Secrets Scan
The secrets scan detects credentials, tokens, private keys, and hardcoded passwords in your source code and Git history. Gerion uses Gitleaks as the detection engine.
Run
gerion secrets-scan [PATH]

# Scan the current directory
gerion secrets-scan .

# Save results as JSON
gerion secrets-scan . --format json --output-file secrets.json

# Send results to the Gerion API
gerion secrets-scan . --api-url $GERION_API_URL --api-key $GERION_API_KEY

Detected secret types
Gitleaks includes more than 150 predefined rules:
| Category | Examples |
|---|---|
| Cloud providers | AWS Access Keys, Google Cloud credentials, Azure secrets |
| Repositories & CI/CD | GitHub tokens, GitLab tokens, CircleCI tokens |
| Communication | Slack tokens, Twilio, Mailgun, SendGrid |
| Payments | Stripe keys, PayPal, Square |
| Databases | Connection strings with embedded credentials |
| Cryptography | RSA/EC/SSH private keys, PEM certificates |
| Generic APIs | Bearer tokens, API keys matching common patterns |
Secret redaction
For security, Gerion CLI never sends the full secret to the platform. The value is redacted, showing only 30% of the content (start + end):
AWS_ACCESS_KEY_ID: AKIA****[REDACTED]****XAMPLE

Options
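The following is an added example, not Gerion's or Gitleaks' own code, showing how a redaction rule of this kind can be applied to a report before it is stored or forwarded. It assumes the visible 30% is split evenly between the start and the end of the value, that very short values are masked entirely, and that the JSON written by `--format json` has the shape of a Gitleaks report (fields such as `RuleID`, `File`, `StartLine`, `Secret`); all of these are assumptions, and the sample report is constructed.

```python
import json
from collections import Counter

# Mask placed between the visible prefix and suffix. Assumption: mirrors the
# "AKIA****[REDACTED]****XAMPLE" shape shown above; not Gerion's own constant.
MASK = "****[REDACTED]****"
VISIBLE_FRACTION = 0.30  # the docs state 30% of the content is shown (start + end)


def redact_secret(secret: str, visible_fraction: float = VISIBLE_FRACTION) -> str:
    """Return a redacted form of `secret` that shows roughly `visible_fraction`
    of its characters, split between the start and the end.
    Assumptions: an even head/tail split, and full masking when fewer than two
    characters would be visible (showing one character of a tiny value is pointless)."""
    if not secret:
        return MASK
    visible = round(len(secret) * visible_fraction)
    if visible < 2:
        return MASK
    head = visible // 2
    tail = visible - head
    return f"{secret[:head]}{MASK}{secret[len(secret) - tail:]}"


# Constructed sample in the shape of a Gitleaks JSON report (an assumption about
# the --format json output). The AWS key is AWS's public documentation example;
# the private key body is a placeholder, not real key material.
SAMPLE_REPORT = json.dumps([
    {"RuleID": "aws-access-token", "File": "config/settings.py", "StartLine": 12,
     "Secret": "AKIAIOSFODNN7EXAMPLE"},
    {"RuleID": "private-key", "File": "deploy/id_rsa", "StartLine": 1,
     "Secret": "-----BEGIN RSA PRIVATE KEY-----\nMIIE...placeholder...\n-----END RSA PRIVATE KEY-----"},
])


def redact_report(report_json: str) -> list[dict]:
    """Parse a report and replace each finding's Secret with its redacted form,
    so the result no longer carries the full credential."""
    findings = json.loads(report_json)
    safe_findings = []
    for finding in findings:
        safe = dict(finding)
        safe["Secret"] = redact_secret(finding.get("Secret", ""))
        safe_findings.append(safe)
    return safe_findings


def summarize(findings: list[dict]) -> dict[str, int]:
    """Count findings per rule, e.g. to fail a CI job when any are present."""
    return dict(Counter(finding["RuleID"] for finding in findings))


if __name__ == "__main__":
    redacted = redact_report(SAMPLE_REPORT)
    for finding in redacted:
        print(f"{finding['RuleID']:18} {finding['File']}:{finding['StartLine']}  "
              f"{finding['Secret'].splitlines()[0]}")
    print(summarize(redacted))
```

Note that for a PEM key the visible prefix is just the `-----BEGIN` header, which reveals nothing beyond the key type; the redaction still removes the base64 body, which is the part that matters.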
| Option | Description |
|---|---|
| --format | Output format: json, markdown or sarif |
| --output-file | Save results to a file (disables API submission) |
| --api-url | Gerion API Gateway URL |
| --api-key | M2M API key |
| --timeout | Timeout in seconds (default: 180) |
| --log-level | Log level: debug, info, warning or error |