Secret detection
Every av sast scan hunts for hard-coded secrets - API keys, access keys, private keys, passwords, tokens - and tiers what it finds RED, YELLOW or GREEN like every other finding.
What runs
More than one scanner in the series looks for secrets:
- A dedicated secret scanner walks the working tree in directory mode - the files as they exist on disk at the scan path.
- The infrastructure scanner runs its secret checks alongside its misconfiguration checks in the same filesystem pass.
Both run locally as separate, checksum-verified subprocesses; your source never leaves the machine. See Code scanning (SAST) for how the scan series is downloaded, pinned and cached.
How findings are bucketed
On the Code Scan page a finding lands in the Secrets category when:
- it came from the dedicated secret scanner - always treated as a secret, or
- its rule or message matches a credential pattern (secret, credential, API key, access key, private key, password, token) - so a code-scanner hit on a hard-coded password buckets as a secret too.
Tiering
Secret findings use the same SARIF-to-tier mapping as all SAST findings: a security-severity score of 7.0 or higher is RED, 4.0 or higher is YELLOW; without a score, SARIF level error maps to RED and warning to YELLOW. The full mapping is on Code scanning (SAST).
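The bucketing rule above and the SARIF-to-tier mapping are easy to get subtly wrong when you reimplement them for your own reporting, so here is a worked reference, written for this page as an added example; it is not the scanner's own code. It walks a SARIF log, marks a result as a secret either because it came from the dedicated secret scanner or because its rule id or message matches the credential pattern, assigns the tier from security-severity (falling back to the SARIF level when there is no score), and ends with the RED gate used in the CI section below. The driver names, rule ids and the sample SARIF document are constructed for the example; treating anything below 4.0 or any level other than error/warning as GREEN is an assumption, since the page defers the full mapping to the Code scanning page.

```python
"""Bucket and tier SARIF results, then decide whether a CI gate should fail."""
import re

# Tier order, highest first; used by the gate to compare tiers.
TIERS = ("RED", "YELLOW", "GREEN")

# Credential pattern from the page's bucketing rule (case-insensitive).
CREDENTIAL_RE = re.compile(
    r"secret|credential|api[ _-]?key|access[ _-]?key|private[ _-]?key|password|token",
    re.IGNORECASE,
)

# Hypothetical driver name for the dedicated secret scanner (not on the page).
SECRET_SCANNER_NAMES = {"example-secret-scanner"}


def severity_to_tier(security_severity, level):
    """Score >= 7.0 -> RED, >= 4.0 -> YELLOW; without a score, level error -> RED,
    warning -> YELLOW. Anything else -> GREEN (assumption for this example)."""
    if security_severity is not None:
        score = float(security_severity)
        if score >= 7.0:
            return "RED"
        if score >= 4.0:
            return "YELLOW"
        return "GREEN"
    if level == "error":
        return "RED"
    if level == "warning":
        return "YELLOW"
    return "GREEN"


def is_secret(tool_name, rule_id, message):
    """Dedicated scanner hits are always secrets; otherwise the rule id or the
    message text must match the credential pattern."""
    if tool_name in SECRET_SCANNER_NAMES:
        return True
    return bool(CREDENTIAL_RE.search(rule_id or "") or CREDENTIAL_RE.search(message or ""))


def triage(sarif):
    """Flatten a SARIF log into dicts with tool, rule, category and tier."""
    findings = []
    for run in sarif.get("runs", []):
        driver = run.get("tool", {}).get("driver", {})
        tool_name = driver.get("name", "")
        # Index rule metadata by id so results can pick up security-severity.
        rules = {r.get("id"): r for r in driver.get("rules", [])}
        for result in run.get("results", []):
            rule_id = result.get("ruleId", "")
            rule = rules.get(rule_id, {})
            score = rule.get("properties", {}).get("security-severity")
            message = result.get("message", {}).get("text", "")
            level = result.get("level", rule.get("defaultConfiguration", {}).get("level"))
            findings.append({
                "tool": tool_name,
                "rule": rule_id,
                "category": "Secrets" if is_secret(tool_name, rule_id, message) else "Other",
                "tier": severity_to_tier(score, level),
            })
    return findings


def should_fail(findings, fail_on="RED"):
    """CI gate: True if any finding sits at or above the fail_on tier."""
    threshold = TIERS.index(fail_on.upper())
    return any(TIERS.index(f["tier"]) <= threshold for f in findings)


# Constructed sample SARIF: one dedicated secret-scanner run and one code-scanner run.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [
        {
            "tool": {"driver": {"name": "example-secret-scanner", "rules": [
                {"id": "aws-access-key", "properties": {"security-severity": "8.0"}},
            ]}},
            "results": [
                {"ruleId": "aws-access-key", "level": "error",
                 "message": {"text": "AWS access key found in config.py"}},
            ],
        },
        {
            "tool": {"driver": {"name": "example-code-scanner", "rules": [
                {"id": "hardcoded-password", "properties": {"security-severity": "5.5"}},
                {"id": "sql-injection"},
                {"id": "unused-import"},
            ]}},
            "results": [
                {"ruleId": "hardcoded-password",
                 "message": {"text": "Hard-coded password in db.py"}},
                {"ruleId": "sql-injection", "level": "error",
                 "message": {"text": "Unsanitized input reaches a SQL query"}},
                {"ruleId": "unused-import", "level": "note",
                 "message": {"text": "Unused import os"}},
            ],
        },
    ],
}

if __name__ == "__main__":
    found = triage(SAMPLE_SARIF)
    for f in found:
        print(f)
    print("fail build:", should_fail(found, "red"))
```

On the sample log the dedicated-scanner hit and the hard-coded password both land in Secrets (RED and YELLOW respectively), the SQL injection result has no score and falls back to its error level (RED), and the note-level result is GREEN; a `red` gate fails the build because two findings are RED.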
Gate your CI
Run the full scan series in your pipeline and fail the build on any RED finding. Secret findings are tiered alongside every other finding, so one gate covers a leaked credential and everything else the series detects:

av sast scan --path . --fail-on red

See also
- Code scanning (SAST) - the scan series, tiering and local-first design
- av sast scan - run a local scan
- IaC misconfiguration - the other half of the infrastructure scanner’s pass