Secrets scanning

Last updated: 8 June 2026

The Secrets feature helps you find exposed credentials before attackers do. It is separate from the main scan pipeline and requires its own setup. Secrets scanning is available on the Professional plan only.

What the Secrets feature does

There are two parts to Secrets scanning:

GitHub repository scanning — connects to your GitHub account via a Personal Access Token and searches your repositories for exposed credential values. This includes API keys, database connection strings, private keys, AWS credentials, Stripe tokens, and other secrets that should never appear in code.

Domain exposure scanning — checks publicly accessible paths on your domain for files that commonly contain secrets: .env files, configuration files, database dumps, backup archives, and similar. These are files that should never be publicly reachable but sometimes are due to misconfiguration.
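The check described above, as an added example that is not Olimpio's own code: it requests a short list of candidate paths, reads only the first few kilobytes of each response, and confirms the body actually looks like the file in question before reporting it. That content check matters because many sites answer every unknown path with their index page and status 200 (SPA fallback, soft 404), which would otherwise flag every candidate. Only the verdict is recorded; the body, which may contain live credentials, is discarded. The path list, the content signatures and the constructed responses are assumptions for the example.

```python
import re
import urllib.error
import urllib.request
from typing import Callable, Dict, Tuple
from urllib.parse import urljoin

# Candidate paths. An assumption for this example, not the product's checklist.
EXPOSURE_PATHS = ["/.env", "/.env.bak", "/.git/config", "/db.sql", "/backup.zip"]

# Per-path content checks on the first bytes of the body. A bare HTTP 200 is
# not enough evidence: a soft-404 site returns the home page for every path.
def looks_like_env(body: bytes) -> bool:
    return re.search(rb"^[A-Z_][A-Z0-9_]*=\S", body, re.M) is not None

def looks_like_git_config(body: bytes) -> bool:
    return b"[core]" in body and b"repositoryformatversion" in body

def looks_like_sql_dump(body: bytes) -> bool:
    return re.search(rb"(?i)\b(CREATE TABLE|INSERT INTO)\b", body) is not None

def looks_like_zip(body: bytes) -> bool:
    return body[:4] in (b"PK\x03\x04", b"PK\x05\x06")

CHECKS = {
    "/.env": looks_like_env,
    "/.env.bak": looks_like_env,
    "/.git/config": looks_like_git_config,
    "/db.sql": looks_like_sql_dump,
    "/backup.zip": looks_like_zip,
}

# A fetcher returns (status, body prefix). It is injected so the scan can run
# offline against constructed responses.
Fetcher = Callable[[str], Tuple[int, bytes]]

def http_fetch(url: str, max_bytes: int = 4096) -> Tuple[int, bytes]:
    """Live fetcher: reads at most max_bytes so a large dump is never downloaded."""
    req = urllib.request.Request(url, headers={"User-Agent": "exposure-check-example"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read(max_bytes)
    except urllib.error.HTTPError as e:
        return e.code, b""
    except urllib.error.URLError:
        return 0, b""

def scan_domain(base_url: str, fetch: Fetcher) -> Dict[str, str]:
    """Map each candidate path to 'exposed', 'soft-200' or 'absent'.
    Only the verdict is kept; the body is never stored."""
    verdicts = {}
    for path in EXPOSURE_PATHS:
        status, body = fetch(urljoin(base_url, path))
        if status != 200:
            verdicts[path] = "absent"
        elif CHECKS[path](body):
            verdicts[path] = "exposed"
        else:
            verdicts[path] = "soft-200"
    return verdicts

# Constructed responses standing in for a real server: one genuine .env leak,
# one exposed .git/config, and a soft-404 that returns the home page with
# status 200 for everything else. No real credentials appear here.
INDEX_HTML = b"<!doctype html><html><body>Welcome</body></html>"
FAKE_SITE = {
    "https://example.test/.env": (200, b"APP_ENV=production\nDB_PASSWORD=constructed-not-real\n"),
    "https://example.test/.git/config": (200, b"[core]\n\trepositoryformatversion = 0\n\tbare = false\n"),
}

def fake_fetch(url: str) -> Tuple[int, bytes]:
    return FAKE_SITE.get(url, (200, INDEX_HTML))

if __name__ == "__main__":
    for path, verdict in scan_domain("https://example.test", fake_fetch).items():
        print(f"{verdict:9} {path}")
```

Against the constructed site, /.env and /.git/config come back as exposed while the other three paths are reported as soft-200 rather than as findings; swap fake_fetch for http_fetch to run it against a domain you are authorised to test.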

What the main scan already checks

Every Olimpio scan — including the free tier — automatically checks for exposed secret files on your web server as part of the standard vulnerability checks. If your .env file or .git/config is publicly accessible, it will appear as a finding in your scan results without any setup required.

The Secrets feature goes further: it searches inside your GitHub repositories for actual credential values, not just exposed file paths.

How to set it up

  1. Go to the Secrets page in the sidebar
  2. Click Configure
  3. Generate a GitHub Personal Access Token with read-only access to the repositories you want to scan. A fine-grained token limited to the selected repositories, with the Contents permission set to read-only, is sufficient; the classic repo scope also grants write access, which the scanner never needs
  4. Paste the token into the configuration panel and save
  5. Check the authorisation box confirming you own or have permission to scan the target domain
  6. Click Run exposure scan

How credentials are stored

Your GitHub Personal Access Token is encrypted with Fernet symmetric encryption (AES-128 in CBC mode with an HMAC-SHA256 tag, so a tampered ciphertext is rejected rather than decrypted) before being stored. The encryption key lives only in our server environment, never in the database, so a database export on its own is unreadable. We never store full secret values found during scanning, only masked versions showing the first and last four characters (for example, sk-a••••••7898).
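The repository side of the feature, as an added example that is not Olimpio's own code: a small rule set for a few well-known credential formats is run line by line over file contents, and each hit is recorded only as a masked value of the form the paragraph above describes, plus a truncated hash so the same key can be correlated across files without keeping it. It also shows two details a practitioner wants: documentation placeholders that match the patterns are skipped, and values too short to survive losing eight characters are masked entirely rather than mostly revealed. The rules, the placeholder list and the sample files are assumptions constructed for this example.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, List

# (rule name, pattern, capture group holding the secret value). These patterns
# are assumptions for this example, not the product's own rule set.
RULES = [
    ("aws_access_key_id", re.compile(r"\b((?:AKIA|ASIA)[A-Z0-9]{16})\b"), 1),
    ("stripe_secret_key", re.compile(r"\b(sk_(?:live|test)_[A-Za-z0-9]{24,})\b"), 1),
    ("github_pat", re.compile(r"\b(ghp_[A-Za-z0-9]{36})\b"), 1),
    ("db_connection_string",
     re.compile(r"\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?)://[^\s:/@]+:([^\s@]+)@"), 1),
    ("private_key_block", re.compile(r"(-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----)"), 1),
]

# Documentation placeholders that satisfy the patterns but are not live secrets.
PLACEHOLDERS = {"AKIAIOSFODNN7EXAMPLE"}

@dataclass(frozen=True)
class Finding:
    rule: str
    path: str
    line: int
    masked: str        # the only form of the value that is kept
    fingerprint: str   # sha256 prefix: lets the same key be correlated across files

def mask(secret: str, keep: int = 4) -> str:
    """First and last `keep` characters around a fixed-width middle, so the
    mask does not disclose length either. A value too short to lose 2*keep
    characters safely is hidden entirely."""
    if len(secret) <= 3 * keep:
        return "•" * 6
    return secret[:keep] + "•" * 6 + secret[-keep:]

def fingerprint(secret: str) -> str:
    # Acceptable only because the rules match high-entropy values; a hash of a
    # guessable password would not protect it.
    return hashlib.sha256(secret.encode()).hexdigest()[:12]

def scan_text(path: str, text: str) -> List[Finding]:
    """Scan one file's contents. The full match is used once, for masking and
    hashing, and is never stored or returned."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, regex, group in RULES:
            for m in regex.finditer(line):
                value = m.group(group)
                if value in PLACEHOLDERS:
                    continue
                findings.append(Finding(rule, path, line_no, mask(value), fingerprint(value)))
    return findings

def scan_files(files: Dict[str, str]) -> List[Finding]:
    return [f for path, text in files.items() for f in scan_text(path, text)]

# Constructed repository contents; every value below is made up for the example.
SAMPLE_FILES = {
    "config/settings.py": (
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'  # AWS docs placeholder\n"
        "AWS_ACCESS_KEY_ID_PROD = 'AKIATESTKEY012345678'\n"
        "STRIPE_SECRET = 'sk_live_A1b2C3d4E5f6G7h8I9j0K1l2'\n"
        "DATABASE_URL = 'postgres://app:s3cretPassw0rd@db.internal:5432/app'\n"
    ),
    "docs/README.md": "Use the key sk_live_A1b2C3d4E5f6G7h8I9j0K1l2 for the live account.\n",
    "deploy/id_ed25519": "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXkt...\n",
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line} {f.rule} {f.masked} ({f.fingerprint})")
```

On the sample files the placeholder AWS key is skipped, the Stripe key that appears in both settings.py and README.md yields two findings with the same fingerprint, and no finding contains the database password in clear.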

Key rotation tracker

The rotation tracker lets you record the names of secrets your organisation uses and set a rotation interval. Olimpio will send you a reminder email when a secret is due for rotation.

Important: enter variable names only — never paste actual key values into the tracker. The tracker is for scheduling reminders, not for storing credentials.

What Secrets scanning does not do

  • We do not scan repositories you have not explicitly connected via your GitHub PAT
  • We do not persist full credential values or send them anywhere; only the masked form is recorded
  • We do not access private repositories beyond what your PAT permissions allow
  • We do not scan internal systems, CI/CD pipelines, or secrets managers