Hardcoded passwords
Credentials embedded in scripts, notes, configuration files or handover documents.
Source coverage
Secret scanning for Git repositories
Git repositories remain a critical source of exposed secrets. Even if a credential is removed from the latest file version, it may still exist in commit history, branches, forks or archived copies.
Why it matters
This source can quietly accumulate access risk.
Onyxaris helps security teams scan this environment for exposed secrets and prioritize findings based on context and risk.
Common exposure patterns
- Secrets committed by mistake
- CI/CD tokens in pipeline definitions
- Private keys in test assets
- Credentials in old branches
- Secrets removed from HEAD but present in history
- Repository exports copied into file shares
Detection examples
What Onyxaris looks for.
API keys and tokens
Access artifacts for SaaS services, internal applications, automation and CI/CD workflows.
Connection strings
Database or service connection strings with usernames, passwords, hosts and environment hints.
Private keys and certificates
SSH keys, TLS keys, key material and certificates stored in files or archives.
Cloud credentials
Cloud provider access keys, service account credentials and infrastructure secrets.
Sensitive config files
.env, .ini, .yaml, .json, .xml and application configuration files.
Outcome
Move from unknown exposure to prioritized cleanup.
Build a risk-based view of where secrets exist, which locations matter, and what teams should fix first.
| Finding | Context that helps | Typical action |
|---|---|---|
| Password in script | Path, owner hints, source and age | Rotate and replace with managed secret |
| API key in document | Document location and sharing state | Revoke, rotate and remove |
| Private key in archive | Nested path and recurrence | Replace keypair and delete copies |
| Connection string | Environment hints and database target | Rotate password and restrict access |
Start focused
Scan this source first.
Start with a focused exposure assessment for one high-risk environment, then expand coverage when the process is proven.