
Secret Detection — Finding leaked keys

A leaked key is the most common breach vector. Decoder combines provider-specific regexes (AWS, GitHub, Stripe…) with entropy analysis to flag secrets that don't belong in source code.

What it is

Detector class that flags strings looking like credentials in source files.

Why it's useful

Stops .env values, OAuth tokens, or private keys from reaching git history.

How Decoder implements it

Provider regex catalog + Shannon entropy threshold + path heuristics (.env*, config/*).

When to use it

Before committing, before publishing, and on every CI run.

When NOT to use it

Test fixtures with obvious dummy keys — add a comment to suppress.

Practical example

An AKIA... string in src/config.ts is flagged Critical and tagged with CWE-798.
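The pipeline described under "How Decoder implements it" (provider regex catalog, Shannon entropy threshold, path heuristics, comment-based suppression for fixtures), worked through as an added example that is not Decoder's own code. The provider patterns, the 4.0 bits/char threshold, the path rule and the suppression marker are assumptions constructed for this illustration.

```python
import math
import re
from collections import Counter
from dataclasses import dataclass

# Provider patterns are constructed for this example; Decoder's real catalog is not on the page.
PROVIDER_PATTERNS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github-token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "stripe-live-key": re.compile(r"\bsk_live_[A-Za-z0-9]{24,}\b"),
}
QUOTED = re.compile(r"""["']([A-Za-z0-9+/=_\-]{20,})["']""")  # candidates for the entropy check
ENTROPY_THRESHOLD = 4.0  # bits per character (assumed threshold)
SUPPRESS = "secret-scan: ignore"  # assumed inline marker for dummy fixture keys

@dataclass
class Finding:
    path: str
    line: int
    rule: str
    severity: str
    cwe: str = "CWE-798"  # Use of Hard-coded Credentials

def shannon_entropy(s: str) -> float:
    """Bits per character: 20 identical chars score 0.0, 32 distinct chars score 5.0."""
    n = len(s)
    return -sum(k / n * math.log2(k / n) for k in Counter(s).values()) if n else 0.0

def path_is_sensitive(path: str) -> bool:
    """Path heuristic: .env* files and anything under a config/ directory."""
    parts = path.split("/")
    return parts[-1].startswith(".env") or "config" in parts[:-1]

def scan(path: str, text: str) -> list[Finding]:
    """Provider regexes first (always Critical); entropy on quoted strings otherwise."""
    findings, sensitive = [], path_is_sensitive(path)
    for lineno, line in enumerate(text.splitlines(), 1):
        if SUPPRESS in line:  # test fixtures with obvious dummy keys opt out
            continue
        hits = [rule for rule, pat in PROVIDER_PATTERNS.items() if pat.search(line)]
        for rule in hits:
            findings.append(Finding(path, lineno, rule, "Critical"))
        if hits:
            continue
        for m in QUOTED.finditer(line):
            if shannon_entropy(m.group(1)) >= ENTROPY_THRESHOLD:
                findings.append(Finding(path, lineno, "high-entropy-string", "High" if sensitive else "Medium"))
    return findings

# Constructed sample file; the AKIA value is a made-up placeholder, not a real key.
SAMPLE_TS = 'export const AWS_KEY = "AKIAEXAMPLEKEY000001";\nexport const SESSION = "abcdefghijklmnopqrstuvwxyz012345";\n'
```

Running `scan("src/config.ts", SAMPLE_TS)` yields one Critical finding for the AKIA line and one Medium high-entropy finding for the second line; the same file under config/ would raise the entropy finding to High.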

Glossary

Entropy
Measure of randomness — high entropy suggests a real secret.
CWE-798
Use of Hard-coded Credentials.
