scan-secrets

v0.1.0 tool

Scan evidence pack artifacts for potential secrets and credentials

by locktivity

Install

epack install tool scan-secrets

Adds the tool to epack.yaml, resolves dependencies, and downloads the binary.

Usage

Run the tool on an evidence pack:

epack tool scan-secrets --pack ./evidence.pack

Pass tool-specific arguments after a -- separator.

Configuration

Alternatively, add the tool manually to epack.yaml:

tools:
  scan-secrets:
    source: https://github.com/locktivity/epack-tool-scan-secrets

Then run epack install to lock and sync.

Overview

epack-tool-scan-secrets is an epack tool that scans evidence pack artifacts for potential secrets and credentials. It uses pattern matching and entropy analysis to identify likely sensitive data.

How It Works

The tool scans all artifacts in an evidence pack and checks for:

  1. Known Secret Patterns: Regular expressions that match common credential formats
  2. High-Entropy Strings: Strings with Shannon entropy ≥ 4.5 bits/character (indicating likely encoded secrets)

The tool works out of the box with sensible defaults, but detection sensitivity and scope can be customized via configuration. See configuration.md for details.

Detected Secret Types

Type               Description
aws_access_key     AWS Access Key ID (AKIA...)
aws_secret_key     AWS Secret Access Key
api_key            Generic API key patterns
github_token       GitHub personal access tokens
slack_token        Slack API tokens
private_key        RSA, EC, DSA, OpenSSH, or PGP private keys
password           Password/secret patterns in config files
jwt_token          JSON Web Tokens
connection_string  Database connection strings (MongoDB, PostgreSQL, MySQL, Redis, AMQP)
high_entropy       High-entropy strings that may be encoded secrets

Output

The tool outputs a detections.json file containing:

{
  "total": 3,
  "by_type": {
    "aws_access_key": 1,
    "private_key": 2
  },
  "by_severity": {
    "warning": 3
  },
  "detections": [
    {
      "path": "config/credentials.json",
      "type": "aws_access_key",
      "description": "Possible AWS Access Key ID detected",
      "severity": "warning"
    }
  ]
}

Limitations

This tool uses heuristics and is best-effort only:

  • False positives: Some legitimate data may be flagged (e.g., test fixtures, example values). Use ignore_paths to exclude known false positive sources.
  • False negatives: Some secrets may not be detected (e.g., custom formats, obfuscated values).
  • Binary files: Skipped automatically (detected by null bytes).

Use this tool as one layer of defense, not as the sole method for secret detection.

Configuration

epack-tool-scan-secrets works out of the box with sensible defaults, but can be customized for your environment.

Tool Requirements

Requirement     Value
Requires Pack   Yes
Network Access  No

Configuration Options

All configuration options are optional. The tool uses sensible defaults when no configuration is provided.

Option              Type      Default  Description
entropy_threshold   float     4.5      Minimum Shannon entropy (bits/char) to flag a string
min_entropy_length  int       20       Minimum string length for entropy checks
ignore_paths        []string  []       Glob patterns for paths to skip
disabled_detectors  []string  []       Detector types to disable

Available Detectors

The following detector types can be disabled via disabled_detectors:

Detector           Description
aws_access_key     AWS Access Key IDs (AKIA...)
aws_secret_key     AWS Secret Access Keys
api_key            Generic API key patterns
github_token       GitHub personal access tokens
slack_token        Slack API tokens
private_key        PEM-encoded private keys
password           Password assignment patterns
jwt_token          JSON Web Tokens
connection_string  Database connection URIs
high_entropy       High-entropy strings (encoded secrets)
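To make the two checks from "How It Works" (known secret patterns and Shannon entropy) and the options in the two tables above concrete, here is an added reference sketch in Python. It is not the tool's own source: the detector names and the option names and defaults (entropy_threshold 4.5, min_entropy_length 20, ignore_paths, disabled_detectors) come from this page, but the regular expressions, the function names, and the sample pack are assumptions constructed for the example. The AKIA value is AWS's documented example key, also used further down on this page.

```python
import fnmatch
import math
import re
from typing import Dict, List, Optional

# Detector names are the ones in the Available Detectors table; the regexes
# themselves are illustrative assumptions, not the tool's real patterns.
PATTERNS = {
    "aws_access_key": (re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
                       "Possible AWS Access Key ID detected"),
    "private_key": (re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH |PGP )?PRIVATE KEY-----"),
                    "Possible private key detected"),
    "jwt_token": (re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+"),
                  "Possible JSON Web Token detected"),
    "connection_string": (re.compile(r"\b(?:mongodb|postgres(?:ql)?|mysql|redis|amqp)://\S+"),
                          "Possible database connection string detected"),
}

# Defaults taken from the Configuration Options table.
DEFAULT_CONFIG = {
    "entropy_threshold": 4.5,
    "min_entropy_length": 20,
    "ignore_paths": [],
    "disabled_detectors": [],
}

# Candidate tokens for the entropy check: runs of base64/hex-like characters.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/_-]+")


def shannon_entropy(s: str) -> float:
    """Shannon entropy of s in bits per character."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def is_binary(data: bytes) -> bool:
    """The page says binary artifacts are recognised by null bytes and skipped."""
    return b"\x00" in data


def is_ignored(path: str, globs: List[str]) -> bool:
    """ignore_paths holds glob patterns; fnmatch's '*' also crosses '/',
    so 'testdata/**' and '*.test.json' behave as the page's examples expect."""
    return any(fnmatch.fnmatch(path, g) for g in globs)


def scan_text(path: str, text: str, cfg: dict) -> List[dict]:
    """Run the enabled regex detectors, then the entropy detector, over one artifact."""
    disabled = set(cfg["disabled_detectors"])
    found = []
    for dtype, (regex, description) in PATTERNS.items():
        if dtype not in disabled and regex.search(text):
            found.append({"path": path, "type": dtype,
                          "description": description, "severity": "warning"})
    if "high_entropy" not in disabled:
        for tok in TOKEN_RE.findall(text):
            if (len(tok) >= cfg["min_entropy_length"]
                    and shannon_entropy(tok) >= cfg["entropy_threshold"]):
                found.append({"path": path, "type": "high_entropy",
                              "description": "High-entropy string detected",
                              "severity": "warning"})
                break  # one high-entropy finding per artifact is enough here
    return found


def scan_pack(artifacts: Dict[str, bytes], config: Optional[dict] = None) -> List[dict]:
    """Scan every artifact (path -> raw bytes), honouring ignore_paths and binary skipping."""
    cfg = {**DEFAULT_CONFIG, **(config or {})}
    detections = []
    for path, data in artifacts.items():
        if is_ignored(path, cfg["ignore_paths"]) or is_binary(data):
            continue
        detections.extend(scan_text(path, data.decode("utf-8", errors="replace"), cfg))
    return detections


# Constructed sample pack (not real artifacts). The AKIA value is AWS's documented example key.
SAMPLE_PACK = {
    "config/credentials.json": b'{"aws_access_key_id": "AKIAIOSFODNN7EXAMPLE"}',
    "artifacts/database.yml": b"url: postgres://admin:secret@db.example.com:5432/production\n",
    "keys/server.pem": b"-----BEGIN RSA PRIVATE KEY-----\nMIIEpAIBAAKCAQEA0Z3VS5JJcds...\n-----END RSA PRIVATE KEY-----\n",
    "artifacts/app.env": b"SESSION_SECRET=k9Fz3QmW7xT2vRb8LpJ4nHs6YdCa1GeU\n",  # 32 distinct chars: 5.0 bits/char
    "testdata/fixture.json": b'{"aws_access_key_id": "AKIAIOSFODNN7EXAMPLE"}',
    "bin/blob.dat": b"\x00\x01\x02AKIAIOSFODNN7EXAMPLE",  # contains a null byte: skipped as binary
}

if __name__ == "__main__":
    for d in scan_pack(SAMPLE_PACK, {"ignore_paths": ["testdata/**"]}):
        print(f"{d['path']}: {d['type']} ({d['description']})")
```

Two things the sketch makes visible that the tables only state: the example AWS key has an entropy of about 3.7 bits/char, so it is caught by the pattern detector rather than the entropy detector, and the 32-character value in app.env sits at exactly 5.0 bits/char, so raising entropy_threshold to 5.5 (or min_entropy_length above 32) is what makes it disappear, not the 5.0 threshold of the "Reduce False Positives" example below.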

Usage

Via epack CLI

# Run with defaults
epack tool run scan-secrets --pack ./my-evidence.epack

# Run with config file
epack tool run scan-secrets --pack ./my-evidence.epack --config scan-config.json

Via epack Build

Add to your build configuration to automatically scan during pack creation:

# epack.yaml
tools:
  scan-secrets:
    source: locktivity/epack-tool-scan-secrets@v1
    config:
      entropy_threshold: 4.0
      ignore_paths:
        - "testdata/**"
        - "*.test.json"
      disabled_detectors:
        - high_entropy

Configuration Examples

Reduce False Positives

Raise the entropy threshold and minimum string length, and ignore test fixtures:

tools:
  scan-secrets:
    source: locktivity/epack-tool-scan-secrets@v1
    config:
      entropy_threshold: 5.0
      min_entropy_length: 30
      ignore_paths:
        - "testdata/**"
        - "fixtures/**"
        - "*.test.*"

Focus on Specific Secrets

Disable detectors you don't need:

tools:
  scan-secrets:
    source: locktivity/epack-tool-scan-secrets@v1
    config:
      disabled_detectors:
        - slack_token
        - high_entropy

Increase Sensitivity

Lower thresholds to catch more potential secrets (may increase false positives):

tools:
  scan-secrets:
    source: locktivity/epack-tool-scan-secrets@v1
    config:
      entropy_threshold: 3.5
      min_entropy_length: 16

Output Files

File             Description
detections.json  JSON file containing all secret detections

Warnings

The tool adds warnings to the pack's result.json for each detection:

{
  "warnings": [
    {
      "code": "SECRET_DETECTED",
      "message": "aws_access_key: Possible AWS Access Key ID detected",
      "path": "config/credentials.json"
    }
  ]
}

Examples

Basic Usage

Run the tool on an evidence pack:

epack tool run scan-secrets --pack ./my-evidence.epack

Interpreting Results

Clean Scan

{
  "total": 0,
  "by_type": {},
  "by_severity": {},
  "detections": []
}

No potential secrets were detected in the pack.

Detections Found

{
  "total": 2,
  "by_type": {
    "aws_access_key": 1,
    "password": 1
  },
  "by_severity": {
    "warning": 2
  },
  "detections": [
    {
      "path": "artifacts/config.json",
      "type": "aws_access_key",
      "description": "Possible AWS Access Key ID detected",
      "severity": "warning"
    },
    {
      "path": "artifacts/database.yml",
      "type": "password",
      "description": "Possible password pattern detected",
      "severity": "warning"
    }
  ]
}

Common Detection Scenarios

AWS Credentials

# Detected pattern
AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

Private Keys

-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA0Z3VS5JJcds...
-----END RSA PRIVATE KEY-----

JWT Tokens

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIn0.dozjgNryP4J3jVmNHl0w5N_XgL0n3I9PlFUP0THsR8U

Connection Strings

mongodb://user:password@localhost:27017/mydb
postgres://admin:secret@db.example.com:5432/production

Handling False Positives

If the tool flags legitimate values (e.g., test fixtures), you can:

  1. Document known false positives in your pack metadata
  2. Use separate test data that doesn't match secret patterns
  3. Review detections as part of your pack validation process

Integration with CI/CD

Run secret scanning as part of your evidence pack pipeline:

# GitHub Actions example
- name: Scan for secrets
  run: |
    epack tool run scan-secrets --pack ./evidence.epack
    # Check for warnings in result.json
    if jq -e '.warnings | length > 0' result.json > /dev/null; then
      echo "Warning: Potential secrets detected"
      jq '.warnings' result.json
    fi
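The detections.json summary, the SECRET_DETECTED warnings in result.json, and the CI gate above are three views of the same detection list. The following added Python example (not the tool's own code) builds each of them from a constructed detection list in the shape shown on this page; the function names are assumptions, and add_warnings appends to an existing result.json rather than replacing it, since other tools may already have written warnings there.

```python
import json
from collections import Counter
from typing import List

# Constructed sample: what a scan of two artifacts might produce.
SAMPLE_DETECTIONS = [
    {"path": "artifacts/config.json", "type": "aws_access_key",
     "description": "Possible AWS Access Key ID detected", "severity": "warning"},
    {"path": "artifacts/database.yml", "type": "password",
     "description": "Possible password pattern detected", "severity": "warning"},
]


def summarize(detections: List[dict]) -> dict:
    """Build the detections.json document: total, by_type, by_severity, detections."""
    return {
        "total": len(detections),
        "by_type": dict(sorted(Counter(d["type"] for d in detections).items())),
        "by_severity": dict(sorted(Counter(d["severity"] for d in detections).items())),
        "detections": list(detections),
    }


def to_warnings(detections: List[dict]) -> List[dict]:
    """One SECRET_DETECTED warning per detection, message '<type>: <description>'."""
    return [{"code": "SECRET_DETECTED",
             "message": f"{d['type']}: {d['description']}",
             "path": d["path"]} for d in detections]


def add_warnings(result: dict, detections: List[dict]) -> dict:
    """Append to result.json without discarding warnings other tools already wrote."""
    merged = dict(result)
    merged["warnings"] = list(result.get("warnings", [])) + to_warnings(detections)
    return merged


def has_warnings(result: dict) -> bool:
    """Same test as the CI step's jq -e '.warnings | length > 0'."""
    return len(result.get("warnings", [])) > 0


def secret_warnings(result: dict) -> List[dict]:
    """Narrow the gate to this tool's own warnings when other tools share result.json."""
    return [w for w in result.get("warnings", []) if w.get("code") == "SECRET_DETECTED"]


if __name__ == "__main__":
    # Constructed: a result.json that already holds a warning from another tool.
    existing = {"warnings": [{"code": "OTHER_TOOL", "message": "x", "path": "y"}]}
    result = add_warnings(existing, SAMPLE_DETECTIONS)
    print(json.dumps(summarize(SAMPLE_DETECTIONS), indent=2))
    if has_warnings(result):
        print(f"Warning: {len(secret_warnings(result))} potential secret(s) detected")
```

The jq check in the workflow above reports any warning at all; secret_warnings is the narrower check to use if result.json is shared with other tools and only this tool's findings should drive the message.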

v0.1.0 Latest
2026-02-24

Full Changelog: https://github.com/locktivity/epack-tool-scan-secrets/commits/v0.1.0

Platforms: darwin/amd64 darwin/arm64 linux/amd64 linux/arm64

Details

Publisher
locktivity
Latest
v0.1.0
Protocol
v1