Secret Scanner
Detect exposed secrets before attackers do. SlickEnv's 53-pattern engine scans files, git history, MCP configs, and AI-generated code — producing a security score from 0 to 100.
Overview
Running slickenv scan without any flags scans your .env file and any git-tracked files in the current directory. Add flags to expand coverage to your entire git history, MCP config files, or AI-generated code.
Basic Usage
$ slickenv scan
→ Scanning .env and tracked files...
✗ STRIPE_SECRET_KEY stripe_live_key (critical) .env:3
⚠ DATABASE_URL postgres://... (high) .env:8
Score: 55/100 — 1 critical, 1 high, 0 medium
Flags
| Flag | Description |
|---|---|
| --files | Scan all files in the current directory (not just .env) |
| --git | Scan git-tracked files only |
| --mcp | Scan MCP config files (mcp.json, .mcp/, .cursor/mcp.json) |
| --ai-generated | Scan files in AI-generated code directories |
| --ci | Exit with code 1 if any critical or high findings — for CI pipelines |
| --fix | Interactive mode to resolve findings one by one |
| --severity | Filter output by severity level: critical, high, medium, info |
Security Score
Each scan produces a score from 0 (many critical issues) to 100 (no findings). The score starts at 100 and every finding deducts points according to its severity; the result never goes below 0:
| Severity | Deduction | Example |
|---|---|---|
| Critical | -30 points | Live Stripe secret key, AWS secret key |
| High | -15 points | GitHub token, database URL with password |
| Medium | -5 points | Test API keys, generic high-entropy strings |
| Info | -1 point | Suspicious patterns worth reviewing |
Pattern Examples
The scanner checks 53 patterns. The table below is a representative sample of them, with the severity each is reported at and the expression it matches:
| Pattern | Severity | Matches |
|---|---|---|
| AWS Access Key | Critical | AKIA[0-9A-Z]{16} |
| Stripe Live Key | Critical | sk_live_[0-9a-zA-Z]{24,} |
| GitHub Token | Critical | ghp_[0-9a-zA-Z]{36} |
| OpenAI Key | Critical | sk-[0-9a-zA-Z]{48} |
| Private Key (PEM) | Critical | -----BEGIN.*PRIVATE KEY----- |
| Database URL | High | postgres://user:pass@host |
| JWT Token | Medium | eyJ[0-9a-zA-Z_-]{10,}\.[0-9a-zA-Z_-]{10,} |
| Stripe Test Key | Medium | sk_test_[0-9a-zA-Z]{24,} |
| Anthropic Key | Critical | sk-ant-[0-9a-zA-Z_-]{32,} |
| Generic Secret | Info | secret.*=.*[A-Za-z0-9+/]{20,} |
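To make the pattern and scoring rules above concrete, here is a small Python re-implementation written for this page; it is an added example, not SlickEnv's own code. It compiles the sample patterns as they appear in the table, runs them over a constructed .env, applies the deductions from the Security Score table, and returns the exit code the `--ci` flag would. Two details are assumptions on my part: the Database URL row gives only a prose description, so its regex is my reading of "postgres://user:pass@host", and the Generic Secret pattern is compiled case-insensitively so that an upper-case variable name like SECRET_SALT is caught.

```python
import re
import sys
from dataclasses import dataclass

# Deductions from the Security Score table; the score floors at 0.
DEDUCTION = {"critical": 30, "high": 15, "medium": 5, "info": 1}

# Severities that make `--ci` fail the build.
CI_BLOCKING = {"critical", "high"}

# Sample patterns from the table, compiled as written. Order matters: the
# first pattern that matches a line wins, so specific prefixes come before
# the catch-all Generic Secret row.
# Assumptions: the Database URL regex is my reading of the prose in the table;
# Generic Secret is compiled case-insensitively (re.I).
PATTERNS = [
    # AKIA... is the access key ID, the public half of an AWS credential. The
    # paired 40-character secret access key has no fixed prefix and can only
    # be caught by entropy-style rules such as Generic Secret.
    ("AWS Access Key",    "critical", re.compile(r"AKIA[0-9A-Z]{16}")),
    ("Stripe Live Key",   "critical", re.compile(r"sk_live_[0-9a-zA-Z]{24,}")),
    ("GitHub Token",      "critical", re.compile(r"ghp_[0-9a-zA-Z]{36}")),
    ("Anthropic Key",     "critical", re.compile(r"sk-ant-[0-9a-zA-Z_-]{32,}")),
    ("OpenAI Key",        "critical", re.compile(r"sk-[0-9a-zA-Z]{48}")),
    ("Private Key (PEM)", "critical", re.compile(r"-----BEGIN.*PRIVATE KEY-----")),
    ("Database URL",      "high",     re.compile(r"postgres://[^:/\s]+:[^@\s]+@\S+")),
    ("JWT Token",         "medium",   re.compile(r"eyJ[0-9a-zA-Z_-]{10,}\.[0-9a-zA-Z_-]{10,}")),
    ("Stripe Test Key",   "medium",   re.compile(r"sk_test_[0-9a-zA-Z]{24,}")),
    ("Generic Secret",    "info",     re.compile(r"secret.*=.*[A-Za-z0-9+/]{20,}", re.I)),
]


@dataclass(frozen=True)
class Finding:
    pattern: str
    severity: str
    key: str        # variable name left of '=' (or the whole line if there is none)
    line_no: int


def scan_text(text: str) -> list[Finding]:
    """Return at most one finding per line, using the first pattern that matches."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank lines and comments carry no values
        for name, severity, regex in PATTERNS:
            if regex.search(line):
                key = line.split("=", 1)[0].strip() if "=" in line else line.strip()
                findings.append(Finding(name, severity, key, line_no))
                break
    return findings


def score(findings: list[Finding]) -> int:
    """100 minus the per-finding deductions, floored at 0."""
    return max(0, 100 - sum(DEDUCTION[f.severity] for f in findings))


def ci_exit_code(findings: list[Finding]) -> int:
    """What `--ci` does: exit 1 only when a critical or high finding exists."""
    return 1 if any(f.severity in CI_BLOCKING for f in findings) else 0


def severity_counts(findings: list[Finding]) -> dict[str, int]:
    return {sev: sum(1 for f in findings if f.severity == sev) for sev in DEDUCTION}


def report(findings: list[Finding], path: str = ".env") -> str:
    """Format findings in the same shape as the scan output shown above."""
    marks = {"critical": "✗", "high": "⚠", "medium": "⚠", "info": "·"}
    lines = [f"{marks[f.severity]} {f.key} {f.pattern} ({f.severity}) {path}:{f.line_no}"
             for f in findings]
    c = severity_counts(findings)
    lines.append(f"Score: {score(findings)}/100 - "
                 f"{c['critical']} critical, {c['high']} high, {c['medium']} medium")
    return "\n".join(lines)


# Constructed sample .env for this example; every value is fake.
# AKIAIOSFODNN7EXAMPLE is the placeholder key ID used in AWS documentation.
SAMPLE_ENV = """\
APP_NAME=inventory
STRIPE_SECRET_KEY=sk_live_FAKEFAKEFAKEFAKEFAKEFAKE00
DATABASE_URL=postgres://app:hunter2@db.internal:5432/inventory
SESSION_JWT=eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxIn0.c2lnbmF0dXJl
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
SECRET_SALT=abcdefghijklmnopqrstuvwxyz01
"""

if __name__ == "__main__":
    found = scan_text(SAMPLE_ENV)
    print(report(found))
    sys.exit(ci_exit_code(found))
```

Run stand-alone, the sample yields two critical, one high, one medium and one info finding, a score of 19/100, and exit code 1. A file containing only a Stripe test key scores 95 and still exits 0, which is the behaviour a CI gate relies on; four live Stripe keys would deduct 120 points, so the floor at 0 is what keeps the score in range.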
CI/CD Integration
Use slickenv scan --ci in your pipeline to block deployments when secrets are detected. The command exits with code 1 on any critical or high finding; medium and info findings still lower the score but do not fail the step.
# .github/workflows/deploy.yml
- name: Scan for secrets
  env:
    SLICKENV_TOKEN: ${{ secrets.SLICKENV_TOKEN }}
  run: slickenv scan --ci