Secrets detection

Keep hardcoded credentials, passwords, and secrets out of your codebase

Hardcoded secrets in source code (API keys, database passwords, private keys) frequently lead to breaches when repositories are exposed or shared. DeepSource scans every commit for leaked credentials and flags them before they reach production.

How it works

DeepSource uses a hybrid detection engine that combines pattern matching with AI-powered classification. Regex-based rules scan every commit to identify candidate secrets fast. Then Narada, an open-source classification model, analyzes each match in context — distinguishing real credentials from test values, examples, and placeholders.

This hybrid approach eliminates the noise that makes regex-only scanners unusable:

  • 93% fewer false positives: from 222 down to 16 in benchmarks
  • 97% precision: when it flags something, it's almost certainly a real secret
  • 96.3% recall: real secrets don't slip through the cracks
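To make the two-stage shape concrete, here is an added Python sketch (not DeepSource's or Narada's code): regex rules produce candidates, a small context filter standing in for the classifier discards test fixtures, documentation placeholders and low-entropy values, and precision and recall are computed against a labelled sample so the gap between regex-only and filtered output is visible. The rule patterns, path and placeholder heuristics, entropy threshold and the sample repository are all constructed assumptions; the numbers it produces describe this toy sample, not the benchmark figures above.

```python
"""Two-stage secrets scanner: fast regex candidates, then context filtering.

Added example. Rules and heuristics are illustrative assumptions, not the
DeepSource or Narada implementation; the sample repository is constructed.
"""
import math
import re
from dataclasses import dataclass

# Stage 1: cheap regex rules that surface candidate secrets (assumed patterns).
CANDIDATE_RULES = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "private_key_block": re.compile(
        r"(-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----)"
    ),
    "generic_assignment": re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
    ),
}

# Stage 2 heuristics standing in for the context classifier (assumed values).
NON_PRODUCTION_DIRS = {"fixtures", "docs", "examples", "samples"}
DOC_SUFFIXES = (".md", ".rst", ".txt")
PLACEHOLDER_MARKERS = ("example", "changeme", "placeholder", "your_", "dummy", "xxxx", "<", ">")
MIN_ENTROPY_BITS = 3.0  # bits per character below which a literal looks hand-typed


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    rule: str
    value: str


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; random-looking secrets score high."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(text.count(c) / n * math.log2(text.count(c) / n) for c in set(text))


def find_candidates(files: dict[str, str]) -> list[Finding]:
    """Stage 1: run every rule over every line of every file (regex-only result)."""
    found = []
    for path, text in files.items():
        for line_no, line in enumerate(text.splitlines(), start=1):
            for rule, pattern in CANDIDATE_RULES.items():
                for match in pattern.finditer(line):
                    found.append(Finding(path, line_no, rule, match.group(1)))
    return found


def looks_real(finding: Finding) -> bool:
    """Stage 2: drop matches whose context says test fixture, docs or placeholder."""
    path = finding.path.lower()
    segments = path.split("/")
    if any(seg.startswith("test") or seg in NON_PRODUCTION_DIRS for seg in segments):
        return False
    if path.endswith(DOC_SUFFIXES):
        return False
    value = finding.value.lower()
    if any(marker in value for marker in PLACEHOLDER_MARKERS):
        return False
    # Fixed-format rules (AWS ids, PEM headers) carry their own structure; only
    # free-form assignments need the entropy check.
    if finding.rule == "generic_assignment" and shannon_entropy(finding.value) < MIN_ENTROPY_BITS:
        return False
    return True


def scan(files: dict[str, str]) -> list[Finding]:
    """Hybrid result: regex candidates that survive the context filter."""
    return [f for f in find_candidates(files) if looks_real(f)]


def precision_recall(findings: list[Finding], truth: set[tuple[str, int]]) -> tuple[float, float]:
    """Compare (path, line) pairs against a labelled set of real secrets."""
    reported = {(f.path, f.line_no) for f in findings}
    tp = len(reported & truth)
    precision = tp / len(reported) if reported else 0.0
    recall = tp / len(truth) if truth else 0.0
    return precision, recall


# Constructed sample repository; none of these values is a real credential.
SAMPLE_REPO = {
    "src/config.py": (
        'DB_PASSWORD = os.environ["DB_PASSWORD"]\n'       # env lookup, no literal
        'API_KEY = "q7Gz2pLm9vXr4sKd8nHb3wYe"\n'           # constructed, live-looking
        "AWS_ACCESS_KEY_ID = 'AKIA2F7Q9ZB1XK4M8PLW'\n"     # constructed fake key id
    ),
    "src/keys/deploy.pem": (
        "-----BEGIN RSA PRIVATE KEY-----\nMIIEconstructedNotARealKey\n-----END RSA PRIVATE KEY-----\n"
    ),
    "tests/test_auth.py": 'password = "hunter2-test-fixture"\n',   # test fixture
    "README.md": 'api_key = "YOUR_API_KEY_HERE"\n',                 # doc placeholder
    "src/settings.py": 'secret = "changeme_changeme"\n',           # placeholder marker
    "src/defaults.py": 'token = "aaaaaaaaaaaa"\n',                 # low entropy
}
# Labelled ground truth for the sample: only these three lines hold real secrets.
GROUND_TRUTH = {("src/config.py", 2), ("src/config.py", 3), ("src/keys/deploy.pem", 1)}

if __name__ == "__main__":
    regex_only = find_candidates(SAMPLE_REPO)
    hybrid = scan(SAMPLE_REPO)
    print("regex-only precision/recall:", precision_recall(regex_only, GROUND_TRUTH))
    print("hybrid     precision/recall:", precision_recall(hybrid, GROUND_TRUTH))
    for f in hybrid:
        print(f"{f.path}:{f.line_no} [{f.rule}]")
```

On the sample, stage 1 reports seven candidates of which three are real, and the context filter removes exactly the four fixtures, placeholders and low-entropy literals, which is the false-positive reduction the page describes in miniature. In a real pipeline the filter would be the learned classifier; the point of the sketch is the division of labour, not the specific heuristics.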

What it detects

Detected secret types include:

  • AWS credentials and access keys
  • API tokens and keys
  • Database connection strings and passwords
  • Private keys (SSH, PGP, TLS)
  • Authentication and session tokens
  • Service account credentials
  • OAuth client secrets and refresh tokens

Getting started

The hybrid secrets detection engine is enabled by default for all new teams.

If your team was created before the hybrid engine launched, you can switch to it in Settings → General → Preferences.

Once enabled, secrets detection runs automatically on every commit. No additional configuration is needed.
