Skip to main content
Secrets are access credentials such as passwords, API keys, and personal access tokens that grant access to services and resources. When a secret is committed to a repository, anyone with access to the code, now or later, can use it to reach the services it unlocks. Leaked secrets lead to data breaches, unauthorized access, financial loss, and compliance violations. Endor Labs scans your source code and Git history for leaked secrets so your teams can find and revoke exposed credentials before they are abused.

How secret detection works

Endor Labs detects secrets in stages so that scans stay fast and findings stay actionable:
  • Keyword pre-filter: A fast string check narrows the files that a rule evaluates.
  • Pattern match: A regular expression identifies candidate secrets.
  • Entropy check: An optional Shannon entropy threshold filters out low-randomness matches, such as common words.
  • Validation: For supported credential types, Endor Labs sends a request to the issuing service to determine whether the secret is still active.
Active secrets are raised as critical findings so that you can prioritize them.

Capabilities

Manage secret rules

Use built-in system rules or create custom rules to detect secrets for any service.

Scan for secrets

Scan source code, Git history, changed files, or staged commits with endorctl.

View secret findings

Review, prioritize, and remediate the secrets that Endor Labs detects.

Supported secrets

Endor Labs detects secrets using a large set of built-in system rules that cover common providers and credential formats, including:
  • Cloud provider credentials, such as AWS, Google Cloud, and Azure.
  • Source control and CI tokens, such as GitHub, GitLab, and Bitbucket.
  • API keys for services, such as Slack, Twilio, Datadog, Stripe, and OpenAI.
  • OAuth tokens and personal access tokens.
  • Private keys and certificates.
Endor Labs maintains the system rules and updates them over time. To see the exact rules available in your environment, list them with endorctl.
endorctl api list -r SecretRule -n <your-namespace> --list-all
To detect a credential format that no system rule covers, create a custom rule. See Manage secret rules.

Scan modes

The scan mode determines where rules come from and whether the scan needs to reach Endor Labs. For the commands behind each mode, see Scan for secrets.

Incremental secret scans

Endor Labs scans incrementally so that repeated scans stay fast as your Git history and pull requests grow. Incremental behavior applies in two places.
  • Git history: After the first --git-logs scan examines the full reachable history, later scans examine only the commits added since the last scan. Endor Labs falls back to a full rescan the first time a repository’s history is scanned, and whenever a secret rule in the namespace changes. Run a scan with --force-rescan to re-examine the entire history on demand.
  • Pull requests: Pass --pr-incremental, or enable pull request scans in a monitoring scan, to scan only the files that changed relative to the baseline branch instead of the whole repository. See Perform incremental PR scan.
To limit a single scan to changed files without comparing against a baseline, use --diff-scope.

Secrets deduplication

Duplicate secrets increase the attack surface and the risk of unauthorized access. Managing multiple duplicate secrets can be complex and error-prone. Endor Labs categorizes instances of identical secrets found within your application components and repositories, helping an organization achieve:
  • Efficient prioritization: Simplifies the prioritization of widely dispersed secrets, because more occurrences signify increased exposure and risk.
  • Comprehensive visibility: Ensures you have a complete view of all instances associated with a specific secret, which helps when the secret is discovered or changes.
  • Optimized issue handling: Generates a single finding for multiple instances of a secret, simplifying the work of managing and addressing related findings together.