Secret Detection — Finding leaked keys
Leaked credentials are among the most common breach vectors. Decoder combines provider-specific regexes (AWS, GitHub, Stripe…) with a Shannon-entropy check to flag secrets that don't belong in code.
What it is
A detector class that flags strings in source files that look like credentials (API keys, access tokens, private keys).
Why it's useful
Stops .env values, OAuth tokens and private keys from being committed, where they would persist in git history even after the offending line is deleted.
How Decoder implements it
A catalog of provider-specific regexes (known key prefixes and formats) + a Shannon-entropy threshold for random-looking strings + path heuristics that raise suspicion for locations that usually hold real config values (.env*, config/*).
When to use it
Before committing (a pre-commit hook), before publishing a package or image, and on every CI run.
When NOT to use it
Test fixtures with obvious dummy keys (for example the placeholder keys vendors publish in their docs): add a suppression comment on that line rather than disabling the rule, and never suppress a real-looking value you cannot account for.
Practical example
An AKIA... string in src/config.ts is flagged Critical and tagged CWE-798 (Use of Hard-coded Credentials). Treat a flagged key as compromised and rotate it; removing the line does not remove it from history.
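As an added, illustrative example (not Decoder's own rule set or code), the script below combines the three signals described above: a small provider-regex catalog, a Shannon-entropy threshold that is lowered for .env*/config/* paths, and a suppression comment for fixtures. The provider patterns, the thresholds, the decoder:ignore marker and the sample files are assumptions constructed for this example; the AKIA value is the placeholder key ID AWS uses in its documentation, not a live credential.

```python
"""Toy secret detector: provider regexes + Shannon entropy + path heuristics.

Added example only; not Decoder's rule set. Patterns, thresholds, the
suppression marker and the sample files are assumptions for this demo.
"""
import math
import re
from dataclasses import dataclass

# Provider-specific formats (assumed catalog; real catalogs are far larger).
PROVIDER_PATTERNS = {
    "aws-access-key-id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github-pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "stripe-secret-key": re.compile(r"\bsk_(?:live|test)_[A-Za-z0-9]{24,}\b"),
}

# Generic candidate: a run of 20+ token-like characters ('=' is excluded so
# that KEY=value splits into key and value).
GENERIC_TOKEN = re.compile(r"[A-Za-z0-9+/_\-]{20,}")

# Entropy thresholds in bits per character (assumed). The bar is lower in
# paths that usually hold real config values (.env*, config/*).
ENTROPY_THRESHOLD = 4.0
ENTROPY_THRESHOLD_SENSITIVE_PATH = 3.0
SENSITIVE_PATH = re.compile(r"(^|/)(\.env[^/]*|config/[^/]+)$")

SUPPRESS_MARKER = "decoder:ignore"  # assumed suppression comment token


@dataclass
class Finding:
    path: str
    line: int
    rule: str
    severity: str
    cwe: str
    match: str  # redacted, never the full value


def shannon_entropy(s: str) -> float:
    """H = -sum(p_c * log2(p_c)) over the characters of s, in bits per char."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(token: str) -> str:
    """Keep just enough to locate the value without re-leaking it."""
    return token[:4] + "..." + token[-4:] if len(token) > 12 else "***"


def scan_file(path: str, text: str) -> list:
    findings = []
    sensitive = bool(SENSITIVE_PATH.search(path))
    threshold = ENTROPY_THRESHOLD_SENSITIVE_PATH if sensitive else ENTROPY_THRESHOLD
    for lineno, line in enumerate(text.splitlines(), 1):
        if SUPPRESS_MARKER in line:  # explicit opt-out, e.g. documented dummy keys
            continue
        provider_hit = False
        for rule, pattern in PROVIDER_PATTERNS.items():
            for m in pattern.finditer(line):
                # Known format: Critical regardless of entropy (structured keys
                # with fixed prefixes can score lower than random tokens).
                findings.append(Finding(path, lineno, rule, "Critical", "CWE-798", redact(m.group())))
                provider_hit = True
        if provider_hit:
            continue
        for m in GENERIC_TOKEN.finditer(line):
            token = m.group()
            if shannon_entropy(token) >= threshold:
                severity = "High" if sensitive else "Medium"
                findings.append(Finding(path, lineno, "high-entropy-string", severity, "CWE-798", redact(token)))
    return findings


# Constructed sample upload. The AKIA value is the placeholder key ID from
# AWS's documentation, not a live credential.
SAMPLE_FILES = {
    "src/config.ts": (
        'export const region = "us-east-1";\n'
        'export const accessKeyId = "AKIAIOSFODNN7EXAMPLE";\n'
    ),
    ".env": (
        "DB_PASSWORD=correcthorsebatterystaple\n"
        "SESSION_SECRET=kQ9vX2pL7mN4rT8wZ1yB6cD3fG5hJ0aE\n"
    ),
    "tests/fixtures/keys.py": (
        'AWS_KEY = "AKIAIOSFODNN7EXAMPLE"  # decoder:ignore placeholder from AWS docs\n'
    ),
    "src/app.py": "DEFAULT_CONFIGURATION_TIMEOUT_SECONDS = 30\n",
}


def scan_upload(files: dict) -> list:
    return [f for path, text in files.items() for f in scan_file(path, text)]


if __name__ == "__main__":
    for f in scan_upload(SAMPLE_FILES):
        print(f"{f.path}:{f.line} [{f.severity}] {f.rule} {f.cwe} {f.match}")
```

Running it yields three findings: the AKIA key in src/config.ts (Critical, by provider regex), and both values in .env (High). The passphrase DB_PASSWORD=correcthorsebatterystaple scores only about 3.4 bits per character, below the generic 4.0 threshold, and is caught solely because the .env path lowers the bar; the long constant name in src/app.py scores about 3.9 and is correctly left alone, while the fixture copy of the same AKIA key is skipped by its suppression comment. Thresholds like these are tuning knobs: lower them and identifiers start to trigger, raise them and dictionary passwords slip through.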
Glossary
- Entropy
- Measure of randomness in a string. A high value suggests a real secret (random tokens score high, while dictionary words and placeholders score low), but structured keys with fixed prefixes can score lower than expected, which is why provider regexes are checked as well.
- CWE-798
- Use of Hard-coded Credentials.
Related
Static malware analysis inspects code and binaries without executing them. Decoder runs it locally on your upload and surfaces suspicious patterns, entropy spikes and known indicators — no API key required.
Entropy is a statistical measure of how 'random' the bytes in a file look. In malware analysis, abnormally high entropy is a strong signal that a section is packed, encrypted or otherwise obfuscated.
CWE (Common Weakness Enumeration) is the MITRE taxonomy of software weaknesses. Decoder attaches a CWE ID where applicable so findings are comparable across tools and reports.
SAST inspects source code to find security weaknesses before runtime. Decoder ships SAST as a free, no-key feature across 20+ languages.
Python is a first-class format in Decoder. Upload a single .py, a ZIP, or import a GitHub repo and get static + malware findings.
JavaScript and TypeScript are first-class in Decoder. Upload single files, ZIPs, or import a GitHub repo.
Java is supported as a first-class format. Rules cover the common enterprise weakness classes mapped to CWE.
Dockerfiles are configuration that becomes runtime. Decoder flags the common foot-guns before they hit your registry.