Catch leaked credentials before they ship.

Over a thousand built-in Rego rules detect hardcoded API keys, tokens and private keys — across source files, binaries and full git history. Wire it into the quality gate and the build fails the moment a secret appears.

Three surfaces, one pass

Source files

Every text file under 1 MiB across the working tree, regex- and entropy-matched.

Binaries

Extracted strings plus EXIF metadata from JPEG / TIFF assets.

Git history

Recursively walks file changes so a rotated-out secret is still caught.
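As an added illustration, not the vulnetix tool's own code or rules, the following Python scanner combines the regex stage and the entropy filter described above and runs over two constructed commits of one file to show why the git-history surface matters: the token is removed in the later commit, so a working-tree scan finds nothing while a history scan still flags it. The token pattern, the 4.0 bits/char threshold and the sample commits are assumptions.

```python
import math
import re

# Constructed history, oldest first: each entry maps path -> file contents.
# The hardcoded key in commit 0 is rotated out in commit 1.
HISTORY = [
    {"config.py": 'API_KEY = "9f8A3kLz2QpX7vB1nM4eR6tY0uW5cJ8d"\n'},
    {"config.py": 'import os\nAPI_KEY = os.environ["API_KEY"]\n'},
]

# Regex stage: a quoted run of 20+ token-like characters (assumed pattern).
TOKEN_RE = re.compile(r'["\']([A-Za-z0-9_\-]{20,})["\']')
ENTROPY_THRESHOLD = 4.0  # bits per character; assumed cutoff, not the tool's
MAX_SIZE = 1 << 20       # 1 MiB, the text-file size limit named on the page


def shannon_entropy(s):
    """Shannon entropy of a string in bits per character."""
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_secrets(text):
    """Regex candidates that also clear the entropy threshold."""
    if len(text.encode()) > MAX_SIZE:
        return []  # oversized text files are skipped, as on the page
    return [m for m in TOKEN_RE.findall(text) if shannon_entropy(m) >= ENTROPY_THRESHOLD]


def scan_working_tree(history):
    """Scan only the newest commit, as a working-tree-only scan would."""
    tree = history[-1]
    return {p: find_secrets(t) for p, t in tree.items() if find_secrets(t)}


def scan_history(history):
    """Walk every commit; maps each secret to the (commit index, path) pairs it appears in."""
    hits = {}
    for idx, tree in enumerate(history):
        for path, text in tree.items():
            for secret in find_secrets(text):
                hits.setdefault(secret, []).append((idx, path))
    return hits
```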

Coverage across the stack

vulnetix secrets --severity high
vulnetix secrets --git-history          # walk commit history, not just the working tree
vulnetix secrets --ignore "test/**"     # skip paths by glob

Outputs SARIF 2.1.0 — drop it straight into the quality gate or any SARIF-aware viewer.