Aikido
Secrets Detection

Catch Leaked Secrets Before Hackers Do

Aikido scans your code for exposed API keys, credentials, and tokens—before they ever reach production.

  • Surfaces the most critical secrets
  • Maintenance-free CI/CD integration
  • Ignores safe or inactive secrets
Your data won't be shared · Read-only access · No CC required

Chosen by 25,000+ orgs worldwide

Importance of Secrets Detection

Why Secrets Scanning Matters

One of the most common mistakes developers make is accidentally leaking secrets. These include sensitive credentials like API keys, passwords, encryption keys, private keys, and more—any of which could allow attackers to access or steal confidential data.


Doesn’t bug you with known-safe secrets

Recognizes secrets that are known to be safe and auto-triages them (e.g. Stripe publishable keys, Google Maps API keys used in front-end) so they don’t trigger alerts.


Filters Out Irrelevant Secrets

Aikido will ignore secrets that have been verified as expired or revoked, or appear to be variables. Aikido safely verifies the validity of known secret types by sending a request to an API endpoint requiring authorization that doesn't produce sensitive data.

Advanced Features

Secrets Scanning Features

Stop Secrets Before They Ship

Integrates secrets scanning into your CI/CD pipeline, catching leaked secrets before code is merged or deployed.

Instant Warnings in Your IDE

Warns developers about secrets before they commit code.

Detect Active Secrets

Aikido's Live Secret Detection feature checks if exposed secrets are still active and assesses their potential risks. Based on the outcome, the issue's severity will be changed.

Full Coverage in One Platform

Replace your scattered toolstack with one platform that does it all—and shows you what matters.

  • Code · Dependencies: Find vulnerable open-source packages in your dependencies, including transitive ones.
  • Cloud · Cloud (CSPM): Detects cloud infrastructure risks (misconfigurations, VMs, container images) across major cloud providers.
  • Code · Secrets: Checks your code for leaked and exposed API keys, passwords, certificates, encryption keys, etc.
  • Code · Static Code Analysis (SAST): Scans your source code for security risks before an issue can be merged.
  • Code · Infrastructure as Code Scanning (IaC): Scans Terraform, CloudFormation & Kubernetes infrastructure-as-code for misconfigurations.
  • Test · Dynamic Testing (DAST): Dynamically tests your web app’s front-end & APIs to find vulnerabilities through simulated attacks.
  • Code · License Risk & SBOMs: Monitors your licenses for risks such as dual licensing, restrictive terms, bad reputation, etc., and generates SBOMs.
  • Code · Outdated Software (EOL): Checks if any frameworks & runtimes you are using are no longer maintained.
  • Cloud · Container Images: Scans your container images for packages with security issues.
  • Code · Malware: Prevent malicious packages from infiltrating your software supply chain. Powered by Aikido Intel.
  • Test · API Scanning: Automatically map out and scan your API for vulnerabilities.
  • Cloud · Virtual Machines: Scans your virtual machines for vulnerable packages, outdated runtimes and risky licenses.
  • Defend · Runtime Protection: An in-app firewall for peace of mind. Automatically block critical injection attacks, introduce API rate limiting & more.
  • Code · IDE Integrations: Fix issues as you code, not after. Get in-line advice to fix vulnerabilities before commit.
  • Code · On-Prem Scanner: Run Aikido’s scanners inside your environment.
  • Code · CI/CD Security: Automate security for every build & deployment.
  • Cloud · AI Autofix: One-click fixes for SAST, IaC, SCA & containers.
  • Cloud · Cloud Asset Search: Search your entire cloud environment with simple queries to instantly find risks, misconfigurations, and exposures.

Review

“Aikido makes your security one of your USPs thanks to their integrated automated reporting solution, which helps for ISO & SOC2 certification”

Fabrice G

Managing director at Kadonation

What is secret detection, and why should I worry about leaked API keys or credentials in my code?

Secret detection scans your code for exposed API keys, passwords, tokens, and credentials. Leaked secrets can give attackers direct access to your systems, leading to data breaches or costly cloud misuse. Even a single AWS key in a repo can be exploited. Secret scanning helps catch these issues before they're pushed or merged, protecting your infrastructure from unauthorized access.

How does Aikido's secrets scanning work, and what types of secrets can it catch (API keys, tokens, passwords)?

Aikido scans your code and config files for known secret patterns and high-entropy strings. It detects API keys, tokens, private keys, DB creds, and more. Using pattern matching, entropy analysis, and validation logic, it identifies real secrets while minimizing false alarms. It flags anything sensitive enough to be dangerous if exposed.

Does Aikido scan my entire git history for secrets, or just the latest code commits?

By default, Aikido scans the current code, but it can also scan full Git history to catch secrets exposed in old commits. Historical scanning is optional and configurable - ideal for detecting secrets that were added and removed but still accessible in repo history.

How can I integrate Aikido's secret scanning into my workflow (CI pipeline or pre-commit hooks) to catch leaks early?

You can integrate Aikido into CI pipelines, blocking builds or PRs with detected secrets. It also supports IDE extensions and pre-commit hooks for real-time feedback during development. This ensures secret detection happens automatically - before secrets hit production branches.

Does Aikido produce a lot of false positives in secret detection (for example, mistaking random IDs for secrets)?

Aikido is optimized to reduce false positives. It avoids flagging known public keys (e.g., Stripe publishable keys) and filters out test values or random data. When possible, it verifies secrets for validity before raising alerts, so the results you get are relevant and actionable.
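The two answers above describe the same pipeline: match known secret formats and high-entropy strings, then triage out publishable keys, placeholders and test values before alerting. The following is an added illustration of that pipeline, not Aikido's own code; the rule set, the 3.5-bit entropy threshold, the placeholder patterns and the sample lines are all constructed for this example (the AKIA value is AWS's documented example key).

```python
import math
import re
from typing import List, Tuple

# Detection rules, constructed for this example; a real scanner ships far
# larger rule sets. An AWS access key ID has a fixed format, so a match is
# reported as-is; a generic secret-looking assignment must pass triage.
RULES = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "generic_assignment": re.compile(
        r'(?i)(?:secret|token|password|api_key)\w*\s*[=:]\s*["\']?([^\s"\']{12,})'),
}
ENTROPY_THRESHOLD = 3.5  # bits per character; tunable assumption
SAFE_PREFIXES = ("pk_live_", "pk_test_")  # Stripe publishable keys: public by design
# Values that are variable references or placeholders rather than credentials.
PLACEHOLDER = re.compile(r"^(\$\{?\w+\}?|<[^>]+>|x{4,}|changeme\w*|your[_-]\w+)$", re.I)


def shannon_entropy(value: str) -> float:
    """Bits per character: random keys score high, repeated or dictionary text low."""
    if not value:
        return 0.0
    n = len(value)
    return -sum(value.count(c) / n * math.log2(value.count(c) / n) for c in set(value))


def triage(rule: str, value: str) -> str:
    """Decide whether a candidate secret deserves an alert."""
    if value.startswith(SAFE_PREFIXES):
        return "ignore:publishable-key"
    if PLACEHOLDER.match(value):
        return "ignore:placeholder"
    if rule == "generic_assignment" and shannon_entropy(value) < ENTROPY_THRESHOLD:
        return "ignore:low-entropy"
    return "report"  # a live-validation step against the issuer's API would go here


def scan(text: str) -> List[Tuple[int, str, str, str]]:
    """Return (line_no, rule, value, verdict) for every candidate in the text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES.items():
            for match in pattern.finditer(line):
                value = match.group(1)
                findings.append((line_no, rule, value, triage(rule, value)))
    return findings


# Constructed sample input covering one real finding per triage path.
SAMPLE = """\
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
stripe_api_key = "pk_test_exampleonly1234567890"
db_password = "${DB_PASSWORD}"
api_token = "aaaaaaaaaaaaaaaaaaaaaaaa"
secret_token: Zx9kQ2mP7vL4nR8sT1wY6uB3
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Only the first and last sample lines are reported; the publishable key, the `${...}` reference and the repeated-character test value are triaged out, which is the noise reduction the answers describe.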

Can I configure Aikido's secret scanner to ignore certain patterns or known test credentials?

Yes. You can add ignore rules, patterns, or annotations to prevent Aikido from flagging known test values. You can also mark findings as "won't fix" or safe in the dashboard. This tuning helps reduce alert fatigue and lets you control what gets flagged.

If Aikido finds a leaked secret, what does it do - alert me, block the commit, help me revoke it?

Aikido alerts you immediately and can block the commit or build (if integrated into CI). It shows the file, line, and key type, and recommends revoking the secret. While Aikido doesn't revoke keys directly, it highlights active credentials and guides you on what to do next.

How does Aikido's secret scanning compare to tools like GitGuardian or Gitleaks?

Aikido offers detection quality on par with GitGuardian/Gitleaks but integrates secret scanning into a broader security platform. It reduces noise with contextual triage and unifies alerts across code, cloud, IaC, and secrets. It's one tool for all risks - no juggling multiple platforms.

Does Aikido detect secrets only in source code, or also in config files and other places like YAMLs?

Yes, it scans all text files - code, YAML, JSON, .env files, Terraform, commit messages, and more. Secrets often hide in configs or manifests, and Aikido checks them all to catch accidental leaks wherever they appear.

If we already use GitHub's secret scanning or pre-commit hooks, why do we need Aikido's secret detection?

Aikido complements GitHub scanning and hooks with broader coverage (multi-platform support), centralized alerting, and deeper context. It doesn't rely on dev setup, reduces false positives, and catches secrets across all repos - even if hooks are bypassed. It adds layered protection and better visibility.

Get secure for free

Secure your code, cloud, and runtime in one central system.
Find and fix vulnerabilities fast automatically.

No credit card required | Scan results in 32 secs.