How secret detection works
Endor Labs detects secrets in stages so that scans stay fast and findings stay actionable:- Keyword pre-filter: A fast string check narrows the files that a rule evaluates.
- Pattern match: A regular expression identifies candidate secrets.
- Entropy check: An optional Shannon entropy threshold filters out low-randomness matches, such as common words.
- Validation: For supported credential types, Endor Labs sends a request to the issuing service to determine whether the secret is still active.
Capabilities
Manage secret rules
Use built-in system rules or create custom rules to detect secrets for any service.
Scan for secrets
Scan source code, Git history, changed files, or staged commits with endorctl.
View secret findings
Review, prioritize, and remediate the secrets that Endor Labs detects.
Supported secrets
Endor Labs detects secrets using a large set of built-in system rules that cover common providers and credential formats, including:- Cloud provider credentials, such as AWS, Google Cloud, and Azure.
- Source control and CI tokens, such as GitHub, GitLab, and Bitbucket.
- API keys for services, such as Slack, Twilio, Datadog, Stripe, and OpenAI.
- OAuth tokens and personal access tokens.
- Private keys and certificates.
Scan modes
The scan mode determines where rules come from and whether the scan needs to reach Endor Labs. For the commands behind each mode, see Scan for secrets.Incremental secret scans
Endor Labs scans incrementally so that repeated scans stay fast as your Git history and pull requests grow. Incremental behavior applies in two places.- Git history: After the first
--git-logsscan examines the full reachable history, later scans examine only the commits added since the last scan. Endor Labs falls back to a full rescan the first time a repository’s history is scanned, and whenever a secret rule in the namespace changes. Run a scan with--force-rescanto re-examine the entire history on demand. - Pull requests: Pass
--pr-incremental, or enable pull request scans in a monitoring scan, to scan only the files that changed relative to the baseline branch instead of the whole repository. See Perform incremental PR scan.
--diff-scope.
Secrets deduplication
Duplicate secrets increase the attack surface and the risk of unauthorized access. Managing multiple duplicate secrets can be complex and error-prone. Endor Labs categorizes instances of identical secrets found within your application components and repositories, helping an organization achieve:- Efficient prioritization: Simplifies the prioritization of widely dispersed secrets, because more occurrences signify increased exposure and risk.
- Comprehensive visibility: Ensures you have a complete view of all instances associated with a specific secret, which helps when the secret is discovered or changes.
- Optimized issue handling: Generates a single finding for multiple instances of a secret, simplifying the work of managing and addressing related findings together.