Secret scanning
A high-precision secret scanner that combines provider-specific patterns with Shannon-entropy heuristics to catch hard-coded credentials while keeping false positives low. Runs on every scan, as a pre-commit hook, or in CI.
What it detects
Two complementary detectors run together:
- Pattern detectors — provider-specific shapes with high confidence: AWS access keys & secret keys, GCP service-account keys, Azure connection strings, GitHub / GitLab tokens (PAT, OAuth, app), Slack tokens, Stripe keys, OpenAI / Anthropic API keys, JWTs, SSH / PGP / TLS private keys, and database connection strings (Postgres, MySQL, MongoDB, Redis).
- Entropy detector — flags high-entropy strings that look like generic secrets (random API keys, base64 blobs) above a per-context Shannon-entropy threshold, so unknown credential formats are still caught.
Precision first
Entropy alone is noisy. dpndncy gates entropy hits with contextual checks (assignment to a key-like identifier, length, charset) so test fixtures and hashes don't bury the real findings.
Suppression & allowlists
- Suppress a line inline with a comment annotation (tracked with a reason for audit).
- Maintain a per-file or per-path allowlist for known-safe fixtures and example values.
inline suppression
const example = "AKIAIOSFODNN7EXAMPLE"; // dpndncy-ignore: documented AWS example key
Run it
CLI
# scan a project
dpndncy scan ./my-app --secrets
# fail CI if any secret is found
dpndncy scan ./my-app --secrets --fail-on secret
Output
- Per finding: rule id, provider/class, file + line, a redacted preview, and confidence.
- Exports in SARIF / JSON / CSV alongside the rest of the scan.
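An added illustration, written for this page and not taken from dpndncy's own code, of how the pieces above fit together: a high-confidence pattern rule, the context-gated Shannon-entropy detector, an inline suppression that keeps its reason for audit, per-finding fields like the Output section lists, and a CI fail decision like --fail-on secret. The rule regex, the 3.5-bit threshold, the key-like identifier list and the sample source lines are all constructed assumptions.

```python
import math
import re
from collections import Counter

# Constructed demo rule; not dpndncy's own rule set.
PATTERN_RULES = {"aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b")}
# Context gate for entropy hits: a quoted value of 20+ chars assigned to a key-like name.
KEY_LIKE_ASSIGN = re.compile(
    r"(?i)\b(api[_-]?key|secret|token|password|passwd|auth)\w*\s*[:=]\s*['\"]([A-Za-z0-9+/=_-]{20,})['\"]"
)
SUPPRESS = re.compile(r"dpndncy-ignore:\s*(?P<reason>.+?)\s*$")
ENTROPY_THRESHOLD = 3.5  # bits per character; assumed value for this demo

def shannon_entropy(s: str) -> float:
    """Shannon entropy of a string in bits per character."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def redact(value: str) -> str:
    """Keep only a short prefix/suffix so the report never re-leaks the secret."""
    return f"{value[:4]}...{value[-2:]}" if len(value) > 8 else "***"

def scan_line(line: str, lineno: int) -> list[dict]:
    sup = SUPPRESS.search(line)
    reason = sup.group("reason") if sup else None  # suppression keeps its reason for audit
    hits = [(rule, m.group()) for rule, rx in PATTERN_RULES.items() for m in rx.finditer(line)]
    if not hits:  # entropy detector only runs on lines no high-confidence pattern matched
        m = KEY_LIKE_ASSIGN.search(line)
        if m and shannon_entropy(m.group(2)) >= ENTROPY_THRESHOLD:
            hits.append(("generic-high-entropy", m.group(2)))
    return [{"rule": r, "line": lineno, "preview": redact(v), "suppressed": reason,
             "confidence": "medium" if r == "generic-high-entropy" else "high"} for r, v in hits]

def scan_source(text: str) -> list[dict]:
    return [f for i, ln in enumerate(text.splitlines(), 1) for f in scan_line(ln, i)]

def ci_should_fail(findings: list[dict]) -> bool:
    """Mirror --fail-on secret: any unsuppressed finding fails the build."""
    return any(f["suppressed"] is None for f in findings)

# Constructed sample source: an allowlisted example key, a real-looking key,
# a low-entropy password and a high-entropy digest that the context gate ignores.
SAMPLE = '''const example = "AKIAIOSFODNN7EXAMPLE"; // dpndncy-ignore: documented AWS example key
api_key = "q9Tz2Lm8Xv4Wp1Rb7Yc3Hd6Kn0Jf5Gs"
password = "aaaaaaaaaaaaaaaaaaaaaaaa"
expected_digest = "f0e1d2c3b4a5968778695a4b3c2d1e0f"
'''
```

Running scan_source(SAMPLE) yields two findings: the suppressed AWS example on line 1 and the unsuppressed high-entropy api_key on line 2, so ci_should_fail returns True; the hex digest has entropy 4.0 but is never considered because it is not assigned to a key-like identifier.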
Rotate, don't just delete
A secret committed to git history is compromised even after you remove the line. Treat every confirmed finding as a rotation event, then scrub history.