dpndncY

Secret scanning

A high-precision secret scanner that combines provider-specific patterns with Shannon-entropy heuristics to catch hard-coded credentials while keeping false positives low. Runs on every scan, as a pre-commit hook, or in CI.

What it detects

Two complementary detectors run together:

  • Pattern detectors — provider-specific shapes with high confidence: AWS access keys & secret keys, GCP service-account keys, Azure connection strings, GitHub / GitLab tokens (PAT, OAuth, app), Slack tokens, Stripe keys, OpenAI / Anthropic API keys, JWTs, SSH / PGP / TLS private keys, and database connection strings (Postgres, MySQL, MongoDB, Redis).
  • Entropy detector — flags high-entropy strings that look like generic secrets (random API keys, base64 blobs) above a per-context Shannon-entropy threshold, so unknown credential formats are still caught.
Precision first
Entropy alone is noisy. dpndncY gates entropy hits with contextual checks (assignment to a key-like identifier, length, charset) so test fixtures and hashes don’t bury the real findings.

Suppression & allowlists

  • Suppress a line inline with a comment annotation (tracked with a reason for audit).
  • Maintain a per-file or per-path allowlist for known-safe fixtures and example values.
inline suppression
const example = "AKIAIOSFODNN7EXAMPLE"; // dpndncy-ignore: documented AWS example key
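How the pieces described above fit together (pattern rules, a context-gated entropy detector, inline suppression with an audited reason, and per-path / per-value allowlists), as an added Python illustration rather than dpndncY's own implementation. The two provider rules, the list of key-like identifiers, the 3.5 bits-per-character threshold, the hex-digest gate and all function names are assumptions; the dpndncy-ignore: marker is the one shown above. The sample input is constructed: AWS's documented example key, the SHA-256 of the empty string, and a made-up string shaped like a GitHub PAT.

```python
"""Toy secret scanner: provider patterns + gated entropy + inline suppression + allowlists.
Added illustration, not dpndncY's code. Rules, threshold and names are assumptions."""
import fnmatch
import math
import re
from dataclasses import dataclass
from typing import List, Tuple

# Assumed provider-specific rules (high confidence). Real rule sets are far larger.
PATTERN_RULES = [
    ("aws-access-key-id", re.compile(r"\b(AKIA[0-9A-Z]{16})\b")),
    ("github-pat", re.compile(r"\b(ghp_[A-Za-z0-9]{36})\b")),
]
# Context gate for the entropy detector: a quoted value of >= 16 chars assigned to a key-like name.
KEY_LIKE = re.compile(
    r"(?i)\b(?:api[_-]?key|secret|token|password|passwd|auth)\w*\s*[:=]\s*['\"]([^'\"]{16,})['\"]"
)
HEX_DIGEST = re.compile(r"[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64}")  # MD5 / SHA-1 / SHA-256 lengths
IGNORE_MARKER = "dpndncy-ignore:"   # inline suppression syntax shown on this page
ENTROPY_THRESHOLD = 3.5             # assumed, bits per character


@dataclass
class Finding:
    rule_id: str
    path: str
    line_no: int
    preview: str      # redacted, never the raw value
    confidence: str


def shannon_entropy(s: str) -> float:
    """Bits per character of the empirical character distribution of s."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Keep the first and last 4 chars so a reviewer can recognise the key without exposing it."""
    if len(value) <= 8:
        return "*" * len(value)
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


def detect(line: str) -> List[Tuple[str, str, str]]:
    """Return (rule_id, raw_value, confidence) hits for one line. Pattern rules win over entropy."""
    hits = [(rule_id, m.group(1), "high") for rule_id, rx in PATTERN_RULES for m in rx.finditer(line)]
    if hits:
        return hits
    m = KEY_LIKE.search(line)
    if not m:
        return []                       # no key-like context: entropy alone is not enough
    value = m.group(1)
    if HEX_DIGEST.fullmatch(value):
        return []                       # charset + length say "hash", not credential
    if shannon_entropy(value) < ENTROPY_THRESHOLD:
        return []                       # low entropy: placeholder or human-chosen string
    return [("generic-high-entropy", value, "medium")]


def scan_file(path, text, allowed_paths=(), allowed_values=()):
    """Scan one file's text. Returns (findings, suppressions); each suppression keeps its reason for audit."""
    findings, suppressions = [], []
    if any(fnmatch.fnmatch(path, pat) for pat in allowed_paths):
        return findings, suppressions   # whole path allowlisted (e.g. test fixtures)
    for line_no, line in enumerate(text.splitlines(), 1):
        if IGNORE_MARKER in line:
            # Recorded even if nothing would have fired, so stale suppressions stay visible.
            suppressions.append((line_no, line.split(IGNORE_MARKER, 1)[1].strip()))
            continue
        for rule_id, raw, confidence in detect(line):
            if raw in allowed_values:
                continue                # known-safe example value
            findings.append(Finding(rule_id, path, line_no, redact(raw), confidence))
    return findings, suppressions


# Constructed sample input (no real credentials): AWS's documented example key, a low-entropy
# placeholder, the SHA-256 of the empty string, a random-looking token, a made-up PAT-shaped fixture.
FIXTURE_PAT = "ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij"
SAMPLE = """\
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
example = "AKIAIOSFODNN7EXAMPLE"  # dpndncy-ignore: documented AWS example key
password = "password_password_password"
auth_token = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
SECRET_TOKEN = "xK9#mQ2$vL7@pR4!wN8%zB3&"
fixture_token = "ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij"
"""


def demo():
    return scan_file("src/config.py", SAMPLE,
                     allowed_paths=["tests/fixtures/*"], allowed_values={FIXTURE_PAT})


if __name__ == "__main__":
    found, suppressed = demo()
    for f in found:
        print(f"{f.path}:{f.line_no} {f.rule_id} ({f.confidence}) {f.preview}")
    for line_no, reason in suppressed:
        print(f"suppressed line {line_no}: {reason}")
```

Of the six sample lines only two are reported: the AWS key by its pattern rule and the random-looking SECRET_TOKEN by the gated entropy check. The annotated duplicate is recorded as a suppression with its reason, the repeated-word password fails the entropy threshold, the hex digest is rejected by the charset gate before entropy is even computed, and the PAT-shaped fixture is dropped by the value allowlist. Previews are redacted before they leave the scanner, so the report itself never becomes a second copy of the secret.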

Run it

CLI
# scan a project
dpndncy scan ./my-app --secrets

# fail CI if any secret is found
dpndncy scan ./my-app --secrets --fail-on secret

Output

  • Per finding: rule id, provider/class, file + line, a redacted preview, and confidence.
  • Exports in SARIF / JSON / CSV alongside the rest of the scan.
Rotate, don't just delete
A secret committed to git history is compromised even after you remove the line: every clone, fork, CI cache and mirror still holds the old commit. Treat every confirmed finding as a rotation event first, then scrub history so the dead credential stops tripping the scanner.