API Keys & Tokens

This category focuses on secrets used to authenticate applications and automation.

Typical Examples Include:

API keys for SaaS services (monitoring, email, payments, analytics)
OAuth tokens and refresh tokens
GitHub tokens, CI/CD tokens, service tokens
JWTs and signed tokens (where applicable)
Webhook signing secrets

What DevSecOps Bot detects

DevSecOps Bot detects secrets via pattern matching + context-aware rules. Depending on the token type, it may also apply additional checks (length/charset/structure hints) to reduce false positives.

What You Should Do When Found

When a token is detected, the best response is almost always:

Remove it from code
Rotate it at the source (provider console / secret manager)
Invalidate old credentials
Add prevention (secret manager + CI guardrails)

Overview

SAST (Application Security)

SCA (Dependencies)

Secrets Detection

IaC Security

License Compliance

SAST Rules

IaC Rules

License Rules

API Keys & Tokens

Typical Examples Include:

What DevSecOps Bot detects

What You Should Do When Found

When a token is detected, the best response is almost always:

SAST Rules

IaC Rules

License Rules

API Keys & Tokens ​

Typical Examples Include: ​

What DevSecOps Bot detects ​

What You Should Do When Found ​

When a token is detected, the best response is almost always: ​

API Keys & Tokens

Typical Examples Include:

What DevSecOps Bot detects

What You Should Do When Found

When a token is detected, the best response is almost always: