhooks & Signed URLs
4 rules
Secrets — Cloud Providers
AWS, Azure, GCP, Alibaba, Oracle, DigitalOcean, IBM and other cloud-provider credential detection rules.
Secrets — Source Control & CI/CD
GitHub, GitLab, Bitbucket, Azure DevOps tokens and CI/CD pipeline credentials.
Secrets — AI / LLM Providers
OpenAI, Anthropic, Google Gemini, Hugging Face, Cohere, Mistral and other AI provider keys.
Secrets — Payment Processors
Stripe, PayPal, Square, Braintree, Adyen and other payment-platform credentials.
Secrets — Communication & Messaging
Slack, Twilio, Discord, Telegram, SendGrid, Mailgun and other messaging credentials.
Secrets — Package Registries
npm, PyPI, RubyGems, NuGet, Artifactory, Crates and other registry tokens.
Secrets — Monitoring & Observability
Datadog, New Relic, Sentry, Grafana, PagerDuty and other observability keys.
Secrets — SaaS & Developer APIs
Atlassian, Notion, Linear, Airtable, Shopify, Figma, Vercel, Netlify and other SaaS tokens.
Secrets — Database Credentials
PostgreSQL, MySQL, MongoDB, Redis and other connection strings with embedded credentials.
Secrets — Private Keys & Certificates
RSA, EC, OpenSSH, PGP, WireGuard, age and other private-key material.
Secrets — Crypto & Blockchain
Ethereum, Bitcoin and other blockchain private keys and wallet credentials.
Secrets — Webhooks & Signed URLs
Slack/Teams/Discord webhook URLs and signed URLs with embedded secrets.