.avif)
Review
“Aikido makes your security one of your USPs thanks to their integrated automated reporting solution, which helps for ISO & SOC2 certification”
Fabrice G
Managing director at Kadonation
.png)
Secrets Detection
Catch Leaked Secrets Before Hackers Do
Aikido scans your code for exposed API keys, credentials, and tokens—before they ever reach production.
Surfaces the most critical secrets- Maintenance-free CI/CD integration
- Ignores safe or inactive secrets
.avif)
Chosen by 25,000+ orgs worldwide
Importance of Secrets Detection
Why Secrets Scanning Matters
One of the most common mistakes developers make is accidentally leaking secrets. These include sensitive credentials like API keys, passwords, encryption keys, private keys, and more—any of which could allow attackers to access or steal confidential data.
Doesn’t bug you with known to be safe secrets
Recognizes secrets that are known to be safe and auto-triages them (e.g. Stripe publishable keys, Google Maps API keys used in front-end) so they don’t trigger alerts.
Filters Out Irrelevant Secrets
Aikido will ignore secrets that have been verified as expired or revoked, or appear to be variables. Aikido safely verifies the validity of known secret types by sending a request to an API endpoint requiring authorization that doesn't produce sensitive data.
Advanced Features
Secrets Scanning Features
Stop Secrets Before They Ship
Detect Active Secrets
Full Coverage in One Platform
Replace your scattered toolstack with one platform that does it all—and shows you what matters.
FAQ
More to explore
What is secret detection, and why should I worry about leaked API keys or credentials in my code?
Secret detection scans your code for exposed API keys, passwords, tokens, and credentials. Leaked secrets can give attackers direct access to your systems, leading to data breaches or costly cloud misuse. Even a single AWS key in a repo can be exploited. Secret scanning helps catch these issues before they're pushed or merged, protecting your infrastructure from unauthorized access.
How does Aikido's secrets scanning work, and what types of secrets can it catch (API keys, tokens, passwords)?
Aikido scans your code and config files for known secret patterns and high-entropy strings. It detects API keys, tokens, private keys, DB creds, and more. Using pattern matching, entropy analysis, and validation logic, it identifies real secrets while minimizing false alarms. It flags anything sensitive enough to be dangerous if exposed.
Does Aikido scan my entire git history for secrets, or just the latest code commits?
By default, Aikido scans the current code, but it can also scan full Git history to catch secrets exposed in old commits. Historical scanning is optional and configurable - ideal for detecting secrets that were added and removed but still accessible in repo history.
How can I integrate Aikido's secret scanning into my workflow (CI pipeline or pre-commit hooks) to catch leaks early?
You can integrate Aikido into CI pipelines, blocking builds or PRs with detected secrets. It also supports IDE extensions and pre-commit hooks for real-time feedback during development. This ensures secret detection happens automatically - before secrets hit production branches.
Does Aikido produce a lot of false positives in secret detection (for example, mistaking random IDs for secrets)?
Aikido is optimized to reduce false positives. It avoids flagging known public keys (e.g., Stripe publishable keys) and filters out test values or random data. When possible, it verifies secrets for validity before raising alerts, so the results you get are relevant and actionable.
Can I configure Aikido's secret scanner to ignore certain patterns or known test credentials?
Yes. You can add ignore rules, patterns, or annotations to prevent Aikido from flagging known test values. You can also mark findings as "won't fix" or safe in the dashboard. This tuning helps reduce alert fatigue and lets you control what gets flagged.
If Aikido finds a leaked secret, what does it do - alert me, block the commit, help me revoke it?
Aikido alerts you immediately and can block the commit or build (if integrated into CI). It shows the file, line, and key type, and recommends revoking the secret. While Aikido doesn't revoke keys directly, it highlights active credentials and guides you on what to do next.
How does Aikido's secret scanning compare to tools like GitGuardian or Gitleaks?
Aikido offers detection quality on par with GitGuardian/Gitleaks but integrates secret scanning into a broader security platform. It reduces noise with contextual triage and unifies alerts across code, cloud, IaC, and secrets. It's one tool for all risks - no juggling multiple platforms.
Does Aikido detect secrets only in source code, or also in config files and other places like YAMLs?
Yes, it scans all text files - code, YAML, JSON, .env files, Terraform, commit messages, and more. Secrets often hide in configs or manifests, and Aikido checks them all to catch accidental leaks wherever they appear.
If we already use GitHub's secret scanning or pre-commit hooks, why do we need Aikido's secret detection?
Aikido complements GitHub scanning and hooks with broader coverage (multi-platform support), centralized alerting, and deeper context. It doesn't rely on dev setup, reduces false positives, and catches secrets across all repos - even if hooks are bypassed. It adds layered protection and better visibility.
More to explore
Get secure for free
Secure your code, cloud, and runtime in one central system.
Find and fix vulnerabilities fast automatically.
.avif)
