
Secret Detection

Secret Detection is a security testing practice that scans code repositories for exposed credentials, API keys, tokens, and other sensitive information. Detecting and addressing exposed secrets early helps prevent unauthorized access and security breaches.

With Harness Security Testing Orchestration (STO), you can run Secret Detection with the supported scanners, and STO applies its security orchestration features to the results: normalization, deduplication, and formatting of findings into actionable insights.

Set up Secret Detection with Harness STO

You can configure secret detection in Harness STO using the supported scanners:

  • Gitleaks – You can either set up Gitleaks manually or use the Built-in Scanner approach, which provides a pre-configured setup for running Gitleaks without additional configuration; with the Built-in Scanner, STO handles the setup automatically. Because Gitleaks is open source, running it within Harness STO does not require a paid license.

  • The following scanners automatically detect secrets in the code repository when used for SAST or SCA. These findings are categorized under the Secret issue type in the scan results. If your pipeline includes any of these scanners, they are already scanning for secrets in your code repository:

If you need to use a different scanner for Secret Detection, you can explore additional scanners that are compatible with the Custom Scan step. If the Custom Scan step does not support the scanner you need, you can use the Custom Ingestion step to ingest and process your scan results.
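To make concrete what a secret scanner produces and what the normalization and deduplication described above do to its raw output, here is an added, self-contained illustration in Python. It is not Harness STO or Gitleaks code: the two detection rules (an AWS access key ID pattern and a Gitleaks-style generic key rule gated by a Shannon-entropy cut-off), the entropy threshold, the finding record layout and the fingerprint scheme are all assumptions chosen for the example, and the sample repository content is constructed. The same credential committed in two files is collapsed into one finding with two locations, which is the kind of deduplication a scan orchestrator performs before reporting.

```python
"""Minimal secret-detection pass with normalization and deduplication.

Added illustration only; not Harness STO or Gitleaks code. Rules, threshold,
fingerprinting and the Finding layout are assumptions made for this example.
"""
import hashlib
import math
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample repository content: path -> file text.
SAMPLE_FILES = {
    "config/settings.py": (
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        'DB_PASSWORD = "hunter2"\n'
        'API_TOKEN = "sk_live_9f8e7d6c5b4a39281726354fbdc0a1b2"\n'
    ),
    "scripts/deploy.sh": (
        "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        'echo "deploying"\n'
    ),
    "README.md": "Set API_TOKEN in your environment.\n",
}

ENTROPY_THRESHOLD = 3.0  # assumed cut-off; real scanners tune this per rule

# Assumed Gitleaks-style rules: rule id -> regex whose group "secret" is the credential.
RULES = {
    "aws-access-key-id": re.compile(r"\b(?P<secret>AKIA[0-9A-Z]{16})\b"),
    "generic-api-key": re.compile(
        r"(?i)(api[_-]?key|token|secret|password)\s*[:=]\s*['\"]?"
        r"(?P<secret>[A-Za-z0-9_\-]{8,})"
    ),
}


def shannon_entropy(value: str) -> float:
    """Bits per character; low values indicate placeholders or plain words."""
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values())


@dataclass
class Finding:
    rule_id: str
    fingerprint: str  # stable id used to deduplicate across files and scans
    masked_secret: str  # never store the raw credential in a report
    locations: list = field(default_factory=list)  # (path, line_no) pairs


def scan_file(path: str, text: str) -> list:
    """Return raw hits as (rule_id, secret, path, line_no) tuples."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule_id, pattern in RULES.items():
            m = pattern.search(line)
            if not m:
                continue
            secret = m.group("secret")
            # The generic rule is noisy, so it also requires a high-entropy value;
            # short dictionary passwords such as "hunter2" are a known false negative.
            if rule_id == "generic-api-key" and shannon_entropy(secret) < ENTROPY_THRESHOLD:
                continue
            hits.append((rule_id, secret, path, line_no))
    return hits


def collect_hits(files: dict) -> list:
    hits = []
    for path, text in files.items():
        hits.extend(scan_file(path, text))
    return hits


def deduplicate(hits: list) -> list:
    """Collapse repeated occurrences of the same credential into one Finding."""
    findings = {}
    for rule_id, secret, path, line_no in hits:
        fp = hashlib.sha256(f"{rule_id}:{secret}".encode()).hexdigest()[:16]
        masked = secret[:4] + "*" * (len(secret) - 4)
        finding = findings.setdefault(fp, Finding(rule_id, fp, masked))
        finding.locations.append((path, line_no))
    return list(findings.values())


def scan_repo(files: dict) -> list:
    return deduplicate(collect_hits(files))


if __name__ == "__main__":
    for f in scan_repo(SAMPLE_FILES):
        print(f.rule_id, f.fingerprint, f.masked_secret, f.locations)
```

Three raw hits become two findings: the AWS key is reported once with both file locations, the live-style API token once, and the short password is missed by the entropy-gated generic rule, which is exactly the trade-off a dedicated scanner's tuned rule set is meant to improve on.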

Next steps

After running a security scan, you can take the following actions: