Three surfaces, one pass
Source files
Every text file under 1 MiB across the working tree, regex- and entropy-matched.
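A sketch of regex-plus-entropy matching on source text, as an added example that is not Vulnetix's own code. The three rules, the 20-character token pattern and the 4.0 bits-per-character threshold are assumptions chosen for illustration, and the sample input is constructed.

```python
import math
import re
from collections import Counter

# Assumed rule set for illustration: publicly documented token shapes only.
RULES = {
    "aws-access-key-id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github-pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private-key-header": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}
# Candidate tokens for the entropy pass: long runs of base64/hex-style characters.
TOKEN = re.compile(r"[A-Za-z0-9+/=_-]{20,}")
ENTROPY_THRESHOLD = 4.0  # bits per character; an assumed cut-off, tune per code base


def shannon_entropy(s):
    """Bits per character of the empirical character distribution of s."""
    counts = Counter(s)
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def scan_text(text):
    """Return (line_no, rule, match) tuples; regex rules first, entropy as fallback."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        claimed = []  # spans already reported by a named rule
        for rule, pattern in RULES.items():
            for m in pattern.finditer(line):
                findings.append((line_no, rule, m.group()))
                claimed.append(m.span())
        for m in TOKEN.finditer(line):
            overlaps = any(m.start() < e and s < m.end() for s, e in claimed)
            if not overlaps and shannon_entropy(m.group()) >= ENTROPY_THRESHOLD:
                findings.append((line_no, "high-entropy-string", m.group()))
    return findings


# Constructed sample input (AKIA... is the placeholder from AWS documentation).
SAMPLE = """\
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
session_secret = "q7Zp2Lx9Vb4Tn8Rk1Wd6Yh3Mc5Jf0GsA"
build_dir = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
-----BEGIN OPENSSH PRIVATE KEY-----
"""

if __name__ == "__main__":
    for finding in scan_text(SAMPLE):
        print(finding)
```

The repeated-character value on the third sample line is long enough to be a candidate token but scores zero entropy, so only the named-rule hits and the random-looking string are reported.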
Binaries
Extracted strings plus EXIF metadata from JPEG / TIFF assets.
Git history
Recursively walks file changes so a rotated-out secret is still caught.
Coverage across the stack
- Cloud providers — AWS, Azure, GCP, Alibaba, DigitalOcean, OCI keys & tokens
- Source control — GitHub PAT / App, GitLab, Bitbucket, Azure DevOps
- AI providers — OpenAI, Anthropic, Gemini, Cohere, Mistral, Hugging Face
- Payments — Stripe, Square, Shopify, PayPal, Braintree, Adyen
- Private keys — RSA, EC, OpenSSH, PGP, age, WireGuard, PKCS#12
- Database URLs — Postgres, MySQL, MongoDB, Redis, Snowflake
vulnetix secrets --severity high
vulnetix secrets --git-history # walk commit history, not just the working tree
vulnetix secrets --ignore "test/**" # skip paths by glob
Outputs SARIF 2.1.0 — drop it straight into the quality gate or any SARIF-aware viewer.