Secret & Credential Detection

Find leaked credentials in your code and git history.

Deleting a secret from your codebase doesn't remove it from git history. Lumstep uses Kingfisher to scan both your working tree and every commit in your repository's history - including files that were deleted long ago. It detects API keys, OAuth tokens, private keys, passwords, connection strings, and CI/CD secrets across 200+ service patterns, and where the provider API allows it, validates whether each credential is still active.

AWS access key in infra/deploy.shCritical
AKIA••••••••EXAMPLE · line 47 · still active
GitHub personal token in scripts/ci.shHigh
found 312 commits back · flagged 2 min after the push

Secret & Credential Detection

How Lumstep's secret scanning works

Lumstep scans your current code and your entire git history - with no configuration on your end.

Scan scope
Working treeCurrent state of every file
Scanned
Git historyEvery commit, every branch
Scanned
Deleted filesStill present in history
Scanned
Configuration requiredNone →
On every push

Full history scan

Kingfisher traverses your entire git history on each scan - every commit, every branch, including deleted files - and checks for credentials matching 200+ service-specific patterns.

Stripe secret key in .env.exampleCritical
sk_live_•••• · committed 2 years ago · deleted since
Slack webhook URL in notify.pyHigh
hooks.slack.com/services/•••• · line 12
Automatically

Live validation

For providers that expose a validation endpoint, Lumstep tests each detected credential to determine whether it is still active or has already been revoked.

Live validity checks
AWS access keyTested against STS
Still active
GitHub tokenTested against GitHub API
Already revoked
Providers supportedAWS, GitHub, Stripe, Slack, GCP →
Instantly

Precise report

Each finding is reported with the exact file, line, commit hash, and credential type. Your team gets actionable information, not a list of maybes.

Report contents
File & lineinfra/deploy.sh:47
Included
Commit hasha3f9c2e
Included
Credential typeAWS access key
Included
Guesswork requiredNone →
Complete detection, no false positives to wade through

Git history is fully covered

A secret committed three years ago and deleted the next day is still in your repository. Lumstep scans every commit, not just the current state of the files - so a credential that was "cleaned up" but never rotated is caught.

Coverage over time
Current filesWorking tree state
Scanned
Deleted 3 years agoStill in git history
Still caught
"Cleaned up" but never rotatedStill flagged →
Complete detection, no false positives to wade through

Live validity checks

For supported providers - AWS, GitHub, Stripe, Slack, Google Cloud, and others - Lumstep tests whether the detected credential still works. A live key that needs revoking is not treated the same as a key that was already rotated.

Providers validated
AWSAccess key validity
Supported
GitHubToken validity
Supported
Stripe / Slack / GCPKey & token validity
Supported
Live vs. rotatedTreated differently →
Complete detection, no false positives to wade through

Exact location, no noise

Every finding includes the file path, line number, and the commit hash where the secret appeared. High-precision patterns and entropy-based filtering mean you get real findings, not a list of false positives to wade through.

Precision filtering
Pattern matching200+ service-specific patterns
High precision
Entropy filteringReduces generic false positives
Applied
NoiseFiltered out →
Complete detection, no false positives to wade through

Flagged within minutes of the push

Every push triggers a full scan. Exposed secrets are flagged long before a periodic scanner or manual review would catch them - while the exploitation window is still closed.

Detection timing
Periodic scannerRuns on a schedule
Slower
LumstepRuns on every push
Minutes
Exploitation windowClosed faster →

Scan your history for exposed credentials.

Free early access. Detection covers your full history from the first scan.

Get early access