
Secret Detection

Detect hardcoded secrets in your codebase using pattern matching and entropy analysis. Supports AWS, Azure, GCP, Stripe, and 40+ other secret types.


How It Works

Secret detection uses two methods:

  1. Pattern Matching - Regex patterns for known secret formats (AWS keys, API tokens)
  2. Entropy Analysis - Detects high-entropy strings that may be secrets

Enable secret detection when registering the services:

builder.Services.AddPrimusSecurity(opts =>
{
    opts.EnableSecretDetection = true;
});

Supported Secret Types

Category   Patterns
AWS        Access Key ID, Secret Access Key
Azure      Connection Strings, Storage Keys
GCP        Service Account Keys
Stripe     API Keys (Live & Test)
GitHub     Personal Access Tokens
Generic    Private Keys (RSA, DSA, EC), High Entropy Strings

API Usage

Detect Secrets in Content

// Controller action that scans the posted content for secrets.
// `logger` is an ILogger obtained through the controller's constructor (not shown here).
[HttpPost("detect-secrets")]
public IActionResult DetectSecrets([FromBody] DetectSecretsRequest request)
{
    // Pattern provider backed by SecretPatterns.json; the null second argument
    // is assumed to mean "no per-call override of the configured data path".
    var patternProvider = new FileSecretPatternProvider(logger, null);
    var detector = new SecretDetector(logger, patternProvider);

    // One finding per matched secret, carrying the line it was found on
    var findings = detector.Scan(request.Content, request.FileName);

    return Ok(new
    {
        SecretsFound = findings.Count(),
        Findings = findings
    });
}

Request

{
  "content": "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\nAWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
  "fileName": "config.env"
}

Notes:

  • content is required. Empty or missing content returns HTTP 400.

Response

{
  "secretsFound": 2,
  "findings": [
    {
      "ruleId": "SEC001",
      "severity": "Critical",
      "title": "AWS Access Key ID",
      "line": 1,
      "remediation": "Remove hardcoded key. Use environment variables or AWS IAM roles."
    },
    {
      "ruleId": "SEC002",
      "severity": "Critical",
      "title": "AWS Secret Access Key",
      "line": 2,
      "remediation": "Use AWS Secrets Manager or environment variables."
    }
  ]
}

Custom Patterns

Add custom patterns via SecretPatterns.json:

{
  "patterns": [
    {
      "id": "CUSTOM001",
      "name": "My API Key",
      "pattern": "myapp_[a-zA-Z0-9]{32}",
      "severity": "High",
      "description": "MyApp API Key detected",
      "remediation": "Use environment variables instead"
    }
  ]
}

Configure the path:

builder.Services.AddPrimusSecurity(opts =>
{
    opts.DataPath = "/app/security-data"; // Contains SecretPatterns.json
});
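The two detection methods from "How It Works" and the custom-pattern file above, worked through end to end as an added example. This is not the library's code: it is a small Python scanner written for this page that runs the page's regex rules and a custom SecretPatterns.json document over constructed sample content, then runs Shannon entropy analysis only over tokens no pattern explained, and produces findings in the same shape as the detect-secrets response. The regexes for the built-in rules, the 20-character token floor, the 4.0-bit threshold and the SEC003/SEC-ENTROPY ids are assumptions made for the example; the SEC001/SEC002 ids, titles and remediation text are taken from the page.

```python
import json
import math
import re
from dataclasses import dataclass, asdict

# Built-in rules. Ids, titles, severities and remediation text for SEC001/SEC002
# follow the page; the regexes and SEC003 are assumptions for this example.
BUILTIN_PATTERNS = [
    {"id": "SEC001", "name": "AWS Access Key ID", "severity": "Critical",
     "pattern": r"\bAKIA[0-9A-Z]{16}\b",
     "remediation": "Remove hardcoded key. Use environment variables or AWS IAM roles."},
    {"id": "SEC002", "name": "AWS Secret Access Key", "severity": "Critical",
     "pattern": r"(?i)aws_secret_access_key\s*=\s*[A-Za-z0-9/+=]{40}",
     "remediation": "Use AWS Secrets Manager or environment variables."},
    {"id": "SEC003", "name": "Private Key", "severity": "Critical",
     "pattern": r"-----BEGIN (?:RSA |DSA |EC )?PRIVATE KEY-----",
     "remediation": "Remove the key from source control and rotate it."},
]

# A custom pattern file in the page's SecretPatterns.json shape, embedded here
# (constructed) so the example runs offline instead of reading DataPath.
CUSTOM_PATTERNS_JSON = """
{
  "patterns": [
    {"id": "CUSTOM001", "name": "My API Key", "pattern": "myapp_[a-zA-Z0-9]{32}",
     "severity": "High", "description": "MyApp API Key detected",
     "remediation": "Use environment variables instead"}
  ]
}
"""


def load_patterns(json_text: str) -> list[dict]:
    """Parse a SecretPatterns.json document; compile each regex up front so a
    malformed custom pattern fails at load time rather than mid-scan."""
    rules = json.loads(json_text)["patterns"]
    for rule in rules:
        re.compile(rule["pattern"])
    return rules


def shannon_entropy(s: str) -> float:
    """Bits per character: 0.0 for a run of one symbol, log2(len(s)) when
    every character is distinct."""
    n = len(s)
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


@dataclass
class Finding:
    ruleId: str
    severity: str
    title: str
    line: int
    remediation: str


# Candidate tokens for the entropy pass: 20+ chars of base64/hex-like alphabet.
# The length floor and the 4.0-bit default threshold are assumed tuning values.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/_\-]{20,}")
ENTROPY_RULE = {"id": "SEC-ENTROPY", "name": "High Entropy String", "severity": "Medium",
                "remediation": "Review this value; if it is a credential, move it to a secret store."}


def scan(content: str, patterns: list[dict], entropy_threshold: float = 4.0) -> list[Finding]:
    findings = []
    for lineno, text in enumerate(content.splitlines(), start=1):
        covered = []  # spans on this line already explained by a pattern rule
        # 1. Pattern matching: every rule, every match on the line.
        for rule in patterns:
            for m in re.finditer(rule["pattern"], text):
                findings.append(Finding(rule["id"], rule["severity"], rule["name"],
                                        lineno, rule["remediation"]))
                covered.append(m.span())
        # 2. Entropy analysis only on tokens no pattern accounted for, so a known
        #    AWS key is reported once (as SEC001), not again as "high entropy".
        for m in TOKEN_RE.finditer(text):
            if any(s <= m.start() and m.end() <= e for s, e in covered):
                continue
            if shannon_entropy(m.group()) >= entropy_threshold:
                findings.append(Finding(ENTROPY_RULE["id"], ENTROPY_RULE["severity"],
                                        ENTROPY_RULE["name"], lineno, ENTROPY_RULE["remediation"]))
    return findings


def to_response(findings: list[Finding]) -> dict:
    """Same shape as the detect-secrets endpoint's JSON response."""
    return {"secretsFound": len(findings), "findings": [asdict(f) for f in findings]}


ALL_PATTERNS = BUILTIN_PATTERNS + load_patterns(CUSTOM_PATTERNS_JSON)

# Constructed sample input: the page's AWS placeholder values, a token matching
# the custom rule, one random-looking string, one low-entropy string, a PEM header.
SAMPLE_CONTENT = "\n".join([
    "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",
    "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "MYAPP_KEY=myapp_0123456789abcdef0123456789abcdef",
    "SESSION_TOKEN=q7Gx2pLm9VdR4sKw8ZtY1nHb3JcF6uE0",
    "BANNER=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
    "-----BEGIN RSA PRIVATE KEY-----",
])

if __name__ == "__main__":
    print(json.dumps(to_response(scan(SAMPLE_CONTENT, ALL_PATTERNS)), indent=2))
```

Running it reports five findings: SEC001 on line 1, SEC002 on line 2, CUSTOM001 on line 3, SEC-ENTROPY on line 4 (32 distinct characters, 5.0 bits per character) and SEC003 on line 6; the 32 repeated `a` characters on line 5 score 0 bits and are ignored. Suppressing the entropy pass over spans a pattern already matched is what keeps the output to one finding per secret, which matters when the Policy Engine counts findings to block a build.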

Severity Levels

Severity   Examples
Critical   AWS/Azure/GCP credentials, Private keys
High       API tokens, Database passwords
Medium     Generic high-entropy strings
Low        Potential false positives

Next Steps

Want to...                      See Guide
Scan dependencies for CVEs      Dependency Scanning
Block builds on secrets         Policy Engine
Generate compliance reports     Enterprise Reporting