Back to blog
July 13, 2026

How to Detect Secrets in Code: A Guide to Preventing API Key Leaks

Learn how to detect secrets in source code, configuration files, and log files. Learn about Shannon entropy checks, AWS keys, and automated scanners.

How to Detect Secrets in Code: A Guide to Preventing API Key Leaks

Credential leaks are one of the most common and damaging security threats in modern software development. An developer accidentally commits a .env file or hardcodes an API key in a source file, pushes it to GitHub, and within minutes, automated bots scrape it to launch unauthorized infrastructure, download customer databases, or drain billing balances.

In this guide, we will explore why secrets leakage is so prevalent, review concrete examples of leaked API keys, and explain how to programmatically detect secrets in your codebase before they reach remote repositories.


The Scale of the Secrets Exposure Crisis

Every day, thousands of unique credentials (AWS access keys, database passwords, Stripe keys, private certificates) are committed to public version control. Once committed, the secret must be considered compromised. Even if the commit is deleted, it remains in the Git history and in various caching archives.

Manual code reviews are not sufficient to catch these leaks. Security engineering teams need automated scanning methods that check files during the development phase and inside CI/CD pipelines.


1. Signature-Based Secret Detection

The first and most reliable detection method uses signature matching (regular expressions) targeting specific structures of known providers. Many security keys follow standardized prefixes and character lengths.

Cloud Provider Credentials (AWS)

AWS Access Key IDs follow a distinct format: 20-character uppercase alphanumeric strings starting with AKIA or ASIA.

  • Pattern: \b(AKIA[0-9A-Z]{16})\b

Code Hosting Tokens (GitHub)

GitHub personal access tokens and OAuth credentials use specific prefixes:

  • OAuth tokens: gho_ followed by 36 characters.
  • User tokens: ghp_ followed by 36 characters.
  • Fine-grained tokens: github_pat_ followed by 82 characters.
  • Pattern: \b(gh[po]_[a-zA-Z0-9]{36,40}|github_pat_[a-zA-Z0-9]{82})\b

Payment Gateways (Stripe)

Stripe live credentials use distinct keys prefixed with sk_live_ (secret keys) or pk_live_ (publishable keys).

  • Pattern: \b((?:sk|pk)_live_[0-9A-Z]{24,})\b

Chat & Webhook integrations (Slack)

Slack OAuth access tokens are prefixed with xoxb- (bot tokens) or xoxp- (user tokens) and follow a three-segment structure separated by dashes.

  • Pattern: \b(xox[bp]-[0-9a-zA-Z]{10,12}-[0-9a-zA-Z]{10,12}-[0-9a-zA-Z]{10,24})\b

2. Shannon Entropy Checks

Signature matching works well for structured tokens, but generic passwords, custom database connection strings, and encryption keys do not have specific prefixes. To detect these, security tools use Shannon Entropy metrics.

Shannon entropy measures the degree of randomness or "uncertainty" in a string of characters. While English words have low entropy (characters repeat in predictable combinations), cryptographically secure API keys, password hashes, and certificates exhibit high entropy.

The entropy $H(X)$ of a string $X$ is calculated using the formula:

$$ H(X) = -\sum_^ P(x_i) \log_2 P(x_i) $$

Where $P(x_i)$ is the probability of character $x_i$ appearing in the string.

High Entropy Thresholds

  • benign text: "database_connection_setup_config" (Entropy: ~3.1)
  • random key: "8f9a2b7c6d4e1f5a0b3c8d9e2a7b6c4" (Entropy: ~3.8)
  • high entropy secret: "k$F9#m@Z!2qP*x9%yW1&L" (Entropy: > 4.5)

Scanning systems look for strings longer than 20 characters with a Shannon entropy score exceeding 4.5 to flag potential raw credentials.


3. Database Connection String Extraction

Connection strings are highly sensitive because they contain hostnames, ports, and usernames alongside unencrypted passwords. Scanners search for protocol schemas like postgresql://, postgres://, mongodb://, or redis:// followed by credentials.

  • Pattern: \b(?:postgresql|postgres|mongodb|redis):\/\/[a-zA-Z0-9_.-]+:[a-zA-Z0-9_.-]+@[a-zA-Z0-9_.-]+:\d+\b

How to Scan Your Files Locally

To audit your configurations, environment files, logs, or source code for leaked secrets without exposing your keys to the cloud, use our free Secret Leak Scanner. Running 100% locally in your browser memory, it parses your text and flags credentials immediately.

For redacting personally identifiable information (PII) from system logs, use our GDPR Log Scrubber. To understand structural API security, check out our analysis of The Shadow API Crisis.

Herramienta Asociada

¿Listo para usar la herramienta Escáner de Fugas de Secretos? Todo el procesamiento es local.

Abrir Escáner de Fugas de Secretos