KORTHEXkorthex.flowence.cc

Crypto Vulnerability Scanner / Secrets

Hardcoded Keys and Secrets Scanner (SAST)

Korthex performs credential scanning across source code in 18 languages, configuration files and the entire git history: hardcoded cryptographic keys, API tokens, passwords and private keys, including secrets that were committed once and later removed. Taint classification shows where every key originates, and dataflow across 16 import hops separates real leaks from test fixtures.

What it finds

  • Hardcoded symmetric keys and private keys in source and configuration
  • API tokens and cloud credentials committed to the repository
  • Passwords and connection strings in configuration files
  • Private keys and certificates checked into version control
  • Secrets in git history: removed from HEAD, still recoverable from every clone
  • Key material assembled across files, followed through up to 16 import hops

Why git history matters

A secret that was committed and later deleted is not gone: it lives in every clone, every fork and every backup of the repository. Deleting the line changes nothing about the exposure; rotation is the only fix. Korthex scans the full history and flags historical leaks separately, so you know exactly which credentials to rotate instead of guessing.

Fewer false positives than pure pattern scanners

Pattern-only secret scanners are fast and broad, and they drown teams in test fixtures and dummy keys. Korthex adds provenance: taint classification records where a key originates (a literal in code, a config file, an environment variable, a secret store), and dataflow decides whether it reaches real cryptographic use. A dummy key in a test fixture gets a different verdict than a production credential, and the verdict is attached to the finding.

From finding to fix

Findings map to the practical fix: move the secret to environment or a secret store, rotate what leaked, and let the CI/CD gate fail any pull request that introduces a new hardcoded credential. Secrets findings live in the same CBOM as the rest of your cryptography, with severity, compliance mapping and file:line evidence.

Frequently asked questions

How is this different from dedicated secret scanners like gitleaks or truffleHog?

Those are good, fast open-source secret scanners built on patterns and entropy. Korthex integrates secrets into a full cryptographic inventory: taint-classified provenance for every key, dataflow to real usage, a verdict that separates fixtures from leaks, and the same CBOM, compliance mapping and migration plan as every other cryptographic finding.

Does it scan the entire git history?

Yes. Credential scanning covers source, configuration and git history, so secrets that were committed and later removed are still found and flagged for rotation.

What should I do after a secret is found?

Rotate the credential first: history means it already leaked to every clone. Then move it to an environment variable or secret store, and enable the CI gate so the next hardcoded secret fails the pull request instead of landing.

Does the scanner send my code or secrets anywhere?

No. Korthex runs 100% on-premise, including air-gapped. Only anonymized metadata is transmitted for the optional dashboard report.

Which compliance requirements does this serve?

Hardcoded credentials violate key-management requirements across frameworks: PCI DSS 3.6 / 8.3.2, ISO 27001 A.8.24, BSI CON.1 and NIST guidance. Each finding carries its mapping in the CBOM.