Secrets scanning

Keep your secrets secret wherever they are

Publicly exposed secrets such as passwords, credentials, API keys, and important tokens are just as easy to overlook as they are easy to leverage in an attack. Secrets scanning is an important component of any code security program and requires coverage across each phase of the development lifecycle.

With its code-to-cloud coverage and developer integrations, Bridgecrew makes it easy to detect secrets that have been exposed and remove them from all files in your repositories and delivery pipelines.

Our approach

Managing access securely and storing secrets is easier said than done

Managing important credentials such as passwords, API keys, and tokens is a responsibility with little to no room for failure. To reduce incidents caused by secrets theft, we help teams focus on these areas and more:

Hardcoded secrets

Hardcoded credentials are easier for developers to use and access but is not a best practice. It’s especially dangerous in matrixed development organizations and within cloud-based repos.

Public exposure

Secrets can often wind up exposed in public repositories in your VCS or registry. Additionally, any secret added directly into CI/CD configuration files may be visible in a VCS or can be exposed in build logs.

Key rotation & revocation

Secrets management tools automate the creation and storage of secrets. But they also cover revocation and rotation, which is especially important in the case of a leak or compromise.

Checklist: Secrets security for cloud-native stacks

Protect your secrets with these actionable tips


Multi-dimensional secrets scanning across the development lifecycle

Many secret scanning tools scan disparately for only one type of secret or at only one phase of the development lifecycle, which can create unwanted noise from false positives or miss secrets altogether.

  • Bridgecrew combines detectors to scan for keywords, regular expressions, and high entropy patterns to analyze thousands of potential detected secrets to surface actionable and real risks.
  • With its code to cloud coverage, Bridgecrew also detects secrets in IaC and container images via developer integrations as well as in Git repositories and running cloud resources.

Detect secrets in build-time

Powered by Checkov, Bridgecrew scans for hard coded secrets in code pre-commit, in your VCS, and in your CI pipeline.

Detect secrets in runtime

Identify exposed secrets in running workloads and cloud resources with built-in Bridgecrew runtime policies.

Start uncovering exposed secrets from code to cloud

Sign up for a free 14-day Bridgecrew trial or get a Prisma Cloud Code Security demo.