WASViking Docs

wasviking-sentinel secrets

Find leaked secrets on disk and in git history, optionally verify them live, with raw secrets never leaving the host.

wasviking-sentinel secrets runs locally on the host, walks the filesystem and optionally the git history, and reports leaked credentials. The key property: raw secrets never leave the host. Only a SHA-256 hash and a masked preview reach WASViking®.

OWASP coverage: A07 (Identification and Authentication Failures), CWE-798 (Use of Hard-coded Credentials).

What it detects

The detector catalog ships with 32 patterns, including:

| Provider | What is matched |
| --- | --- |
| AWS | Access key ID + secret access key pairs, session tokens. |
| GitHub | Personal access tokens (classic and fine-grained), app installation tokens. |
| GitLab | Personal access tokens, runner registration tokens. |
| Stripe | Live and test API keys (sk_live, sk_test). |
| SendGrid | API keys. |
| Slack | Bot tokens, user tokens, webhook URLs. |
| PagerDuty | Service integration keys. |
| Twilio | Account SIDs + auth tokens. |
| Database | Postgres / MySQL / MongoDB / Redis connection URIs with credentials. |
| Generic | RSA / EC / OpenSSH private keys. |
| Cloud providers | GCP service account JSON, Azure connection strings. |

The full detector catalog is part of the binary. New detectors land per release.

What it does NOT match

To suppress noise:

  • Test fixtures and well-known dummy values (aws_secret_key_AKIA…EXAMPLE).
  • Documentation placeholders with EXAMPLE, PLACEHOLDER, XXXX.
  • Files in common doc/test paths (/docs/, /__tests__/, *.test.{js,ts,py}).
  • Patterns flagged by the AI classifier as obvious placeholder text.
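The match-then-suppress flow described above, as an added example (not the detector catalog shipped in the binary). The three patterns are illustrative and only the public prefixes (AKIA, sk_live_/sk_test_, ghp_) are real; the length rules, the sample files and the exact path rules are assumptions.

```python
import re
from pathlib import PurePosixPath

# Illustrative detectors (added example; not the shipped 32-pattern catalog).
# Prefixes are the providers' public formats; exact lengths are assumptions.
DETECTORS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "stripe_sk": re.compile(r"\bsk_(?:live|test)_[0-9A-Za-z]{24,}\b"),
    "github_pat": re.compile(r"\bghp_[0-9A-Za-z]{36}\b"),
}
PLACEHOLDER_MARKERS = ("EXAMPLE", "PLACEHOLDER", "XXXX")
DOC_TEST_DIRS = ("docs", "__tests__")
TEST_FILE_RE = re.compile(r"\.test\.(?:js|ts|py)$")

def is_noise_path(path: str) -> bool:
    """Skip files under doc/test directories or named *.test.{js,ts,py}."""
    parts = PurePosixPath(path).parts
    return any(p in DOC_TEST_DIRS for p in parts) or bool(TEST_FILE_RE.search(path))

def is_placeholder(token: str) -> bool:
    """Drop well-known dummy values and documentation placeholders."""
    return any(m in token.upper() for m in PLACEHOLDER_MARKERS)

def scan_file(path: str, text: str) -> list:
    """Return (detector_id, path, line) for every match that is not suppressed."""
    if is_noise_path(path):
        return []
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for det_id, rx in DETECTORS.items():
            for m in rx.finditer(line):
                if not is_placeholder(m.group(0)):
                    findings.append((det_id, path, lineno))
    return findings

def scan_all(files: dict) -> list:
    out = []
    for path, text in files.items():
        out.extend(scan_file(path, text))
    return out

# Constructed sample tree: a real-looking key, the same key under docs/,
# and a dummy value next to a live-looking one in the same file.
SAMPLE_FILES = {
    "src/config/prod.py": 'AWS_KEY = "AKIAABCDEFGHIJKLMNOP"\n',
    "docs/setup.md": "export AWS_KEY=AKIAABCDEFGHIJKLMNOP\n",
    "src/billing/keys.py": 'TEST = "sk_live_XXXXXXXXXXXXXXXXXXXXXXXX"\n'
                           'LIVE = "sk_live_abcdefghijklmnopqrstuvwxyz0123"\n',
    "scripts/deploy.sh": "TOKEN=ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij\n",
}
```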

License check (preflight)

Before any local work, secrets calls the WASViking preflight endpoint to confirm the organization API key is active. This is required even when you are not submitting results.

  • --api-key (or env WASV_API_KEY) is required. If it is missing or empty, the run refuses to start with exit code 1.
  • The check is POST /api/v1/sentinel/preflight. Any active org API key passes; no specific scope is needed for the preflight itself.
  • Result cached at ~/.wasviking/preflight_cache.json (mode 0600) for 30 minutes by default (TTL from server, clamped 60s..6h).
  • Within TTL, subsequent calls skip the network entirely.
  • If the API is unreachable but a recent successful approval is on disk (within a 24-hour grace window), the run continues. Short WASViking outages do not break customer CI.
  • If the API actively rejects the key (401 / 403), the grace window does not apply. Revoked keys block on the next cache expiration.
  • The cache is keyed by a truncated SHA-256 of the API key, so rotating the key invalidates the cache automatically.

The --submit flag is independent. --api-key is required regardless of whether you submit results.
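The preflight decision logic above (TTL clamping, key-hashed cache, 24-hour grace window, no grace on an active 401/403), modelled as an added example; this is not the agent's own code. The function names, the simulated `call_api()` callback and the 16-hex-character truncation of the key hash are assumptions.

```python
import hashlib
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

DEFAULT_TTL = 30 * 60            # used when the server sends no TTL
TTL_MIN, TTL_MAX = 60, 6 * 3600  # server TTL is clamped into this range
GRACE = 24 * 3600                # unreachable API: reuse a recent approval this long

@dataclass
class Cached:
    key: str            # truncated SHA-256 of the API key, never the key itself
    approved_at: float  # epoch seconds of the last successful preflight
    ttl: int

def cache_key(api_key: str) -> str:
    # Assumed truncation length; the point is that a rotated key never hits the old entry.
    return hashlib.sha256(api_key.encode()).hexdigest()[:16]

def clamp_ttl(server_ttl: Optional[int]) -> int:
    if server_ttl is None:
        return DEFAULT_TTL
    return max(TTL_MIN, min(TTL_MAX, server_ttl))

def preflight(api_key: str, cache: Optional[Cached], now: float,
              call_api: Callable[[], Tuple[str, Optional[int]]]):
    """Decide whether a run may proceed. call_api() (assumed) returns
    ("ok", ttl), ("unreachable", None) or ("rejected", None) for 401/403."""
    if not api_key:
        return "refused", cache              # exit 1 before any network call
    k = cache_key(api_key)
    if cache and cache.key == k and now - cache.approved_at < cache.ttl:
        return "cached", cache               # within TTL: no network at all
    status, server_ttl = call_api()
    if status == "ok":
        return "approved", Cached(k, now, clamp_ttl(server_ttl))
    if status == "rejected":
        return "blocked", None               # active 401/403: no grace window
    if cache and cache.key == k and now - cache.approved_at < GRACE:
        return "grace", cache                # outage, recent approval on disk
    return "blocked", None
```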

Basic usage

From the directory containing the source tree:

export WASV_API_KEY="wv_live_xxxxxxxxxxxxxxxxxxxxxxxxxxxx"
wasviking-sentinel secrets --path .
[sentinel] Walking .
[sentinel] Files scanned: 5,142
[sentinel] Secrets detected: 4
[sentinel]   aws_secret_key   src/config/prod.py:18  unverified
[sentinel]   github_pat       scripts/deploy.sh:5    unverified
[sentinel]   stripe_sk_live   src/billing/keys.py:3  unverified
[sentinel]   slack_webhook    src/alerts/post.go:9   unverified

Report artifacts are written into --out (default .).

Live verification

10 detectors support optional live verification. The agent probes the legitimate provider endpoint to check whether the secret is currently valid.

wasviking-sentinel secrets --path . --verify
[sentinel] aws_secret_key   src/config/prod.py:18  VERIFIED LIVE
[sentinel] stripe_sk_live   src/billing/keys.py:3  VERIFIED LIVE
[sentinel] github_pat       scripts/deploy.sh:5    invalid (404 from provider)
[sentinel] slack_webhook    src/alerts/post.go:9   no verifier available

Live verification:

  • Uses read-only provider identity endpoints where possible.
  • Never modifies state on the remote provider.
  • Logs the verifier endpoint in the agent log so an auditor can see exactly what was probed.

Privacy guarantee

The submission payload to WASViking contains:

  • Detector ID and severity.
  • File path and line number.
  • A SHA-256 hash of the raw secret.
  • A masked preview (AKIA••••••••••••••••XYZ7).
  • Live verification result (boolean).

The raw secret is held in memory on the host only long enough to verify it (if requested) and is then discarded. It is never written to any WASViking system.
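How a finding can be reduced to the fields listed above before submission, as an added example (not the agent's own payload builder). The masking rule (keep four characters at each end) and the field names are assumptions; the last function is the check a reviewer would add to prove the raw value is absent from what goes over the wire.

```python
import hashlib
import json

def mask(secret: str, keep: int = 4) -> str:
    """Assumed rule: keep `keep` chars at each end, bullet out the middle."""
    if len(secret) <= 2 * keep:
        return "•" * len(secret)
    return secret[:keep] + "•" * (len(secret) - 2 * keep) + secret[-keep:]

def build_finding(detector_id: str, severity: str, path: str, line: int,
                  raw_secret: str, verified: bool) -> dict:
    """Only hash, preview and metadata leave the host; the raw value is not stored."""
    return {
        "detector": detector_id,
        "severity": severity,
        "path": path,
        "line": line,
        "secret_sha256": hashlib.sha256(raw_secret.encode()).hexdigest(),
        "preview": mask(raw_secret),
        "verified": bool(verified),
    }

def payload_leaks(payload: dict, raw_secret: str) -> bool:
    """True if the serialized submission still contains the raw secret anywhere."""
    return raw_secret in json.dumps(payload, ensure_ascii=False)

# Constructed sample: the well-known AWS documentation example key ID.
SAMPLE = build_finding("aws_access_key_id", "critical", "src/config/prod.py", 18,
                       "AKIAIOSFODNN7EXAMPLE", True)
```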

Git history

wasviking-sentinel secrets --path . --git

--git walks the repository's git history in addition to the working tree. Useful for finding secrets that were committed and then "removed" by a later commit but still live in history. Slower than a working-tree scan; runs against all reachable commits in the local repository.

Submit to your tenant

wasviking-sentinel secrets \
  --path . \
  --submit \
  --api-key "$WASV_API_KEY"

Findings land in the portal under Inventory → Secrets as Findings with category token_exposure or credential_exposure. They feed the Risk Score and the Findings workflow.

Flags reference

| Flag | Purpose | Default |
| --- | --- | --- |
| --path | Directory to scan, recursive. | . |
| --out | Directory to write report artifacts. | . |
| --fail-on | Severity threshold: critical, high, medium, low, none. | high |
| --git | Also walk the repository git history (slower). | false |
| --verify | Call provider identity endpoints to confirm matches are live (read-only). | false |
| --submit | POST the matches to the WASViking API after scanning. | false |
| --api | WASViking API base URL. Env: WASV_API. | https://api.wasviking.com |
| --api-key | Organization API key. Required for every run (preflight). Add the secrets:submit scope on the key if you also use --submit. Env: WASV_API_KEY. | (required) |
| --timeout | Max wall-clock time for the secrets pipeline. | 10m0s |

Exit codes

| Exit code | Meaning |
| --- | --- |
| 0 | OK. No findings at or above --fail-on. |
| 1 | Generic failure (IO, network, parse). |
| 70 | Findings at or above the --fail-on threshold. |

secrets is itself usable as a CI gate via --fail-on. For the higher-level wrapper that combines secrets + sbom + template-driven scans in a single pass, see wasviking-sentinel ci.

CI integration

See wasviking-sentinel ci for the CI/CD gate wrapper. The standalone secrets subcommand is fine for pipelines that only need this gate.