
Secrets Detection

Detects API keys, passwords, and credentials

API Field: secrets_enabled

Overview

Secrets Detection identifies sensitive credentials that should never be exposed in AI conversations. This includes API keys, passwords, tokens, connection strings, and other authentication secrets that could be exploited if leaked.

What It Detects

  • API keys (OpenAI, AWS, Google, etc.)
  • Passwords and passphrases
  • OAuth tokens and refresh tokens
  • JWT tokens
  • Database connection strings
  • Private keys and certificates
  • Webhook secrets
  • Environment variables with sensitive data

Why It Matters

Exposed secrets can lead to unauthorized access to systems, data breaches, financial losses, and complete compromise of your infrastructure. A single leaked API key can cost thousands in unauthorized usage.

Technical Details

Risk Score Range

0.0 - 1.0 (High risk: > 0.7)

Confidence Level

Typically 0.92 - 0.99

Processing Time

< 40ms per scan

Common Use Cases

  • Developer assistance tools
  • Code review automation
  • DevOps chatbots
  • Documentation generators
  • Support ticket analysis

Detection Examples

Threat Example #1 (Risk: 99%)
Here's my OpenAI key: sk-proj-abc123def456...

Exposed OpenAI API key - immediate revocation recommended.

Threat Example #2 (Risk: 98%)
AWS_ACCESS_KEY_ID=AKIA1234567890ABCDEF

AWS access key exposed - could lead to cloud infrastructure compromise.

Threat Example #3 (Risk: 95%)
The database password is: MyS3cur3P@ssw0rd!

Plain text password exposure - critical security risk.
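The three examples above are all recognisable by shape: a vendor prefix (sk-, AKIA), or a credential word followed by a value. As an added example, not BenGuard's own scanner code, the block below implements that kind of pattern matching over the categories in "What It Detects" and returns a result shaped like the per-scanner result in "Response Format". The risk scores for the OpenAI, AWS and password rules are the ones shown on this page; the other rules, their scores, the plausibility filter and the sample inputs are this example's own assumptions. A detector this simple misses secrets with no recognisable prefix, which is why findings are redacted before they are reported: a scanner that copies the secret into its own output only widens the leak.

```python
"""Regex-based secrets detector (added example; not BenGuard's own scanner code)."""
import re
from dataclasses import dataclass, asdict

HIGH_RISK = 0.7  # the page's high-risk threshold on the 0.0 - 1.0 risk score


@dataclass
class Finding:
    kind: str
    risk_score: float
    start: int
    end: int
    evidence: str  # redacted on purpose: the secret is never echoed into logs or responses


# (kind, pattern, risk score, heuristic?). Scores for the OpenAI, AWS and password rules
# follow this page's detection examples; every other score is an assumption. Where a rule
# has a capturing group, group 1 is the secret; otherwise the whole match is. Heuristic
# rules match free text and get a plausibility filter to cut false positives.
RULES = [
    ("openai_api_key", re.compile(r"\bsk-(?:proj-)?[A-Za-z0-9_-]{20,}"), 0.99, False),
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b"), 0.98, False),
    ("private_key_block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |)PRIVATE KEY-----"), 0.99, False),
    ("jwt", re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+"), 0.90, False),
    ("db_connection_string",
     re.compile(r"\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?|redis)://[^\s:/@]+:([^\s@]+)@"),
     0.95, False),
    ("stripe_webhook_secret", re.compile(r"\bwhsec_[A-Za-z0-9]{16,}"), 0.95, False),
    ("password_assignment",
     re.compile(r"(?i)\b(?:password|passwd|passphrase)\s*(?:is\s*[:=]?|[:=])\s*[\"']?([^\s\"']{8,})"),
     0.95, True),
    ("sensitive_env_var",
     re.compile(r"\b[A-Z0-9_]*?(?:SECRET|TOKEN|PASSWORD|API_KEY|ACCESS_KEY|PRIVATE_KEY)[A-Z0-9_]*"
                r"\s*=\s*[\"']?([^\s\"']{8,})"),
     0.85, True),
]


def _plausible_secret(candidate: str) -> bool:
    """Cheap filter for free-text rules: drop plain words such as 'not' or 'required'."""
    return len(candidate) >= 8 and any(not c.isalpha() for c in candidate)


def _redact(secret: str) -> str:
    """Keep a short prefix so a finding can be triaged without re-exposing the value."""
    return f"{secret[:4]}...({len(secret)} chars)"


def scan_for_secrets(text: str) -> dict:
    """Return detected flag, overall risk (max over findings) and redacted findings."""
    candidates = []
    for kind, pattern, risk, heuristic in RULES:
        for m in pattern.finditer(text):
            secret = m.group(1) if m.lastindex else m.group(0)
            if heuristic and not _plausible_secret(secret):
                continue
            candidates.append(Finding(kind, risk, m.start(), m.end(), _redact(secret)))
    # Two rules can hit the same span (OPENAI_API_KEY=sk-... is both an env var and an
    # OpenAI key); keep the highest-risk, most specific finding for each region.
    findings: list[Finding] = []
    for cand in sorted(candidates, key=lambda f: -f.risk_score):
        if not any(cand.start < kept.end and kept.start < cand.end for kept in findings):
            findings.append(cand)
    findings.sort(key=lambda f: f.start)
    risk = max((f.risk_score for f in findings), default=0.0)
    return {"threat_detected": risk > HIGH_RISK, "risk_score": risk,
            "findings": [asdict(f) for f in findings]}


# Constructed sample inputs (not real credentials); the first three mirror the page's examples.
SAMPLES = [
    "Here's my OpenAI key: sk-proj-abc123def456ghi789jkl012mno345",
    "AWS_ACCESS_KEY_ID=AKIA1234567890ABCDEF",
    "The database password is: MyS3cur3P@ssw0rd!",
    "DATABASE_URL=postgres://app:s3cretPass123@db.internal:5432/prod",
    "Please reset your password if it has not changed in 90 days.",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(scan_for_secrets(sample))
```

The last sample shows the value of the plausibility filter: "password if" has the credential word but no separator and no value, so it is left alone. Overlap suppression matters in the second sample, where the env-var rule and the AWS rule both fire on the same text and only the more specific AWS finding is kept.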

API Usage

Enable this scanner by setting secrets_enabled to true in the settings of the API key you send, or by including secrets_enabled in the request. A minimal scan request looks like this:

curl -X POST https://benguard.io/api/v1/scan \
  -H "X-API-Key: ben_your_api_key_here" \
  -H "Content-Type: application/json" \
  -d '{
    "prompt": "Your user input here"
  }'

The scanner settings are configured per API key in your dashboard under Settings → Scanner Configuration.

Response Format

When this scanner detects a threat, the response will include:

{
  "is_valid": false,
  "status": "threat_detected",
  "risk_score": 0.99,
  "threat_types": ["secrets"],
  "details": {
    "results": [
      {
        "scanner": "secrets",
        "threat_detected": true,
        "risk_score": 0.99,
        "confidence": 0.92,
        "details": {
          "reason": "Exposed OpenAI API key - immediate revocation recommended.",
          "evidence": ["detected pattern in input"]
        }
      }
    ]
  },
  "request_id": "req_abc123"
}

Best Practices

  • Never include secrets in prompts, even for debugging
  • Use secret management systems (Vault, AWS Secrets Manager)
  • Implement automatic secret rotation
  • Scan all inputs before processing
  • Alert security teams on detection and treat the credential as compromised: revoke and rotate it rather than only blocking the prompt
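Putting the "API Usage" and "Response Format" sections together with the practices above, here is an added example (not BenGuard's client code) of a gate that sends user input to the scan endpoint before it reaches the model, reads the documented response, and raises an alert on a secrets hit. The endpoint, the X-API-Key header, the request body and the response fields are taken from this page; the injectable transport, the fail-closed policy when the scan cannot be completed, the alert format and the constructed offline responses are this example's own design. The scanner is assumed to be enabled on the key in the dashboard.

```python
"""Gate prompts through the BenGuard scan endpoint (added example; not BenGuard's client code)."""
import json
import logging
import urllib.request

SCAN_URL = "https://benguard.io/api/v1/scan"  # endpoint shown on this page
ALERT_LOG = logging.getLogger("benguard.secrets")


def post_json(url: str, headers: dict, body: dict) -> dict:
    """Default transport: one POST to the scan endpoint, JSON in, JSON out."""
    req = urllib.request.Request(url, data=json.dumps(body).encode("utf-8"),
                                 headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp)


def scan_prompt(prompt: str, api_key: str, transport=post_json) -> dict:
    """Send the prompt for scanning; which scanners run is configured on the key."""
    headers = {"X-API-Key": api_key, "Content-Type": "application/json"}
    return transport(SCAN_URL, headers, {"prompt": prompt})


def gate_prompt(prompt: str, api_key: str, transport=post_json, alert=ALERT_LOG.warning) -> dict:
    """Decide whether the prompt may proceed to the model.

    Fails closed: if the scan cannot be completed the prompt is blocked rather than
    passed through unscanned (this example's policy, not something the API imposes).
    The prompt text is never placed in the alert, so a leaked secret is not copied
    into the logging pipeline as well; the request_id is enough to find the event.
    """
    try:
        result = scan_prompt(prompt, api_key, transport)
    except Exception as exc:  # network error, timeout, non-JSON body
        alert(f"scan unavailable, blocking prompt: {type(exc).__name__}")
        return {"allowed": False, "reason": "scan_unavailable", "request_id": None}

    if result.get("is_valid"):
        return {"allowed": True, "reason": "clean", "request_id": result.get("request_id")}

    secret_hits = [r for r in result.get("details", {}).get("results", [])
                   if r.get("scanner") == "secrets" and r.get("threat_detected")]
    for hit in secret_hits:
        alert(f"secret detected request_id={result.get('request_id')} "
              f"risk={hit['risk_score']:.2f} confidence={hit['confidence']:.2f} "
              f"reason={hit['details']['reason']}")
    return {
        "allowed": False,
        "reason": "threat_detected",
        "request_id": result.get("request_id"),
        "threat_types": result.get("threat_types", []),
        "risk_score": result.get("risk_score", 0.0),
    }


# Constructed offline stand-in for the endpoint: returns the response shown on this page.
DOCUMENTED_RESPONSE = {
    "is_valid": False,
    "status": "threat_detected",
    "risk_score": 0.99,
    "threat_types": ["secrets"],
    "details": {"results": [{
        "scanner": "secrets",
        "threat_detected": True,
        "risk_score": 0.99,
        "confidence": 0.92,
        "details": {"reason": "Exposed OpenAI API key - immediate revocation recommended.",
                    "evidence": ["detected pattern in input"]},
    }]},
    "request_id": "req_abc123",
}


def fake_transport(url: str, headers: dict, body: dict) -> dict:
    """Offline transport used for the demonstration below."""
    if url != SCAN_URL or not headers.get("X-API-Key", "").startswith("ben_"):
        raise ValueError("unexpected request")
    return DOCUMENTED_RESPONSE


if __name__ == "__main__":
    verdict = gate_prompt("Here's my OpenAI key: sk-proj-abc123def456...",
                          "ben_example_key", transport=fake_transport, alert=print)
    print(verdict)
```

To run it against the live endpoint, drop the transport argument and pass a real key; everything else stays the same. The choice to fail closed is deliberate for a secrets gate: a prompt that slipped through while the scanner was unreachable is exactly the one you cannot recall later.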

Related Scanners

Consider enabling these related scanners for comprehensive protection: