Secrets detection
Keep hardcoded credentials, passwords, and secrets out of your codebase
Hardcoded secrets in source code (API keys, database passwords, private keys) are one of the most common and dangerous security gaps. DeepSource scans every commit for leaked credentials and flags them before they reach production.
How it works
DeepSource uses a hybrid detection engine that combines pattern matching with AI-powered classification. Regex-based rules scan every commit to identify candidate secrets fast. Then Narada, an open-source classification model, analyzes each match in context — distinguishing real credentials from test values, examples, and placeholders.
This hybrid approach eliminates the noise that makes regex-only scanners unusable:
- 93% fewer false positives: from 222 down to 16 in benchmarks
- 97% precision: when it flags something, it's almost certainly a real secret
- 96.3% recall: almost no real secrets slip through the cracks
What it detects
DeepSource identifies a wide range of secret types across your codebase:
- AWS credentials and access keys
- API tokens and keys
- Database connection strings and passwords
- Private keys (SSH, PGP, TLS)
- Authentication and session tokens
- Service account credentials
- And more
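The two-stage pipeline described under "How it works" can be illustrated with a small scanner. The following is an added example written for this page, not DeepSource's code and not the Narada model: stage one is a handful of regex rules for some of the secret types listed above (AWS access key IDs, private key blocks, database connection strings, generic API tokens), and stage two is a stand-in contextual classifier that uses simple heuristics (placeholder words in the value or the surrounding line, character variety, Shannon entropy) to separate real credentials from test values and placeholders. The rule names, thresholds and the sample source are all constructed for the example; every credential-looking value in it is made up.

```python
import math
import re
from dataclasses import dataclass

# Stage 1: regex rules that find *candidate* secrets. Each rule names the
# capture group holding the secret value (0 = whole match) and whether the
# value itself should go through the entropy/placeholder heuristics.
# (Rule names and patterns are hypothetical, written for this example.)
RULES = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b"), 0, True),
    ("private-key-block", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"), 0, False),
    ("db-connection-string",
     re.compile(r"\b(?:postgres|mysql|mongodb)://[^:\s/]+:([^@\s]+)@"), 1, True),
    ("generic-api-token",
     re.compile(r"(?i)\b(?:api[_-]?(?:key|token)|secret|token)\s*[:=]\s*['\"]([A-Za-z0-9_\-]{16,})['\"]"),
     1, True),
]

# Words that mark a value, or the line around it, as a placeholder rather than a credential.
VALUE_PLACEHOLDER_WORDS = ("example", "sample", "dummy", "placeholder", "changeme", "password", "xxx")
CONTEXT_PLACEHOLDER_WORDS = ("example", "sample", "placeholder", "dummy", "fake", "replace")


@dataclass
class Finding:
    rule: str
    lineno: int
    value: str
    is_secret: bool  # True = looks like a real credential, False = placeholder/test value


def shannon_entropy(s: str) -> float:
    """Bits per character: random credentials score high, words and repeats score low."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def looks_real(value: str, line: str, check_value: bool) -> bool:
    """Stage 2 stand-in for the contextual classifier (a heuristic, not a trained model)."""
    context = line.replace(value, "").lower()  # the line with the candidate removed
    if any(w in context for w in CONTEXT_PLACEHOLDER_WORDS):
        return False  # e.g. "# example only, replace with yours"
    if not check_value:
        return True  # a private key header is the secret regardless of its text
    v = value.lower()
    if any(w in v for w in VALUE_PLACEHOLDER_WORDS):
        return False  # AKIAEXAMPLE..., "password", "xxxx..."
    if len(set(value)) <= 3:
        return False  # "0000000000", "abababab"
    return shannon_entropy(value) >= 3.0  # low-entropy strings are rarely real credentials


def scan(source: str) -> list[Finding]:
    """Run every rule over every line; each candidate gets a stage-2 verdict."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, pattern, group, check_value in RULES:
            for m in pattern.finditer(line):
                value = m.group(group)
                findings.append(Finding(name, lineno, value, looks_real(value, line, check_value)))
    return findings


def real_secrets(source: str) -> list[tuple[str, int]]:
    """(rule, line number) for the candidates the classifier kept."""
    return [(f.rule, f.lineno) for f in scan(source) if f.is_secret]


# Constructed sample input; every value below is made up for this example.
SAMPLE_SOURCE = """\
# constructed sample file for the scanner
aws_access_key_id = "AKIAEXAMPLEKEY000000"  # placeholder from docs
aws_access_key_id = "AKIAZ7Q2M4KP9X3L8VNB"
DATABASE_URL = "postgres://admin:Xk9vP2mQ7wL4@db.internal:5432/prod"
TEST_DATABASE_URL = "postgres://user:password@localhost:5432/test"
api_token = "xxxxxxxxxxxxxxxxxxxxxxxx"
token = "q8Lm2ZxV7pRt4nKw9sHd3bFy"  # example only, replace with yours
api_token = "fR7tWq2LmX9cYp4KsN8dVb3H"
-----BEGIN RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_SOURCE):
        print(f"line {f.lineno}: {f.rule} -> {'SECRET' if f.is_secret else 'placeholder'}")
```

On the sample, stage one raises eight candidates and stage two keeps four (the real-looking AWS key, the production connection string, the high-entropy API token and the private key header), which is the regex-noise reduction the page describes, in miniature. The heuristics are deliberately simple; a production classifier would also weigh file path, surrounding identifiers and known key formats.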
Getting started
The hybrid secrets detection engine is enabled by default for all new teams.
If your team was created before the hybrid engine launched, you can switch to it in Settings → General → Preferences.
Once enabled, secrets detection runs automatically on every commit. No additional configuration is needed.