KeyEnv Scan - Secret Detection
KeyEnv includes a built-in scanner that detects 50+ types of hardcoded secrets in source code: AWS keys, API tokens, private keys, database passwords, and more.
Prerequisites
Requires keyenv CLI: keyenv --version
Install if missing:
curl -fsSL https://keyenv.dev/install.sh | bash
Scanning for Secrets
# Scan current directory
keyenv scan
# Scan specific path
keyenv scan ./src
# Filter by severity (critical, high, medium, low)
keyenv scan --severity high
# JSON output for parsing
keyenv scan --json
The scanner respects .gitignore and .keyenvignore for exclusions.
Understanding Results
Output shows each finding with:
- File path and line number
- Pattern matched (e.g., "AWS Access Key", "GitHub Token")
- Severity level (critical, high, medium, low)
- Masked preview of the matched value
Example:
src/config.js:15 [critical] AWS Access Key ID
AKIAIOSFODNN7EXAMPLE...
Found 3 secrets (1 critical, 2 high)
Pre-commit Hook
Prevent secrets from being committed:
# Install pre-commit hook
keyenv scan --hook
# Remove pre-commit hook
keyenv scan --hook --remove
The hook runs keyenv scan on staged files before each commit and blocks the commit if secrets are found.
Upload Results
Report findings to the KeyEnv dashboard for team visibility:
keyenv scan --upload
Requires an initialized project (keyenv init) and authentication.
Custom Exclusions
Create a .keyenvignore file to exclude paths beyond .gitignore:
# .keyenvignore
test/fixtures/
docs/examples/
*.test.js
Detected Patterns
The scanner detects secrets across these categories:
| Category | Examples | |----------|---------| | Cloud providers | AWS keys, GCP service accounts, Azure tokens | | API keys | Stripe, Twilio, SendGrid, Slack, GitHub | | Authentication | JWTs, OAuth tokens, session secrets | | Databases | Connection strings with passwords | | Cryptographic | Private keys (RSA, EC, PGP), certificates | | Generic | High-entropy strings, base64-encoded secrets |
Common Workflows
Audit a codebase:
keyenv scan --json | jq '.findings | group_by(.severity) | map({severity: .[0].severity, count: length})'
CI pipeline check:
keyenv scan --severity high
# Exit code 1 if secrets found, 0 if clean
Before pushing code:
keyenv scan && git push
Scan to join WeChat group