> ## Documentation Index
> Fetch the complete documentation index at: https://docs.corgea.app/llms.txt
> Use this file to discover all available pages before exploring further.

# Secret Scanning

> Detect and secure hardcoded secrets in your codebase

## Overview

Secret scanning is a core capability of Corgea's AI-native SAST that identifies hardcoded credentials, API keys, tokens, and other sensitive information in your codebase. A secret committed to a repository is exposed to everyone with read access and remains in the history even after the line is deleted, so catching it before it is committed or reaches production prevents unauthorized access, data breaches, and compliance violations.

Unlike traditional secret scanners that rely solely on pattern matching, Corgea's secret scanning uses a combination of pattern matching, entropy analysis, and AI-powered contextual understanding to minimize false positives while ensuring comprehensive coverage.

## How It Works

Corgea's secret scanner analyzes your entire codebase to identify potential secrets through multiple techniques:

<Steps>
  <Step title="Pattern Matching">
    Identifies known secret formats using an extensive library of patterns for popular services and platforms.
  </Step>

  <Step title="Entropy Analysis">
    Detects high-entropy strings that may indicate randomly generated keys, tokens, or passwords, catching credentials that no format-specific pattern covers.
  </Step>

  <Step title="Contextual Understanding">
    Uses AI to understand the context around potential secrets, reducing false positives from test data, examples, or placeholders.
  </Step>
</Steps>
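The three techniques above, combined into a small scanner. This is an added illustration written for this page, not Corgea's detector: the pattern set is a tiny subset, the entropy threshold and the placeholder and test-path heuristics are simplifications (Corgea's contextual step uses an AI model, which this stand-in replaces with keyword and path checks), and the sample repository is constructed with made-up values.

```python
"""Toy scanner combining the three techniques above: known-format patterns,
Shannon entropy on credential-like assignments, and a context pass that
demotes placeholders and test fixtures. Added illustration, not Corgea's code."""
from __future__ import annotations
import math
import re
from dataclasses import dataclass

# 1. Pattern matching: a small illustrative subset of known secret formats.
PATTERNS = {
    "AWS Access Key ID": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "GitHub Token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "Stripe Secret Key": re.compile(r"\bsk_(?:live|test)_[0-9a-zA-Z]{24,}\b"),
    "Private Key": re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"),
    # scheme://user:password@host, i.e. a credential inside a connection string
    "Connection String Password": re.compile(
        r"\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?|redis|amqp)://[^:/\s@]+:[^@\s]+@"),
}

# 2. Entropy analysis: a credential-looking name assigned a long literal
#    (quotes optional so that .env and YAML lines also match).
ASSIGNMENT = re.compile(
    r"(?i)\b(\w*(?:secret|token|passw(?:or)?d|api[_-]?key|key)\w*)['\"]?\s*[:=]\s*"
    r"['\"]?([^'\"\s,]{20,})['\"]?")
# bits/char: prose-like values sit near 3-3.8, random base64/alphanumeric values
# of this length above 4. Real scanners tune this per character set.
ENTROPY_THRESHOLD = 4.0

# 3. Context: Corgea uses an AI model here; this stand-in uses crude heuristics.
PLACEHOLDER_WORDS = ("example", "changeme", "placeholder", "dummy", "fake",
                     "your_", "your-", "xxxx")
TEMPLATE_VALUE = re.compile(r"^(?:<[^>]+>|\$\{[^}]+\}|\{\{[^}]+\}\}|%[^%]+%)$")
TEST_PATH = re.compile(r"(?i)(?:^|/)(?:tests?|spec|fixtures?|examples?)/|\.(?:example|sample)$")

@dataclass
class Finding:
    path: str
    line: int
    secret_type: str
    secret: str
    suppressed: bool = False
    reason: str = ""

    def redacted(self) -> str:
        # A scanner must not re-leak the secret in its own output.
        return self.secret[:4] + "..." + self.secret[-2:]

def shannon_entropy(s: str) -> float:
    """Bits per character of the empirical character distribution of s."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in (s.count(ch) for ch in set(s))) if n else 0.0

def context_reason(path: str, value: str) -> str:
    """Why a match looks like non-secret context, or '' if it looks real."""
    low = value.lower()
    if any(w in low for w in PLACEHOLDER_WORDS) or TEMPLATE_VALUE.match(value):
        return "placeholder value"
    if TEST_PATH.search(path):
        return "test fixture or example file"
    return ""

def scan_text(path: str, text: str, include_suppressed: bool = False) -> list[Finding]:
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        hits = [(name, m.group(0)) for name, pat in PATTERNS.items() for m in pat.finditer(line)]
        m = ASSIGNMENT.search(line)
        if m:
            value = m.group(2)
            # Fall back to entropy only when no known format already covers the value.
            if (not any(value in s or s in value for _, s in hits)
                    and shannon_entropy(value) >= ENTROPY_THRESHOLD):
                hits.append(("High-Entropy Credential", value))
        for name, secret in hits:
            reason = context_reason(path, secret)
            f = Finding(path, lineno, name, secret, bool(reason), reason)
            if include_suppressed or not f.suppressed:
                findings.append(f)
    return findings

def scan_files(files: dict[str, str], include_suppressed: bool = False) -> list[Finding]:
    return [f for path, text in files.items() for f in scan_text(path, text, include_suppressed)]

# Constructed sample repository; every credential-looking value is made up.
SAMPLE_FILES = {
    "app/settings.py": (
        'AWS_ACCESS_KEY_ID = "AKIA4XMPL2Q7V9HZT3WB"\n'
        'AWS_SECRET_ACCESS_KEY = "q9Fz2LpR7sVw1HkT4nBx8YcJ0mQe6aUd3GoKi5Zt"\n'
        'DATABASE_URL = "postgres://app:s3cr3t-Pw9@db.internal:5432/app"\n'
        'API_KEY_HEADER = "X-Internal-Api-Key-Header"\n'  # credential-like name, low entropy
    ),
    "ci/deploy.yml": "  token: ghp_A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q7r8\n",
    "deploy/id_ed25519": "-----BEGIN OPENSSH PRIVATE KEY-----\n(key body omitted)\n",
    ".env.example": "STRIPE_SECRET_KEY=sk_live_xxxxxxxxxxxxxxxxxxxxxxxx\n",
    "tests/fixtures/creds.json": '{"access_key": "AKIA4XMPL2Q7V9HZT3WB"}\n',
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES, include_suppressed=True):
        status = f"suppressed: {f.reason}" if f.suppressed else "REPORT"
        print(f"{f.path}:{f.line:<3} {f.secret_type:<28} {f.redacted():<14} {status}")
```

Run as a script, it reports the AWS key ID, the high-entropy AWS secret, the password inside the connection string, the GitHub token and the private key, and lists the `.env.example` and `tests/fixtures/` matches as suppressed with the reason. Two design points carry over to real tooling: entropy is only consulted when no known format already explains the value, so one line does not produce two findings, and context demotes a match rather than discarding it, because real credentials do end up in test fixtures and should still be reviewable.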

## Supported File Types

Corgea's secret scanner supports a comprehensive range of file types across different languages and frameworks:

| Language/Framework         | Extensions                                        | File Types                                             |
| -------------------------- | ------------------------------------------------- | ------------------------------------------------------ |
| **Python**                 | `.py`                                             | Python source files                                    |
|                            | `.toml`, `.ini`, `.txt`, `.cfg`                   | Configuration files (pyproject.toml, setup.cfg, etc.)  |
| **Ruby**                   | `.rb`                                             | Ruby source files                                      |
|                            | `.yml`, `.yaml`                                   | Configuration files (config files, Rails configs)      |
| **JavaScript/Node.js**     | `.js`, `.jsx`, `.mjs`                             | JavaScript source files                                |
|                            | `.json`, `.env`, `.config`                        | package.json, environment files, configs               |
| **TypeScript**             | `.ts`, `.tsx`                                     | TypeScript source files                                |
|                            | `.json`, `.config`                                | tsconfig.json, configuration files                     |
| **C#/.NET**                | `.cs`, `.cshtml`                                  | C# source and Razor files                              |
|                            | `.xml`, `.config`, `.json`                        | App.config, web.config, appsettings.json               |
| **Go**                     | `.go`                                             | Go source files                                        |
|                            | `.toml`, `.yaml`, `.yml`, `.env`                  | Configuration files                                    |
| **Java**                   | `.java`, `.jsp`, `.jspf`, `.tag`                  | Java source and JSP files                              |
|                            | `.properties`, `.xml`, `.gradle`, `.yaml`, `.yml` | application.properties, pom.xml, build.gradle, configs |
| **PHP**                    | `.php`                                            | PHP source files                                       |
|                            | `.ini`, `.xml`, `.yaml`, `.yml`, `.env`, `.json`  | php.ini, configs, environment files                    |
| **C/C++**                  | `.c`, `.cpp`, `.cc`, `.cxx`, `.c++`               | C/C++ source files                                     |
|                            | `.conf`, `.config`, `.cfg`, `.ini`                | Configuration files                                    |
| **Kotlin**                 | `.kt`, `.kts`                                     | Kotlin source files                                    |
|                            | `.gradle`, `.properties`, `.xml`, `.json`         | Build files and configs                                |
| **Swift**                  | `.swift`                                          | Swift source files                                     |
|                            | `.json`, `.yaml`, `.yml`, `.toml`                 | Configuration files                                    |
| **Universal Config Files** | `.txt`, `.conf`, `.config`, `.cfg`, `.ini`        | Generic configuration files                            |
|                            | `.env`                                            | Environment variables (all languages)                  |
|                            | `.json`, `.yaml`, `.yml`, `.xml`, `.toml`         | Common configuration formats                           |

## Detected Secret Types

Corgea's secret scanner can detect a wide range of secret types across different platforms and services:

<AccordionGroup>
  <Accordion title="Cloud Provider Credentials" icon="cloud">
    * AWS Access Keys and Secret Keys
    * Google Cloud API Keys
    * Azure Storage Account Keys
    * Azure Service Principal Credentials
    * DigitalOcean Access Tokens
    * Alibaba Cloud Access Keys
  </Accordion>

  <Accordion title="API Keys and Tokens" icon="key">
    * Generic API keys and tokens not tied to a specific vendor format
    * Authentication credentials
    * Personal access tokens
    * OAuth tokens
    * Bearer tokens
    * Service account tokens
  </Accordion>

  <Accordion title="Database and Storage" icon="database">
    * Database connection strings
    * MongoDB URIs
    * PostgreSQL connection strings
    * MySQL credentials
    * Redis passwords
    * Storage access keys
  </Accordion>

  <Accordion title="Cryptographic Material" icon="lock">
    * Private keys (RSA, SSH, PGP)
    * SSL/TLS certificates
    * Encryption keys
    * JWT secrets
    * Signing keys
  </Accordion>

  <Accordion title="Payment and Financial" icon="credit-card">
    * Payment gateway credentials
    * Stripe API keys
    * PayPal credentials
    * Square access tokens
  </Accordion>

  <Accordion title="Communication Services" icon="message">
    * Slack tokens and webhooks
    * Twilio API keys
    * SendGrid API keys
    * Mailgun credentials
  </Accordion>

  <Accordion title="Development Tools" icon="code">
    * GitHub tokens
    * GitLab tokens
    * NPM tokens
    * Docker registry credentials
    * CI/CD secrets
  </Accordion>

  <Accordion title="Other Sensitive Data" icon="eye-slash">
    * Internal endpoints
    * Private URLs
    * Environment variables with secrets
    * Hardcoded passwords
    * Authentication cookies
  </Accordion>
</AccordionGroup>

## Detection Results

When secrets are detected, Corgea provides comprehensive information to help you understand and remediate the issue:

<CardGroup cols={2}>
  <Card title="Secret Type" icon="tag">
    Classification of the detected secret (e.g., AWS Access Key, API Token)
  </Card>

  <Card title="Location" icon="map-pin">
    Exact file path and line number where the secret was found
  </Card>

  <Card title="Security Impact" icon="shield-exclamation">
    Assessment of the potential risk and impact of the exposed secret
  </Card>

  <Card title="Remediation Guidance" icon="wrench">
    Actionable steps to secure the secret properly
  </Card>
</CardGroup>
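What the remediation guidance for a finding like the hardcoded AWS secret above typically amounts to, as an added before/after illustration written for this page (not Corgea's remediation code). Two facts drive it: a secret that has been committed is already in git history, so it has to be rotated regardless of how the code is fixed, and the replacement should fail closed when the value is absent rather than fall back to a default. The `Secret` wrapper and `load_secret` helper are hypothetical names chosen here; the "before" value is a constructed fake.

```python
"""Before/after for remediating a hardcoded-secret finding: the credential
leaves source control and the code fails closed when it is missing.
Added illustration, not Corgea's remediation code."""
from __future__ import annotations
import hmac
import os
from typing import Mapping

# BEFORE: what the scanner flags. Once committed this value is in git history
# and must be rotated; deleting the line does not un-leak it.
AWS_SECRET_ACCESS_KEY = "q9Fz2LpR7sVw1HkT4nBx8YcJ0mQe6aUd3GoKi5Zt"  # constructed fake value


# AFTER: an opaque wrapper so the value cannot leak through repr(), f-strings,
# logging or tracebacks, plus a loader that refuses to start without it.
class Secret:
    __slots__ = ("_value",)

    def __init__(self, value: str) -> None:
        self._value = value

    def reveal(self) -> str:
        """The only way to get the raw value; easy to grep for in code review."""
        return self._value

    def __repr__(self) -> str:
        return "Secret('***')"

    __str__ = __repr__

    def __eq__(self, other: object) -> bool:
        # Constant-time comparison so equality checks do not leak via timing
        # (compare_digest on str requires ASCII; encode first for arbitrary text).
        return isinstance(other, Secret) and hmac.compare_digest(self._value, other._value)

    __hash__ = None  # unhashable: a secret is never a dict key or set member


def load_secret(name: str, env: Mapping[str, str] = os.environ) -> Secret:
    """Read a secret injected at deploy time (secret manager, CI vault, or the
    process environment); fail closed instead of falling back to a default."""
    value = env.get(name, "").strip()
    if not value:
        raise RuntimeError(f"required secret {name} is not set")
    return Secret(value)


if __name__ == "__main__":
    # Hypothetical environment constructed for the demo.
    creds = load_secret("AWS_SECRET_ACCESS_KEY", {"AWS_SECRET_ACCESS_KEY": "demo-value-not-real"})
    print(f"loaded {creds}")  # prints Secret('***'), never the value
```

Passing the environment mapping explicitly keeps the loader unit-testable without touching `os.environ`, and the wrapper means an accidental `logger.info("creds=%s", creds)` prints the redacted form.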

## Prevention Strategies

<Steps>
  <Step title="Pre-commit Hooks">
    Implement [pre-commit](cli#integrating-with-git-hooks) hooks to scan for secrets before code is committed to your repository.
  </Step>

  <Step title="Developer Training">
    Educate your team about the risks of hardcoded secrets and secure alternatives.
  </Step>

  <Step title="Code Reviews">
    Include secret scanning checks as part of your code review process.
  </Step>

  <Step title="Automated Scanning">
    Enable automated secret scanning in your CI/CD pipeline to catch secrets early.
  </Step>
</Steps>

## Integration with Development Workflow

Secret scanning integrates seamlessly into your development workflow:

<CardGroup cols={2}>
  <Card title="Pull Request Scanning" icon="code-pull-request">
    Automatically scan pull requests for secrets before merging
  </Card>

  <Card title="CI/CD Integration" icon="gears">
    Run secret scans as part of your continuous integration pipeline
  </Card>

  <Card title="IDE Extensions" icon="laptop-code">
    Get real-time feedback while coding with IDE integrations
  </Card>

  <Card title="Scheduled Scans" icon="clock">
    Regular repository scans to detect secrets in existing code
  </Card>
</CardGroup>

<Card title="Learn More" icon="book" href="/blast">
  Explore AI-native SAST for comprehensive vulnerability detection beyond secrets
</Card>
