## Definition
Secret scanning detects technical artifacts that grant access to systems, applications, infrastructure or data. Unlike broad data classification, it focuses on credentials and access material.
## What counts as a secret?
- Passwords and passphrases
- API keys and personal access tokens
- OAuth tokens and session tokens
- SSH and TLS private keys
- Database connection strings
- Cloud access keys and service account credentials
## Where secrets hide
Secrets often appear in repositories, but also in network shares, SharePoint libraries, OneDrive folders, archives, runbooks, exported configs and troubleshooting notes.
| Location | Typical example |
|---|---|
| Repository | .env committed by mistake |
| Network share | legacy script with password |
| SharePoint | deployment note with connection string |
| OneDrive | synced config export |
| Archive | release ZIP containing private key |
## What happens after detection?
Good secret scanning should lead to action: confirm the finding, identify the owner, rotate or revoke the secret, remove exposed copies, document evidence and monitor recurrence.
## FAQ
### Is secret scanning the same as DLP?
No. DLP is broader and often focuses on regulated or sensitive business data. Secret scanning focuses specifically on credentials and access artifacts.
### Should organizations scan outside Git?
Yes. Many credentials are copied into files, docs, archives, backup folders and collaboration platforms that repository-only scanners do not cover.
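As an added example (not code from this page or from any scanning product), a minimal Python scanner for the locations in "Where secrets hide" and the FAQ answer on scanning outside Git: it pattern-matches the secret classes listed above in loose files and inside ZIP archives, and redacts each hit so evidence can be documented without copying the secret. The regexes, file names and sample contents are constructed for illustration.

```python
import io
import re
import zipfile

# Detection regexes for the secret classes listed on this page, most specific first (the first
# kind matching a line is reported). Constructed: real scanners add vendor formats and entropy checks.
PATTERNS = {
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "connection_string": re.compile(
        r"(?i)(?:Server|Data Source|Host)=[^;]+;[^\n]*?(?:Password|Pwd)=([^;\s]+)"),
    "password_assignment": re.compile(
        r"(?i)(?:password|passwd|pwd)\s*[=:]\s*['\"]?([^'\";\s]+)"),
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
}

def redact(value):
    """Keep a 4-character prefix so evidence can be recorded without re-exposing the secret."""
    return value[:4] + "..."

def scan_text(text, origin):
    """Return (origin, kind, line_no, redacted_match) for each line that hits a pattern."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            match = pattern.search(line)
            if match:
                findings.append((origin, kind, line_no, redact(match.group(match.lastindex or 0))))
                break
    return findings

def scan_blob(data, origin):
    """Scan raw file bytes; ZIP archives are expanded so packaged files (release ZIPs) are covered."""
    if data[:4] == b"PK\x03\x04":
        findings = []
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            for member in archive.namelist():
                if not member.endswith("/"):
                    findings += scan_blob(archive.read(member), f"{origin}!{member}")
        return findings
    return scan_text(data.decode("utf-8", errors="ignore"), origin)

def demo():
    """Constructed inputs: a release ZIP carrying a private key, and a deployment note with a DB connection string."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("config/id_rsa", "-----BEGIN RSA PRIVATE KEY-----\nMIIEconstructed...\n")
        archive.writestr("README.txt", "Nothing sensitive here.\n")
    note = "Prod DB: Server=db01;Database=app;User Id=svc;Password=Hunter2Example;\n"
    return scan_blob(buf.getvalue(), "release.zip") + scan_blob(note.encode(), "deploy-note.txt")
```

Each finding carries the origin (archive member paths are suffixed with `!member`), the secret class, the line number and a redacted prefix, which is the evidence needed to confirm the finding, find the owner and rotate the secret.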