Leaked secrets detection
Pentestas mines every response body, JavaScript bundle, source-map file, and HTTP-history capture for leaked credentials. 106 detector classes covering the providers our customers actually use; 30+ of those classes additionally live-verify the detected secret against the issuer's identity endpoint (with operator opt-in).
Detector coverage
106 classes spanning ten categories:
- Cloud infra — AWS (access key + secret + session token), GCP (API key + service-account JSON + OAuth client secret), Azure (storage connection string + client secret + SAS), DigitalOcean, Cloudflare, Heroku, Linode / Akamai, Vultr, Fly.io, Render.
- Payments — Stripe (live secret + restricted + test + webhook signing), Square, Shopify, PayPal Braintree, Plaid, Adyen.
- Messaging / email — Twilio (Account SID + Key SID + auth token), SendGrid, Mailgun, Postmark, Mailchimp.
- Chat — Slack (token + webhook), Discord (bot + webhook), Telegram, Microsoft Teams webhook.
- Developer platforms — GitHub (PAT + fine-grained + OAuth + user-to-server + server-to-server + refresh), GitLab, Bitbucket, NPM, PyPI, Docker Hub, Snyk, Sentry, Vercel.
- Observability — Datadog (API + app key), PagerDuty, New Relic.
- Identity — Auth0, Okta, Firebase.
- Data / analytics — Mixpanel, Segment, Algolia, Mapbox, MongoDB Atlas, Snowflake, Databricks.
- Productivity — Notion, Linear, Asana, HubSpot.
- AI — OpenAI, Anthropic, Hugging Face, Replicate, Cohere, DeepSeek.
- Crypto / Web3 — Solana / Ethereum / Bitcoin private keys, Alchemy, Infura.
- JWT / OAuth / PEM / DB URIs — JWTs in response bodies, every flavour of PEM private key, FTP / SFTP URIs with inline credentials.
Live verification (opt-in)
For each detector class that has a known identity endpoint (GitHub /user, Stripe /v1/balance, Datadog /api/v1/validate, Slack auth.test, Twilio /2010-04-01/Accounts, etc.) Pentestas can validate the detected secret end-to-end:
- ACTIVE — the issuer accepted the secret on a read-only identity call. This is a CRITICAL finding with verified evidence.
- REVOKED — the issuer returned 401/403. Still a finding (the leak happened), but the impact is contained.
- UNKNOWN — the verifier couldn't reach the issuer within the timeout or hit a transient error. The platform never silently downgrades severity on a connectivity hiccup.
Verification is OFF by default — it leaves an authenticated identity trail in the leaker's account. Turn it on per-scan via Advanced configuration → Live-verify detected secrets, or at the tenant level under Settings.
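The three-way outcome above (ACTIVE / REVOKED / UNKNOWN) and the rule that a connectivity hiccup never downgrades severity can be shown as a small classifier. This is an added example, not Pentestas's verifier: the `Finding` dataclass, the baseline and REVOKED severities, the request shape and the `transport` callable are assumptions of the example; the endpoint URLs are the identity endpoints named above. The transport is injected so the block runs offline against scripted responses.

```python
from dataclasses import dataclass, field

# Identity endpoints named on the page. How the request is built (method, auth
# header) is an assumption of this example and is delegated to `transport`.
IDENTITY_ENDPOINTS = {
    "github": "https://api.github.com/user",
    "stripe": "https://api.stripe.com/v1/balance",
    "slack": "https://slack.com/api/auth.test",
}


class TransientError(Exception):
    """Raised by the transport on timeout or connection failure."""


@dataclass
class Finding:
    provider: str
    secret: str
    severity: str = "HIGH"        # assumption: baseline severity before any verification
    verification: str = "NOT_RUN"
    evidence: dict = field(default_factory=dict)


def verify(finding: Finding, transport, live_verify: bool = False, timeout: float = 5.0) -> Finding:
    """Classify a detected secret as ACTIVE / REVOKED / UNKNOWN.

    transport(url, secret, timeout) returns the HTTP status of a read-only
    identity call or raises TransientError. Verification is opt-in: with
    live_verify=False nothing is sent and the finding is returned untouched.
    """
    if not live_verify:
        return finding
    url = IDENTITY_ENDPOINTS.get(finding.provider)
    if url is None:
        return finding  # no known identity endpoint for this detector class
    try:
        status = transport(url, finding.secret, timeout)
    except TransientError as exc:
        # Could not reach the issuer: record the error, keep severity as-is.
        finding.verification = "UNKNOWN"
        finding.evidence = {"endpoint": url, "error": str(exc)}
        return finding
    finding.evidence = {"endpoint": url, "http_status": status}
    if 200 <= status < 300:
        finding.verification = "ACTIVE"
        finding.severity = "CRITICAL"     # issuer accepted the secret: verified evidence
    elif status in (401, 403):
        finding.verification = "REVOKED"
        finding.severity = "MEDIUM"       # assumption: leak happened, impact contained
    else:
        finding.verification = "UNKNOWN"  # 5xx, 429 etc.: transient, never downgrade
    return finding


def scripted_transport(responses):
    """Offline transport for demonstration (constructed): maps endpoint -> status
    code, or -> an exception instance to raise."""
    def transport(url, secret, timeout):
        result = responses[url]
        if isinstance(result, Exception):
            raise result
        return result
    return transport


if __name__ == "__main__":
    t = scripted_transport({
        IDENTITY_ENDPOINTS["github"]: 200,
        IDENTITY_ENDPOINTS["stripe"]: 401,
        IDENTITY_ENDPOINTS["slack"]: TransientError("timeout after 5.0s"),
    })
    for provider in ("github", "stripe", "slack"):
        f = verify(Finding(provider, "<constructed-placeholder>"), t, live_verify=True)
        print(provider, f.verification, f.severity, f.evidence)
```

The `live_verify` default of `False` mirrors the opt-in described above; the caller has to pass `True` explicitly before any request leaves the scanner.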
Verifier coverage
30+ providers ship with live verifiers today: AWS (STS GetCallerIdentity with SigV4 signing), GitHub, GitLab, Stripe, Slack, Discord, Telegram, OpenAI, Anthropic, Hugging Face, Replicate, Twilio, SendGrid, Mailgun, Postmark, Mailchimp, Datadog, PagerDuty, Cloudflare, DigitalOcean, Heroku, Notion, Linear, Asana, HubSpot, NPM, Docker Hub, Snyk, Square, Shopify, Algolia, MongoDB Atlas, GCP (via Maps Geocode probe).
False-positive handling
Every regex is anchored on provider-specific shape (e.g. AWS access keys must start with AKIA followed by exactly 16 uppercase alphanumerics — a random 20-character string in prose won't match). Generic envelopes (api_key=...) require both a key-name shape AND value length AND Shannon entropy above 3.5 — placeholder values like YOUR_API_KEY_HERE are rejected.
Every finding carries the surrounding line as evidence, the rule name, the entropy of the match, and (when live-verify ran) the verification status.
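The two gates described in this section (a provider-shaped regex for AWS, and key-name shape + length + entropy for generic envelopes) can be exercised on a constructed input. This is an added example, not Pentestas's detector code: the AKIA pattern and the 3.5-bit threshold come from the text above, while the generic key-name shape, the 16-character minimum value length and the rule names are assumptions of the example. The sample text is constructed; AKIAIOSFODNN7EXAMPLE is the example key used in AWS's own documentation, not a live credential.

```python
import math
import re

ENTROPY_THRESHOLD = 3.5   # stated on the page
MIN_VALUE_LENGTH = 16     # assumption: the page gives no exact minimum

# Provider-shaped rules, anchored on the issuer's key format:
# AWS access key IDs are "AKIA" followed by exactly 16 uppercase alphanumerics.
PROVIDER_RULES = {
    "aws_access_key_id": re.compile(r"\b(AKIA[A-Z0-9]{16})\b"),
}

# Generic envelope: a credential-looking key name, "=" or ":", then a value.
# Key-name shape (assumption): any identifier containing api_key/secret/token/password.
GENERIC_ENVELOPE = re.compile(
    r"(?i)\b(\w*(?:api[_-]?key|secret|token|password)\w*)\s*[=:]\s*['\"]?([^'\"\s,;]+)"
)


def shannon_entropy(s: str) -> float:
    """Shannon entropy of s in bits per character."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def evaluate_generic(value: str):
    """Apply the length AND entropy gates to a generic-envelope value.
    Returns (accepted, reason); repeated or English-word placeholders fail the entropy gate."""
    if len(value) < MIN_VALUE_LENGTH:
        return False, f"value shorter than {MIN_VALUE_LENGTH} chars"
    h = shannon_entropy(value)
    if h <= ENTROPY_THRESHOLD:
        return False, f"entropy {h:.2f} <= {ENTROPY_THRESHOLD} (placeholder-like)"
    return True, f"entropy {h:.2f} > {ENTROPY_THRESHOLD}"


def scan(text: str):
    """Return one finding per detected secret, carrying the evidence line, rule
    name and entropy of the match (the evidence fields listed on the page)."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in PROVIDER_RULES.items():
            for m in pattern.finditer(line):
                findings.append({
                    "rule": rule, "match": m.group(1), "line": lineno,
                    "evidence": line.strip(),
                    "entropy": round(shannon_entropy(m.group(1)), 2),
                })
        for m in GENERIC_ENVELOPE.finditer(line):
            name, value = m.group(1), m.group(2)
            accepted, _reason = evaluate_generic(value)
            if not accepted:
                continue
            findings.append({
                "rule": "generic_envelope", "key_name": name, "match": value,
                "line": lineno, "evidence": line.strip(),
                "entropy": round(shannon_entropy(value), 2),
            })
    return findings


# Constructed sample input (not real credentials).
SAMPLE = """\
const cfg = { region: "us-east-1", accessKeyId: "AKIAIOSFODNN7EXAMPLE" };
api_key = "YOUR_API_KEY_HERE"
db_password = "changeme_changeme"
password: "hunter2"
token = "j8Kd93mZq1Lp0VxT4nRb7Ys2Wc6Ef5Ga"
Order reference: ABCDEFGHIJKLMNOPQRST
"""

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f)
```

Running it on the sample yields exactly two findings: the AKIA key on line 1 and the 32-character `token` value on line 5. The 20-character uppercase reference on the last line never matches (wrong prefix), `hunter2` fails the length gate, and both `YOUR_API_KEY_HERE` (about 3.3 bits) and `changeme_changeme` (about 2.9 bits) fall under the 3.5-bit entropy threshold.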
Remediation
Each finding includes a revocation_url linking directly to the provider's secret-management dashboard. The fix is always the same: revoke the leaked secret, rotate to a fresh one, and audit access logs back to the leak's timestamp for unauthorised use.