Credential Scan

Weight: 20 · Free tier

💡 Works on any PR

This signal runs on every PR — no test plan required. It analyzes the raw diff for hardcoded secrets regardless of whether a test plan exists.

The Credential Scan signal analyzes the PR diff for hardcoded secrets, API keys, tokens, and other sensitive values. It scans only added lines in the diff — removed lines and context lines are ignored, since removing a secret is a good thing.

Detection Patterns

Vigil uses 10 detection patterns to identify credentials:

  • AWS access keys — strings starting with AKIA
  • AWS secret keys — 40-character base64 strings in AWS contexts
  • GitHub tokens — prefixes ghp_, gho_, ghs_, ghr_
  • Generic API keys — common key assignment patterns
  • JWT tokens — strings starting with eyJ
  • Private keys — BEGIN ... PRIVATE KEY blocks
  • Connection strings — postgres://, mysql://, mongodb:// URLs
  • Basic auth URLs — https://user:pass@ patterns
  • Slack tokens — prefixes xoxb-, xoxp-, xoxs-
  • High entropy hex strings — hexadecimal strings of 64+ characters

Redaction

🔒 Secrets are never logged

Matches are redacted in all output. Vigil never logs, displays, or stores the actual secret value. The PR comment will indicate that a credential was found and its type, but the value itself is replaced with a redaction marker.

Scoring

If the diff is clean (no credentials found), the signal scores 100. If any credential is detected, the signal scores 0 — this is a binary pass/fail check. Because the Credential Scan is a deterministic signal, a failure triggers the failure cap, limiting the total confidence score to a maximum of 70. A PR with leaked credentials can never be rated “Safe to merge.”
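The following is an added illustration of the three behaviours described above (added-lines-only scanning, redaction, binary scoring), not Vigil's own code. The regexes are my own approximations of the ten pattern categories listed under Detection Patterns, and the unified diff is a constructed sample; Vigil's actual expressions and thresholds are not published on this page.

```python
import re
from typing import List, Tuple

# Assumed approximations of the ten categories listed on this page (not Vigil's real regexes).
PATTERNS = [
    ("AWS access key", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("AWS secret key", re.compile(r"(?i)aws[^\n]{0,30}['\"][A-Za-z0-9/+=]{40}['\"]")),
    ("GitHub token", re.compile(r"\bgh[posr]_[A-Za-z0-9]{20,}\b")),
    ("Generic API key", re.compile(r"(?i)(?:api[_-]?key|secret|token)\s*[=:]\s*['\"][^'\"]{16,}['\"]")),
    ("JWT", re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")),
    ("Private key", re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----")),
    ("Connection string", re.compile(r"\b(?:postgres|mysql|mongodb)://\S+")),
    ("Basic auth URL", re.compile(r"https?://[^\s/:@]+:[^\s/@]+@")),
    ("Slack token", re.compile(r"\bxox[bps]-[A-Za-z0-9-]{10,}")),
    ("High entropy hex", re.compile(r"\b[0-9a-fA-F]{64,}\b")),
]

# Constructed sample diff: the removed Slack token must be ignored, the three
# added secrets must be found, and the context line is never inspected.
SAMPLE_DIFF = """\
--- a/config.py
+++ b/config.py
@@ -1,4 +1,5 @@
 DEBUG = False
-SLACK_TOKEN = "xoxb-0000000000-removed-token"
+SLACK_TOKEN = os.environ["SLACK_TOKEN"]
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+DB_URL = "postgres://app:hunter2@db.internal:5432/prod"
+PRIVATE_KEY = "-----BEGIN RSA PRIVATE KEY-----"
"""

def added_lines(diff: str) -> List[str]:
    """Return only the '+' lines of a unified diff, skipping the '+++' file header."""
    return [ln[1:] for ln in diff.splitlines()
            if ln.startswith("+") and not ln.startswith("+++")]

def scan_diff(diff: str) -> List[Tuple[str, str]]:
    """Return (credential type, redacted line) per hit; the raw value never leaves this function."""
    findings = []
    for line in added_lines(diff):
        for name, rx in PATTERNS:
            if rx.search(line):
                findings.append((name, rx.sub("[REDACTED]", line)))
                break  # first matching category is enough for a pass/fail signal
    return findings

def score(diff: str) -> int:
    """Binary signal as described above: 100 when clean, 0 when any credential is found."""
    return 0 if scan_diff(diff) else 100
```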