This release introduces new detectors for Payhere, HubSpot, Birdeye, Datadog, and GitGuardian access tokens, a new Azure SignalR checker, analyzers for Intercom, Notion, and Azure Cosmos DB, plus precision improvements to several existing detectors.

Notable precision improvements (measured on internal benchmarks):

• open_weather_map_token: precision raised from ~2.7% to ~91.7%.
• npm_token: precision raised from ~50.7% to ~99%.
• atlassian_oauth2: significant reduction in false positives.

New Detectors​

• Payhere App Credentials: Add a new detector for Payhere App Credentials with its corresponding checker.
• HubSpot API Key: Add a new detector for Hubspot API Key with its corresponding checker.
• Birdeye API Key: Add a new detector for Birdeye API Key with its corresponding checker.
• Datadog API Credentials: Add a new detector for Datadog API Keys with its corresponding checker.
• Payhere Merchant Secret: Add a new detector for Payhere Merchant Secret.
• GitGuardian Personal Access Token: Add detector and checker for GitGuardian Personal Access Token
• GitGuardian Service Access Token: Add detector and checker for GitGuardian Service Access Token

Detector Updates​

• Azure SignalR Connection String: Add a new checker for Azure SignalR Connection String.
• Jira Basic Auth: Improve jira_basic_auth content whitelist pre-validator pattern.
• Atlassian Oauth2 Keys: Improved precision by restricting the regex pattern.
• npm Token: Improve precision by updating assignment name keywords.
• OpenWeatherMap Token: Improve detector precision.

New Analyzers​

• Intercom Access Token: Add a new analyzer for Intercom Access Token.
• GitGuardian Personal Access Token: Add analyzer for GitGuardian Personal Access Token.
• GitGuardian Service Access Token: Add analyzer for GitGuardian Service Access Token.
• Notion Integration Token: Add a new analyzer for Notion Integration Token.
• Azure Cosmos DB Credentials: Add a new analyzer for Azure Cosmos DB Credentials.

New Detectors and Checkers​

• Paymob API Key: Add a new detector for Paymob API Key.
• Paymob Secret Key: Add a new detector for Paymob Secret Key.

New Detectors​

• ConvertTo-SecureString Password: Add a new detector for ConvertTo-SecureString Password.
• Paymob HMAC Secret: Add a new detector for Paymob HMAC Secret.

New Checkers​

• Kubernetes Docker Secret: Add custom checkers to handle individual secrets stored in the base64-encoded string.
• Generic Private Key: Check whether a PKCS#8 private key is registered with GitLab or GitHub.
• OpenSSH Private Key: Check whether an OpenSSH private key is registered with GitLab or GitHub.
• RSA Private Key: Check whether an RSA private key is registered with GitLab or GitHub.
• Elliptic Curve Private Key: Check whether an EC private key is registered with GitLab or GitHub.

New Analyzers​

• Sentry User Auth Token: Add a new analyzer for Sentry Token.
• Figma Personal Access Token: Add a new analyzer for Figma Personal Access Token.
• Datadog API Credentials: Add a new analyzer for Datadog API credentials.
• Google Cloud Keys: Add a new analyzer for Google Cloud Keys.

Detector Upgrades​

• GitLab Token: Fix false positive matching passwords in user:pass context
• Azure Subscription Key: azure_subscription_key detector no longer mistakenly reports ServiceNow sys ID as secrets.

Checker Upgrades​

• Supabase API Key: Fix checker to correctly return INVALID for revoked keys.

This release introduces 19 new detectors and checkers including Azure, DeepL, Oracle, SAP, and Polar tokens, 4 new analyzers, and improved detection precision and checker reliability across multiple existing secrets.

Notable Detection Changes​

Starting with this release, we'll highlight notable detector changes that may affect your scan results. In this release, all detectors remain stable - you can expect minimal changes to detection accuracy. Future releases with significant changes will be called out here.

New Detectors and Checkers​

• Polar Organization Access Token: Add a detector for Polar Organization Access Token.
• Google Cloud Express API Key: Add a detector for Google Cloud Express API Key
• Microsoft Azure Storage Account Key: Add a new detector for Microsoft Azure Storage Account Key with Account Name.
• Azure Language API Key: Add a new detector for Azure Language API Key.
• Azure IoT Hub Connection String: Add a new detector for Azure IoT Hub Connection String.
• DeepL Free API Keys: Implemented detector for DeepL Free API keys
• DeepL Pro API Keys: Implemented detector for DeepL Pro API keys
• Azure Document Intelligence Key: Add a new detector for Azure Document Intelligence Key.
• Azure Speech Services Key: Add a new detector for Azure Speech Services Key.
• Azure Computer Vision Key: Add a new detector for Azure Computer Vision API Key.
• Azure Text Translation Key: Add a new detector for Azure Text Translation Key.
• Oracle Credentials: Add a new detector for Oracle JDBC credentials.
• GitGuardian Public Monitoring API Key: Add detector for new GitGuardian Public Monitoring API Key format
• GitGuardian Internal Monitoring Key: Add detector for new GitGuardian Internal Monitoring Key format
• SAP AI Core Credentials: Add a new detector for SAP AI Core Credentials.
• Odoo External API Key: Add a new detector for Odoo External API Key.

New Detectors​

• K3s Token: Add a detector for K3s tokens
• Zoho API Key: Add a detector for Zoho API Key
• ServiceNow Generic Password: Add a new detector for passwords in ServiceNow configuration files.

New Analyzers​

• Azure App Configuration Connection String: Add a new analyzer for Azure App Configuration Connection String.
• Google API Key: Add a new analyzer for Google API Key.
• Azure Speech Services Key: Add a new analyzer for Azure Speech Services Key.
• FTP Credentials: Add a new analyzer for FTP credentials.

Detector Upgrades​

• Oracle Credentials: Improve the Oracle JDBC connection string detector by updating the regex.
• AWS IAM STS Keys: Reduce false positives by requiring assignment context for client_secret match
• GitLab incoming mail token: Improve precision by updating the regex pattern.
• Pusher Channels Keys: Remove unneeded CWPV pattern
• Jina API Key: Pin key length according to empirical evidence.

Checker Upgrades​

• SMTP credentials: hard-coded well-known SMTP services parameters
• MongoDB Credentials: Fix false positives by using authenticated operation instead of server_info()
• Langfuse Credentials: Add custom host support for langfuse_credentials checker
• GitLab Agent Kubernetes Token: Add custom host support for gitlab_agent_kubernetes_token checker
• GitLab CI/CD Job Token: Add custom host support for gitlab_ci_cd_job_token checker
• GitLab SCIM Token: Add custom host support for gitlab_scim_token checker
• Microsoft Power Apps Webhook: Return invalid check status for deleted webhooks.
• Jina API Key: Interpret 402 low credit status as a sign of a valid key.
• Snowflake Credentials: Refactor snowflake_uri checker to use Snowflake's REST login endpoint.

Analyzer Upgrades​

• GitLab Token: The gitlab_token analyzer now includes more info about the token, and if available, about the token owner.
• PostgreSQL Credentials: Handle connection timeout errors gracefully with a proper AnalyzerFailed exception

This release introduces 4 new detectors for MiniMax, Retell, Azure Storage Account Key, and curl credentials, along with a 12% scanning speed improvement.

New Detectors and Checkers​

• MiniMax API Key: Added a detector and checker for MiniMax API keys.
• Retell API Key: Added a detector and checker for Retell API keys.
• Microsoft Azure Storage Account Key: Added a detector and checker for Microsoft Azure Storage Account Key with Account Name.

New Detectors​

• Curl Username Password: Added a new detector for curl username and password credentials.

Detector Improvements​

• Azure Container Registry Key: Updated detector to catch more token lengths.
• MongoDB Credentials: Fixed false positives in checker by using authenticated operation instead of server_info().

Engine Enhancements​

• Scanning speed improved by 12% as a result of optimizations to the scanner's internal logic.

Engine Performance​

This new version nearly doubles scanning speed, meaning significantly reduced scan times. Self-hosted customers will also benefit from lower resource consumption.

This release also introduces a significant expansion of detection capabilities with over 20 new detectors, particularly for Azure cloud services and payment platforms, along with new revokers and analyzer upgrades.

New Detectors and Checkers​

• WooCommerce Keys: Added a detector and checker for WooCommerce keys.
• Iyzico API Keys: Added a detector and checker for Iyzico API credentials.
• Mercado Pago OAuth: Added a detector and checker for Mercado Pago OAuth credentials.
• Kie AI API Key: Added a detector and checker for Kie AI API keys.
• Momo Credentials: Added a detector and checker for Momo credentials.
• Bitbucket HTTP Access Token: Added a detector and checker for Bitbucket HTTP access tokens.
• Cartesia API Key: Added a detector and checker for Cartesia API keys.
• PostgreSQL Credentials: Added a detector and checker for PostgreSQL assignment credentials without port.
• MariaDB Credentials: Added a detector and checker for MariaDB assignment credentials without port.
• Azure Event Hub Key: Added a detector and checker for Azure Event Hub keys.
• Azure Container Registry Key: Added a detector and checker for Azure Container Registry keys.
• Coralogix Personal Key: Added a detector and checker for Coralogix Personal keys.
• Coralogix Send-Your-Data Key: Added a detector and checker for Coralogix Send-Your-Data keys.
• Azure Web PubSub Connection String: Added a detector and checker for Azure Web PubSub connection strings.
• Azure Batch Credentials: Added a detector and checker for Azure Batch credentials.
• Azure APIM Gateway Key: Added a detector and checker for Azure APIM Gateway keys.
• Azure IoT Provisioning Connection String: Added a detector and checker for Azure IoT Provisioning connection strings.
• Azure AI Search Key: Added a detector and checker for Azure AI Search keys.
• GitLab CI/CD Job Token: Added a detector and checker for GitLab CI/CD Job tokens.
• Pagar.me API Key: Added a detector and checker for Pagar.me API keys.
• PostHog Personal API Key: Added a detector and checker for PostHog Personal API keys.

New Detectors​

• Yookassa API Key: Added a new detector for Yookassa API keys.
• WireGuard Credentials: Added a new detector for WireGuard credentials.
• Nuclei Private Key: Added a new detector for Nuclei signing keys.
• PostHog Project API Key: Added a new detector for PostHog Project API keys.
• OpenClaw Auth Token: Added a new detector for OpenClaw Auth tokens.

Detector Improvements​

• MongoDB Credentials: Improved the precision of the MongoDB Assignment No Port detector by removing false positives.
• MySQL Credentials: Improved detection precision for MySQL assignment no port by removing false positives.
• Oracle Credentials: Improved the Oracle JDBC connection string detector by increasing the minimum match length for the password.
• Username Password: Improved recall of the password regex.
• Neo4j Credentials: Fixed catastrophic backtracking when matching host.
• Generic High Entropy Secret: The detector now catches secrets assigned to variables like SECURITY_KEY.
• Databricks Authentication Token: Added support for optional single digit postfix in Databricks tokens.
• FTP Credentials: Improved recall of the FTP credentials assignment detector.
• Postman API Key: Checker now reports 403 response status code as invalid.
• Cloudflare CA Key: Updated checker to properly report 401 status code as invalid.
• Google API Key: The checker now detects more valid keys.
• Alchemy API Key: Updated deprecated base URL and request parameters in checker.
• LDAP Credentials: Added a connect timeout to the checker.

New Analyzers​

• Anthropic Admin Key: Added a new analyzer for Anthropic Admin keys.
• Azure DevOps PAT With Org: Added a new analyzer for Azure DevOps PAT with Organization.

Analyzer Upgrades​

• PostgreSQL Credentials: The analyzer now properly reports the error message instead of raising an unexpected error upon access denied for database.
• SendGrid Key: The analyzer now properly reports when no scopes are found.

New Revokers​

• SendGrid Key: Added revoker for SendGrid API keys.
• Slack User Token: Added revoker for Slack user tokens.
• Slackbot Token: Added revoker for Slackbot tokens.
• Heroku Platform Key: Added revoker for Heroku platform keys.

This release adds 7 new detectors for AI, cloud, and communication platforms including Modelscope, Deepgram, and ZegoCloud, along with enhanced Azure SAS URL detection.

New Detectors and Checkers​

• Modelscope API Key: Added a detector and checker for Modelscope API keys.
• Proxmox API Token: Added a detector and checker for Proxmox API tokens.
• ZegoCloud Secret: Added a detector and checker for ZegoCloud secrets.
• Deepgram API Key: Added a detector and checker for Deepgram API keys.
• Microsoft Power Apps Webhook: Added a detector and checker for Microsoft Power Apps Webhook URLs.
• Mem0 API Key: Added a detector and checker for Mem0 API keys.

New Detectors​

• Obsidian API Key: Added a new detector for Obsidian API keys.

Detector Improvements​

• Azure SAS URL: Widened the regex to catch more types of Azure SAS URLs.
• Okta OAuth Credentials With Host: Adjusted detector to catch more client secrets.
• Azure Entra Access Token: Fixed a crash that occurred on invalid JWT tokens.
• Azure OpenAI API Key: Improved precision of detector.
• Azure Logic App Sig Key: Deprecated detector as it caused false positives and caught secrets already detected by the Azure SAS URL detector.

Analyzer Upgrades​

• Azure SAS URL: The azure_sas_url checker now verifies the expiration date of SAS tokens.

This release introduces 18+ new detectors covering cloud platforms, databases, and DevOps tools.

New Detectors and Checkers​

• Oracle Credentials: Added a detector and checker for Oracle JDBC connection string.
• Azure Entra App Secret: Added a detector and checker for Azure Entra App Secret.
• Azure Entra Access Token: Added a detector and checker for Azure Entra Access Token.
• GitLab SCIM Token: Added a detector and checker for GitLab SCIM Token.
• GitLab Agent Kubernetes Token: Added a detector and checker for GitLab Agent Kubernetes Token.
• ASI:One API Key: Added a detector and checker for ASI:One API keys.
• Azure IoT Device Connection String: Added a detector and checker for Azure IoT Device Connection String.
• Xendit Secret API Key: Added a detector and checker for Xendit Secret API Key.
• Supabase API Key: Added a detector and checker for Supabase API Key.
• Neoload Web Access Token: Added a detector and checker for Neoload Web Access Token.
• MongoDB Credentials: Added a new detector and checker for MongoDB assignment that does not match port.
• Azure Cache for Redis Access Key: Added a detector and checker for Azure Cache for Redis Access Key.

New Detectors​

• GitLab Feed Token: Added a new detector for GitLab feed token.
• Clerk Webhook Token: Added a new detector for Clerk Webhook Token.
• Better Auth Secret: Added a new detector for Better Auth Secret.
• Elastic Search API Key: Added a new detector for Elastic Search API Key.
• Redis Credentials: Added a new detector for Redis assignment that does not match port.
• Azure Relay Key: Added a new detector for Azure Relay Key.

Detector Improvements​

• Doppler API Key: Improved the Doppler API Key detector by widening the regex.
• Databricks Token With Hostname: Improved the Databricks Token With Hostname detector by adding support for GCP Databricks.
• JetBrains TeamCity Config Value: Fixed crash in detector that can happen with some false positives.
• Scraper API Key: Improved precision of detector.
• Slack Webhook URL: Improved the Slack Webhook URL detector to increase precision and reduce false positives.
• MongoDB Credentials: Enhanced the precision of MongoDB Assignment detector by removing the assignment prefix and adding post validators to ban other databases.
• Okta Keys: Do not match ReCAPTCHA site keys.
• Tailscale Pre-Authentication Key: Upgraded the Tailscale Pre-Authentication Key detector by widening the regex.

Analyzer Upgrades​

• Auth0 Keys: The auth0_keys analyzer now surfaces a wider range of error messages.
• Auth0 Keys: Report 404 status code as invalid for auth0_keys checker.
• Cohere API Key: Updated cohere_apikey checker to call a valid endpoint. The previous endpoint has been deprecated and removed.

This release introduces new detectors for Cloudflare R2 and Azure SAS URL, significant improvements to multiple detectors.

New Detectors and Checkers​

• Cloudflare R2 Token: Added a detector and checker for Cloudflare R2 tokens.
• Azure SAS URL: Added a detector and checker for Azure SAS URLs.
• MySQL Credentials: Added a new MySQL assignment detector that doesn't match ports.

New Checkers​

• Tailscale SCIM Key: Added a new checker for Tailscale SCIM keys.

Detector Improvements​

• SendGrid Key: Updated regex to make it stricter and updated checker endpoint.
• Dwolla Keys: Updated detector to include more values.
• PubNub Publish and Subscription Keys: Updated detector to use an AggregateMatcher instead of explicitly listing multiple matchers.
• Google OAuth2 Keys: Updated detector to use an AggregateMatcher instead of explicitly listing multiple matchers.
• Azure Cosmos DB Keys: Updated detector to use an AggregateMatcher instead of explicitly listing multiple matchers.
• Generic High Entropy Secret: Upgraded detector to remove false positives due to Google Tag Manager.
• HashiCorp Vault Token: Improved detector to not match one-time URLs anymore.
• Discord Webhook URL: Improved detector by widening the webhook_id length restrictions.
• Alchemy API Key: Updated checker endpoint.
• Fireworks AI API Key: Fixed the checker.

Miscellaneous​

• Added support for 378 new secret providers for improved incident prioritization on generic secrets.

This release introduces 6 new detectors with comprehensive coverage for cloud services and databases and support for 883 new secret providers.

New Detectors and Checkers​

• HighLevel Private Integration Token: Added a detector and checker for HighLevel Private Integration Token.
• Elastic API Key: Added a detector and checker for Elastic API keys.
• Google Cloud Keys: Added a detector and checker for Google Cloud Keys in base64 format.
• Socket Dev API Key: Added a detector and checker for Socket Dev API keys.
• Upstash Redis Credentials: Added a detector and checker for Upstash Redis credentials.
• Vapid Key: Added a new detector for Vapid keys.

New Checkers​

• Oracle Credentials: Added a new checker for Oracle credentials.

Detector Improvements​

• Cloudflare API Credentials: Updated checker to work with multiple types of tokens.
• MySQL Credentials: Enhanced recall of MySQL Assignment detector by removing the constraint on the prefix.
• GitLab Token: Updated gitlab_personal_token_v2 to cover new patterns.
• Fireworks AI API Key: Updated detector regex to improve recall.
• JSON Web Token: Fixed detector crashing if the expiration date was set to "inf".
• SSH Credentials: Updated SSH password detector to use an AggregateMatcher instead of explicitly listing multiple matchers.
• Duo Keys: Updated detector to use an AggregateMatcher instead of explicitly listing multiple matchers.
• Azure Event Grid Access Key: Updated Azure Event Grid Access Key With Host detector to use an AggregateMatcher instead of explicitly listing multiple matchers.

Analyzer Upgrades​

• AWS IAM: Removed aws_iam analyzer as AWS IAM scope analysis is now performed by NHI integration with AWS.

Miscellaneous​

• Added support for 883 new secret providers for improved incident prioritization on generic secrets.

This release adds a new Google Cloud Access Token detector and checker, along with improvements to Hashicorp Vault, PagerDuty, Docker, and FullStory detectors.

New Detectors and Checkers​

• Google Cloud Access Token: Added a new detector and checker for Google Cloud Access Tokens.

Detector Improvements​

• Hashicorp Vault Token: Updated Hashicorp Vault Token detector to catch more types of patterns.
• Google Cloud Access Token: Updated documentation and metadata for Google Cloud Access Tokens detector.
• PagerDuty Authorization Token: Updated regex with token prefix for PagerDuty authorization token detector.

Analyzer Upgrades​

• Docker Credentials: Updated docker_credentials checker endpoint.
• FullStory API Key: Updated fullstory_api_key checker endpoint.

This release introduces 13 new detectors covering AI services (Hume AI, Azure AI Face, AssemblyAI), cloud platforms (AWS Bedrock, Grafbase), and databases (Neon), plus improvements to Kubernetes, Pinecone, and Discord detectors.

New Detectors and Checkers​

• Hume AI API Key: Added a new detector and checker for Hume AI API keys.
• Hume AI Secret Key: Added a new detector and checker for Hume AI Secret keys.
• Azure AI Face Authentication: Added a new detector and checker for Azure AI Face Authentication.
• Neon API Key: Added a new detector and checker for Neon API keys.
• E2B API Key: Added a new detector and checker for E2B API keys.
• MailerSend API Key: Added a new detector and checker for MailerSend API keys.
• Scraper API Key: Added a new detector and checker for Scraper API keys.
• AIProxy API Key: Added a new detector for AIProxy API keys.
• Cloudsmith Entitlement Token: Added a new detector and checker for Cloudsmith Entitlement Tokens.
• AWS Bedrock Long-term API Key: Added a new detector and checker for AWS Bedrock Long-term API keys.
• Harness API Key: Added a new detector and checker for Harness API keys.
• Grafbase Access Token: Added a new detector and checker for Grafbase Access Tokens.
• AssemblyAI Access Token: Added a new detector and checker for AssemblyAI Access Tokens.

Detector Improvements​

• Generic Password: Removed keyword timeout to increase recall.
• Pinecone API Key: Added new detector pinecone_api_key_v2 following the new API key format, with checkers for both v2 and the original format.
• Pinecone API Keys: Deprecated detector, to be replaced by pinecone_api_key detector.
• Keycloak API Keys: Updated provider and company name to Keycloak.
• Discord Bot Token: Updated to match new pattern.
• Kubernetes JWT: Improved performance of Kubernetes JWT detector.
• Tableau Personal Access Token: Improved regex pattern for matching Tableau personal access tokens.
• Sendinblue Key: Updated provider name to Brevo (new company name).

Analyzer Upgrades​

• Snowflake Credentials: The checker for snowpark_api_credentials secrets can now recognize more valid or invalid secrets.
• Kubernetes Cluster Certificate: Changed Kubernetes API endpoint and validated the JSON answer.
• Kubernetes JWT: Changed Kubernetes API endpoint and validated the JSON answer.

This release adds a new Coveo API Key detector, improvements to Resend and DigitalOcean detectors, and fixes proxy support for HTTP checkers.

New Detectors and Checkers​

• Coveo API Key: Added a detector and checker for Coveo API keys.

Detector Improvements​

• Resend API Key: Detector upgrade to remove false positives.

Analyzer Upgrades​

• DigitalOcean Spaces Token: The analyzer now checks for permissions to list buckets.

Engine Enhancements​

• Fixed proxy support for HTTP checkers.

This release introduces new detectors for Comet, Langfuse, and Okta credentials, plus improvements to MySQL and PostgreSQL analyzers.

New Detectors and Checkers​

• Comet API Key: Added a detector and checker for Comet API keys.
• Langfuse Credentials: Added a detector and checker for Langfuse credentials.
• Okta OAuth Credentials with Host: Added a detector and checker for Okta OAuth credentials with host.
• Okta API Token with Host: Added a detector and checker for Okta API tokens with host.

Detector Improvements​

• Generic Password: Detector upgrade to remove false positives in lock files.

Analyzer Upgrades​

• MySQL Credentials: The secret-analyzer now uses pymysql instead of mysql-connector-python for lighter weight implementation.
• PostgreSQL Credentials: Fixed failure in the analyzer when roles have quotes around them.

Miscellaneous​

• Improved GitHub classic analyzer for GitHub Enterprise that was using an old logic.

This release brings a major expansion with 16+ new detectors covering AI services (VirusTotal, Stability AI, Dify, Llama Cloud), cloud platforms (Cloudflare, AWS Cognito, Azure Cosmos DB), and DevOps tools (GitLab, Artifactory, Kubernetes).

New Detectors​

• Virustotal API Key – New detector for VirusTotal API keys.
• Cloudflare Turnstile Secret Key – Added a new detector for Cloudflare Turnstile secret keys.
• Stability AI API Key – Add a detector for Stability AI API Key.
• Azure Cognito OAuth Credentials – Added a new detector for AWS Cognito OAuth credentials.
• Azure Cognito OAuth Credentials with Host – Added detector with host-specific checks and checker.
• Artifactory Access Token – Allow for dashes in JFrog Artifactory hostnames.
• Artifactory Basic Auth Credentials – Allow for dashes in JFrog Artifactory hostnames.
• Artifactory Reference Token with Host – Allow for dashes in JFrog Artifactory hostnames.
• Artifactory Token with Host – Allow for dashes in JFrog Artifactory hostnames.
• GitLab Feature Flags Client Token with Project ID – Detect Gitlab feature flags tokens and associated project id.
• Kubernetes JWT with Host – New detector for Kubernetes JWT with host.
• GitLab Trigger Token – Add detector for GitLab Trigger Tokens.
• Brave Search API Key – Brave Search API keys.
• GitLab Deploy Token – GitLab deploy tokens.
• Firecrawl API Key – Firecrawl API keys.
• Dify API Key – Dify API keys.
• GitLab Runner Authentication Token – GitLab runner authentication tokens.
• Ubidots API Key – Ubidots API keys.
• Vapi API Key – Vapi API keys.
• Llama Cloud API Key – Llama Cloud API keys.
• Azure Cosmos DB Credentials – Extend host pattern to improve recall.
• GitLab Token – Restrict detector pattern to reduce false positives.
• ODBC Connection String – Improve ODBC connection string precision.

New or Updated Checkers​

• Various new and updated checkers accompany the new detectors, including host-specific and project-id aware checkers, improving verification and reducing false positives. See each detector for the exact checker entries.

This release adds new detectors for Weaviate and Cursor API keys, enhanced Snowflake validation support, and improvements to JWT handling and Google API key validation.

New Detectors​

• Weaviate Token with Hostname – Detects Weaviate tokens associated with specific hostnames.
• Cursor API Key – Adds detection for Cursor Admin & User API keys.

New Checkers​

• Weaviate Token with Hostname – Validity checker for identified tokens.
• Cursor API Key – Validity checker supporting Cursor Admin & User API keys.
• Snowflake Credentials
  • New validity checker for snowflake_uri detector.
  • New validity checker for snowpark_api_credentials detector.

Detector Improvements​

• Company Email + Password – Improved to exclude Zoom meeting details as false positives.
• Generic High Entropy Secret – Now ignores JSON Web Tokens; JWTs are handled by the dedicated json_web_token detector.
• Google API Key – Checker upgrade: Updated googleaiza checker to avoid reporting all secrets as valid.
• Jira Basic Auth – Fixed false positives.

This release introduces new detectors and checkers for various API keys, enhancements to existing detection capabilities, and improvements to documentation and testing processes.

New Detectors​

• Africa's Talking API Key – Africa's Talking provides SMS, voice, and payment APIs for businesses in Africa.
• Clipdrop API Key – Clipdrop offers AI-powered image editing and enhancement tools.
• StackHawk API Key – StackHawk enables automated application security testing for developers.
• Murf API Key – Murf provides AI voice generation and text-to-speech services.

Detector Improvements​

• Stripe Keys – Updated Stripe checker to prevent timeouts during checks.

This release focuses on enhancing the GitLab token detector and improving our CI processes.

Detector Improvements​

• GitLab Token – Detector Upgrade: Broader regex for gitlab_personal_token_v2 to match longer tokens, enhancing detection capabilities for GitLab personal tokens.

This release introduces new detectors for Weights & Biases API keys and Mercado Pago access tokens, along with significant improvements to existing detectors including Azure subscription keys and Bitbucket access tokens.

New Detectors​

• Weights & Biases API Key – Detects API keys for Weights & Biases services.
• Bitbucket App Password – New detector for Bitbucket app passwords to improve recall.
• Mercado Pago Access Token – Detects access tokens for Mercado Pago payment services.

New Checkers​

These checkers are implemented to verify the detected secrets, adding another layer of security and ensuring their validity and correct application:

• Mercado Pago Access Token

Detector Improvements​

• Azure Subscription Key – Improved precision of Azure subscription key detector.
• X AI API Key – Properly report disabled API keys as invalid.
• Bitbucket Access Token – Restricted the detector to detect only Bitbucket repositories access tokens.
• CodeClimate Key – Deprecated CodeClimate key checker.

This release introduces new detectors for GitLab incoming mail tokens, Coze personal access tokens, Tavus API keys, and more. It also includes significant improvements to existing detectors and analyzers, such as those for Zendesk, Sendinblue, and Algolia, enhancing detection accuracy and performance.

New Detectors​

• GitLab Incoming Mail Token – Detects tokens used for GitLab incoming mail.
• Coze Personal Access Token – Detects personal access tokens for Coze services.
• Tavus API Key – Recognizes API keys for Tavus services.
• Heroku Platform Key – Detects prefixed variants of Heroku Platform Keys.
• SSH Credentials – New detector ssh_password_with_port allows matching SSH passwords with ports.
• Tableau Cloud PAT – Detects personal access tokens for Tableau Cloud.
• Notion Integration Token v2 – Detects the new Notion token format.

New Checkers​

These checkers are implemented to verify the detected secrets, adding another layer of security and ensuring their validity and correct application:

• Coze Personal Access Token
• Tavus API Key
• Heroku Platform Key
• Tableau Cloud PAT
• Notion Integration Token v2
• Salesforce OAuth2

Detector Improvements​

• Google OAuth2 Keys – Improved precision for Google OAuth2 detector.
• Zendesk Token – Improved analyzer performance.
• Sendinblue Key – Improved analyzer performance.
• Generic High Entropy Secret – No longer considers IDs in ServiceNow migration files as secrets.
• Algolia Keys – Improved analyzer performance.
• Fastly Personal Token – Improved analyzer performance.
• [Hugging Face User Access] – Improved analyzer performance.

Engine Enhancements​

• All JWT detectors will now only catch signed JWTs, enhancing security.

This release introduces new detectors for AI71 and AMP API tokens, along with significant improvements to existing detectors and analyzers, such as those for GitHub, Slack, and DigitalOcean, enhancing detection accuracy and performance.

New Detectors​

• AI71 API Key – Detects API keys for AI71 services.
• AMP API Token – Recognizes API tokens for AMP services.

New Checkers​

These checkers are implemented to verify the detected secrets, adding another layer of security and ensuring their validity and correct application:

• AI71 API Key
• AMP API Token

Detector Improvements​

• Kubernetes Docker Secret – Enhanced detection for kubernetes.io/dockercfg secrets with more precise regex for JWTs.
• MySQL Assignment – Restricted the maximum number of secrets per document to prevent combinatorial explosion.
• Sourcegraph Token – Updated regex for sourcegraph_access_token_v3 as per customer request.
• GitHub Access Token – Improved GitHub classic analyzer performance.
• HashiCorp Vault Token – Improved precision for HashiCorp Vault token detection.
• Confluent Keys – Updated checker for Confluent API keys.
• GitHub Fine-Grained PAT – Analyzer now handles archived repositories.
• Slack Tokens – Improved SlackBot analyzer performance. Applies to Slackbot, Slack App, and Slack User tokens.
• DigitalOcean Spaces Token – Fixed checker for tokens that do not have permission to list buckets.