Secret Detection
The strip-secrets pass always runs first and uses three detection methods.
Path patterns
Keys matching these patterns are always redacted:
- *.password
- *.secret
- *.api_key
- *.credentials
- *.private_key
- *.connection_string
- *.env.*
Regex patterns
Known secret formats:
- AWS access keys (AKIA...)
- Azure connection strings
- PEM private key blocks
- Bearer tokens
- GitHub tokens (ghp_, gho_, ghs_, ghr_, github_pat_)
- Generic credential pairs (password=..., secret:...)
Shannon entropy
Strings longer than 16 characters with entropy ≥ 4.5 bits are flagged as likely secrets.
Redaction
All detected secrets are replaced with [REDACTED]. Original values are never logged or stored.
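The three detection methods and the redaction step above, as an added illustration that is not the project's own code: key-path globs are matched with fnmatch semantics (so `*` also spans dots), the value regexes are my own approximations of the listed formats, the entropy threshold is assumed to be bits per character, and regex hits replace only the matched span while an entropy hit replaces the whole string.

```python
import fnmatch
import math
import re
from collections import Counter
from typing import Any

REDACTED = "[REDACTED]"

# Key-path globs from the page, matched against dotted key paths such as "db.password".
SECRET_PATHS = ["*.password", "*.secret", "*.api_key", "*.credentials",
                "*.private_key", "*.connection_string", "*.env.*"]

# Value patterns for the formats the page lists; the exact regexes are assumptions.
SECRET_REGEXES = [
    re.compile(r"\bAKIA[0-9A-Z]{16}\b"),                                  # AWS access key id
    re.compile(r"\b(?:ghp|gho|ghs|ghr)_[A-Za-z0-9]{20,}\b"),              # GitHub tokens
    re.compile(r"\bgithub_pat_[A-Za-z0-9_]{20,}\b"),
    re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----[\s\S]*?-----END [A-Z ]*PRIVATE KEY-----"),
    re.compile(r"\bBearer\s+[A-Za-z0-9._~+/=-]{16,}"),                    # bearer token
    re.compile(r"(?i)\b(?:password|secret)\s*[=:]\s*\S+"),                # generic pair
]

def shannon_entropy(s: str) -> float:
    """Bits per character: -sum p(c) * log2(p(c)) over the characters of s."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def redact_value(value: str, entropy_threshold: float = 4.5,
                 min_entropy_length: int = 16) -> str:
    """Regex hits are replaced in place; a high-entropy string is replaced whole."""
    for rx in SECRET_REGEXES:
        value = rx.sub(REDACTED, value)
    if len(value) > min_entropy_length and shannon_entropy(value) >= entropy_threshold:
        return REDACTED
    return value

def strip_secrets(obj: Any, path: str = "", secret_paths=SECRET_PATHS, **kw) -> Any:
    """Walk nested dicts/lists; redact by key path first, then by value."""
    if isinstance(obj, dict):
        out = {}
        for key, val in obj.items():
            child = f"{path}.{key}" if path else key
            hit = any(fnmatch.fnmatchcase(child, p) for p in secret_paths)
            out[key] = REDACTED if hit else strip_secrets(val, child, secret_paths, **kw)
        return out
    if isinstance(obj, list):
        return [strip_secrets(v, path, secret_paths, **kw) for v in obj]
    return redact_value(obj, **kw) if isinstance(obj, str) else obj

# Constructed sample record; the AWS key id is the placeholder from AWS's own docs.
SAMPLE = {
    "db": {"password": "hunter2", "host": "db.internal"},
    "aws_key": "AKIAIOSFODNN7EXAMPLE",
    "session": "abcdefghijklmnopqrstuvwxyz012345",      # 32 distinct chars: 5.0 bits
    "greeting": "hello hello hello hello",              # low entropy, kept
    "header": "Authorization: Bearer abcdef0123456789abcdef",
}
```

Running `strip_secrets(SAMPLE)` redacts the password by path, the AWS key and bearer token by regex, and the session string by entropy, while the low-entropy greeting and the host name pass through unchanged.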
Configuration
Via profile pass config:

  passes:
    strip-secrets:
      secret_paths:
        - "*.my_custom_secret"
      entropy_threshold: 4.5
      min_entropy_length: 16