Secrets
Learn how Seenty detects leaked credentials, API keys, and tokens in your code repositories.
Secrets are sensitive credentials -- API keys, access tokens, passwords, private keys, and connection strings -- that have been accidentally committed to source code. A single exposed secret can give an attacker access to your databases, cloud infrastructure, payment systems, or third-party services.
If Seenty detects an exposed secret, rotate the credential immediately. Even if you remove the secret from your code, it remains in your git history and may have already been harvested by automated scanners.
How detection works
Seenty scans your git repositories for patterns that match known secret formats. The scan examines the full git history -- not just the latest commit -- so secrets that were committed and later removed are still detected.
Detection covers a wide range of credential types:
| Secret type | Examples |
|---|---|
| Cloud provider keys | AWS Access Key / Secret Key, Azure Client Secret, GCP Service Account Key |
| Platform tokens | GitHub Personal Access Token, GitLab Token, Bitbucket App Password |
| Database credentials | PostgreSQL connection strings, MongoDB URIs, Redis passwords |
| Payment services | Stripe API keys, PayPal Client Secret |
| Communication services | Twilio Account SID / Auth Token, SendGrid API Key, Slack Bot Token |
| Infrastructure | SSH private keys, TLS/SSL private keys, Docker registry credentials |
| Generic patterns | Passwords in config files, API keys matching common formats, Base64-encoded credentials |
What you see for each finding
Every detected secret includes detailed context to help you locate and remediate it:
- Secret type -- The category of credential detected (e.g., "AWS Access Key", "GitHub Personal Access Token").
- Rule matched -- The specific detection rule that triggered the finding (e.g., aws-access-key-id).
- File path -- The file where the secret was found (e.g., src/config/database.ts).
- Line number -- The exact line in the file.
- Commit hash -- The git commit that introduced the secret.
- Severity -- Typically Critical or High, depending on the credential type and potential blast radius.
The actual secret value is partially redacted in the Seenty interface. Only enough characters are shown to help you identify which credential is affected.
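The two sections above describe the mechanics: pattern rules applied to every revision in git history, and a finding that carries rule, path, line, commit and a masked value. The following is an added illustrative example of those mechanics, not Seenty's own rules or code. The rule ids, regular expressions, commit hashes, file contents and secret values are all constructed for the example; a real scanner would read blobs out of the repository instead of the in-memory history used here.

```python
import re
from dataclasses import dataclass

# Illustrative rules for a few well-known credential formats. These are
# constructed for the example and are not Seenty's detection rule set.
RULES = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github-pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private-key-block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # Generic rule: a quoted password literal in a config-style assignment.
    # Requiring the quotes keeps `password: process.env.DB_PASSWORD` from matching.
    "generic-password": re.compile(r"(?i)\bpassword\s*[=:]\s*['\"]([^'\"]{8,})['\"]"),
}


@dataclass(frozen=True)
class Finding:
    rule: str
    path: str
    line: int
    commit: str
    redacted: str  # never store or display the full value


def redact(secret: str, keep: int = 4) -> str:
    """Show only the first and last few characters, as a UI would."""
    if len(secret) <= 2 * keep:
        return "*" * len(secret)
    return secret[:keep] + "*" * (len(secret) - 2 * keep) + secret[-keep:]


def scan_blob(content: str, path: str, commit: str) -> list[Finding]:
    """Run every rule over every line of one file revision."""
    findings = []
    for lineno, line in enumerate(content.splitlines(), start=1):
        for rule, pattern in RULES.items():
            m = pattern.search(line)
            if m:
                # The generic rule captures the literal; the others match the whole token.
                value = m.group(1) if m.lastindex else m.group(0)
                findings.append(Finding(rule, path, lineno, commit, redact(value)))
    return findings


def scan_history(commits) -> list[Finding]:
    """Scan every file revision in every commit, not only the newest tree."""
    findings = []
    for commit in commits:
        for path, content in commit["files"].items():
            findings.extend(scan_blob(content, path, commit["hash"]))
    return findings


def scan_latest(commits) -> list[Finding]:
    """What a HEAD-only scan would report; shown for contrast with scan_history."""
    head = commits[-1]
    findings = []
    for path, content in head["files"].items():
        findings.extend(scan_blob(content, path, head["hash"]))
    return findings


# Constructed sample history (hashes, paths and values are made up).
# The first commit hardcodes a password and an AWS key id; the second
# commit replaces both with environment lookups, so HEAD is clean.
SAMPLE_HISTORY = [
    {"hash": "a1b2c3d", "files": {
        "src/config/database.ts": "export const db = {\n  host: 'db.internal',\n"
                                  "  password: 'p4ssw0rd-example-only',\n};\n",
        "deploy/aws.env": "AWS_ACCESS_KEY_ID=AKIAEXAMPLE0000000A1\n",
    }},
    {"hash": "e4f5a6b", "files": {
        "src/config/database.ts": "export const db = {\n  host: 'db.internal',\n"
                                  "  password: process.env.DB_PASSWORD,\n};\n",
        "deploy/aws.env": "AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID}\n",
    }},
]

if __name__ == "__main__":
    for f in scan_history(SAMPLE_HISTORY):
        print(f"{f.rule:20} {f.path}:{f.line}  commit {f.commit}  value {f.redacted}")
```

Running the script reports both secrets from commit a1b2c3d even though neither exists in the latest revision, which is exactly why removing a credential from the current tree is not a remediation on its own.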
How to scan for secrets
Connect your GitHub repositories through the Seenty GitHub App integration. Once connected, Seenty automatically scans for secrets on every push to the repository.
- Go to Integrations > Service Integrations > GitHub.
- Connect your GitHub account and select repositories.
- Scanning begins automatically on the next push.
See GitHub App Integration for full setup instructions.
Remediation steps
When a secret is detected, follow these steps in order:
Rotate the credential immediately
Go to the service that issued the credential (e.g., AWS Console, Stripe Dashboard) and revoke or rotate the exposed key. This is the most urgent step -- removing the secret from code does not prevent its use if it has already been copied.
Remove the secret from your code
Delete the hardcoded credential from your source files. If it was committed to git, consider rewriting history with git filter-branch or BFG Repo-Cleaner to remove it from past commits as well.
Use environment variables or a secrets manager
Replace hardcoded credentials with environment variables, a secrets manager (e.g., AWS Secrets Manager, HashiCorp Vault, Doppler), or your platform's built-in secrets handling (e.g., GitHub Actions Secrets, Vercel Environment Variables).
Prevent future leaks
- Add sensitive files to .gitignore (e.g., .env, credentials.json, *.pem).
- Use a pre-commit hook to catch secrets before they are committed.
- Educate your team about secret hygiene.
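A pre-commit hook of the kind mentioned above, as an added example that is not part of Seenty or this documentation: it reads the staged changes with `git diff --cached -U0`, checks only the added lines against a small set of patterns, and exits non-zero so git refuses the commit. The rule set and the sample diff are constructed for the example; the line numbers it reports are positions in the new version of the file, derived from the hunk headers. Install it by copying the script to `.git/hooks/pre-commit` and marking it executable.

```python
#!/usr/bin/env python3
"""Pre-commit hook: refuse a commit whose staged additions look like secrets."""
import re
import subprocess
import sys

# Deliberately small rule set for the hook (constructed for this example).
PATTERNS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github-pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private-key-block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# "@@ -old_start[,count] +new_start[,count] @@": we only need new_start.
HUNK_HEADER = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


def scan_diff(diff_text: str) -> list[tuple[str, str, int]]:
    """Return (rule, path, new_line_number) for every added line that matches.

    Only '+' lines are inspected, so a secret already in the repository does not
    re-trigger on every commit; history cleanup is a separate step."""
    hits = []
    path = None
    lineno = 0
    for line in diff_text.splitlines():
        if line.startswith("+++ "):
            # "+++ b/path" for the new side of the diff.
            target = line[4:]
            path = target[2:] if target.startswith("b/") else target
        elif line.startswith("@@"):
            m = HUNK_HEADER.match(line)
            if m:
                lineno = int(m.group(1))  # first new-file line of this hunk
        elif line.startswith("+"):
            added = line[1:]
            for rule, pattern in PATTERNS.items():
                if pattern.search(added):
                    hits.append((rule, path, lineno))
            lineno += 1
        elif line.startswith(" "):
            lineno += 1  # context line; absent with -U0 but harmless to handle
        # '-' lines (removals and the '--- a/path' header) and other metadata
        # do not advance the new-file line counter.
    return hits


def main() -> int:
    diff = subprocess.run(
        ["git", "diff", "--cached", "-U0", "--no-color"],
        capture_output=True, text=True, check=True,
    ).stdout
    hits = scan_diff(diff)
    for rule, path, lineno in hits:
        # Report location and rule only; never echo the matched value.
        print(f"pre-commit: possible {rule} at {path}:{lineno}", file=sys.stderr)
    if hits:
        print("pre-commit: commit blocked; move the value to an environment "
              "variable or secrets manager and stage again", file=sys.stderr)
        return 1
    return 0


# Constructed sample of `git diff --cached -U0` output: one staged edit that
# replaces a region line and adds an AWS key id, plus a harmless README change.
SAMPLE_DIFF = """\
diff --git a/deploy/aws.env b/deploy/aws.env
index 1111111..2222222 100644
--- a/deploy/aws.env
+++ b/deploy/aws.env
@@ -1 +1,2 @@
-AWS_REGION=us-east-1
+AWS_REGION=eu-west-1
+AWS_ACCESS_KEY_ID=AKIAEXAMPLE0000000A1
diff --git a/README.md b/README.md
index 3333333..4444444 100644
--- a/README.md
+++ b/README.md
@@ -10,0 +11 @@
+Set AWS_ACCESS_KEY_ID in your environment before deploying.
"""

if __name__ == "__main__":
    sys.exit(main())
```

The hook reports the key on line 2 of deploy/aws.env and ignores the README line, which mentions the variable name but contains no credential.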
Mark the finding as resolved
After rotating and removing the credential, update the finding status in Seenty to Resolved. If the secret is no longer detected in subsequent scans, it will be auto-resolved after 7 days.
False positives
Not every pattern match is a real secret. Test data, example configurations, and placeholder values can trigger false positives. When you encounter one:
- Click on the finding to open its detail view.
- Change the status to False Positive.
- The finding will be excluded from severity counts and will not generate alerts.
Marking a finding as a false positive applies to that specific finding only. If a similar pattern appears in a different file or commit, it will be reported as a new finding.
Plan availability
Secret scanning is available on Starter plans and above. The Hobby plan does not include repository scanning capabilities.