Scan your codebase for leaked secrets — API keys, tokens, passwords, private keys.
Built in Kotlin as a fledge plugin.
## Installation

```sh
fledge plugins install CorvidLabs/fledge-plugin-secrets
```

## Usage

```sh
# Scan current directory
fledge secrets

# Scan a specific path
fledge secrets ./src

# Verbose output (show redacted matches)
fledge secrets -v

# JSON output (for CI pipelines)
fledge secrets -f json

# Markdown output (for PR comments)
fledge secrets -f md

# Also check git history (last 50 commits)
fledge secrets --git-history

# Custom entropy threshold
fledge secrets --min-entropy 5.0

# Skip entropy-based detection
fledge secrets --no-entropy

# Use a baseline file to suppress known findings
fledge secrets --baseline .secrets-baseline
```

## Detection patterns

| Category | Patterns | Severity |
|---|---|---|
| AWS | Access Key ID, Secret Access Key | CRITICAL |
| GitHub | Personal, OAuth, Server, Refresh tokens | CRITICAL/HIGH |
| Stripe | Secret key, Publishable key | CRITICAL/LOW |
| Slack | Bot token, Webhook URL | CRITICAL/HIGH |
| Private Keys | RSA, EC, PGP, OpenSSH | CRITICAL |
|  | API Key, OAuth Secret | HIGH |
| Database | Connection strings (postgres, mysql, mongo, redis) | HIGH |
| Heroku | API Key | HIGH |
| Twilio | API Key | HIGH |
| SendGrid | API Key | HIGH |
| npm | Access token | HIGH |
| JWT | JSON Web Tokens | MEDIUM |
| Generic | API key/secret/password/token assignments | MEDIUM |
| Entropy | High-entropy strings in key-like assignments | MEDIUM |
| Algorand | Mnemonic phrases | CRITICAL |
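To make the entropy rows and the `--min-entropy`, `--no-entropy`, `-v` and `--baseline` options concrete, here is an added illustration of entropy-based detection with baseline suppression. It is not code from fledge-plugin-secrets: the key-like regex, the fingerprint scheme, the finding layout, the `scan`/`exit_code` names and the sample lines are all assumptions made for the example. The sample includes the public example secret key from the AWS documentation, not a live credential.

```python
"""Shannon-entropy secret detection with baseline suppression.

Added example, not the plugin's own code. The regex, fingerprint scheme,
finding layout and sample input are assumptions for illustration.
"""
import hashlib
import math
import re

# Key-like assignment: identifier containing key/secret/token/password,
# then = or :, then a quoted value of at least 16 characters.
# Assumption: the plugin's real pattern is not published on this page.
KEY_ASSIGN = re.compile(
    r"(?P<name>\w*(?:key|secret|token|password|passwd)\w*)"
    r"\s*[:=]\s*[\"'](?P<value>[^\"']{16,})[\"']",
    re.IGNORECASE,
)


def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits per character; 0.0 for the empty string.

    Bounded by log2(len(s)) and by log2(alphabet size): a hex key can
    never score above 4.0 and base64 never above 6.0, so a threshold of
    5.0 silently ignores every hex-encoded secret.
    """
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def fingerprint(path: str, value: str) -> str:
    """Stable id for a finding; a baseline stores this, never the secret."""
    return hashlib.sha256(f"{path}\0{value}".encode()).hexdigest()[:16]


def redact(value: str) -> str:
    """Keep enough to recognise the match, never enough to reuse it."""
    return f"{value[:4]}...{value[-2:]}" if len(value) > 12 else "****"


def scan(path, text, min_entropy=3.5, use_entropy=True, baseline=frozenset()):
    """Return entropy findings for key-like assignments in `text`.

    use_entropy=False mirrors --no-entropy; `baseline` is the set of
    fingerprints --baseline would load from a file.
    """
    findings = []
    if not use_entropy:
        return findings
    for lineno, line in enumerate(text.splitlines(), 1):
        m = KEY_ASSIGN.search(line)
        if not m:
            continue
        value = m.group("value")
        entropy = shannon_entropy(value)
        if entropy < min_entropy:
            continue
        fp = fingerprint(path, value)
        if fp in baseline:
            continue
        findings.append({
            "file": path, "line": lineno, "name": m.group("name"),
            "entropy": round(entropy, 2), "fingerprint": fp,
            "match": redact(value),
            "severity": "MEDIUM",  # the Entropy category in the table above
        })
    return findings


def exit_code(findings) -> int:
    """Documented contract: 1 only for CRITICAL/HIGH findings, so
    entropy-only (MEDIUM) hits never fail a CI job by themselves."""
    return 1 if any(f["severity"] in ("CRITICAL", "HIGH") for f in findings) else 0


# Constructed sample file. The AWS value is the public example key from the
# AWS documentation, not a live credential.
SAMPLE = """\
username = "deploy-bot-account"
password = "changeme-changeme-changeme"
api_token: "0123456789abcdef0123456789abcdef"
aws_secret_access_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
"""

if __name__ == "__main__":
    hits = scan("config.env", SAMPLE)
    for h in hits:
        print(h)
    print("exit", exit_code(hits))
```

Run as-is, the default threshold flags the hex token (exactly 4.0 bits/char) and the AWS-style key (about 4.66), skips the repetitive password, and still returns exit code 0 because both hits are MEDIUM; raising the threshold to 5.0 drops both, which is the trade-off to keep in mind before tightening `--min-entropy`.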
## Exit codes

- `0`: no critical or high severity findings
- `1`: critical or high severity findings detected

Medium severity findings (JWT, generic assignments, entropy) never change the exit code; to gate a pipeline on them, parse the `-f json` output instead.
## Development

```sh
gradle build
gradle test
```

Requires Java 17+.
## License

MIT