Secrets

Overview

Heeler provides real-time secret detection and validation to help security teams rapidly identify, validate, and remediate exposed credentials across their software development lifecycle. Unlike traditional secret scanners that rely solely on pattern matching, Heeler combines high-performance scanning, language-aware detection, and active validation to surface only the secrets that truly matter.

Heeler's secret detection is designed to reduce noise, eliminate false positives, and prioritize secrets that represent immediate, exploitable risk.

What Heeler Scans

Heeler continuously analyzes multiple sources to uncover hard-coded credentials, API keys, tokens, and other sensitive data:

  • Code repositories

  • Git commit histories (including historical exposure)

Supported Source Control Providers

Heeler supports secret detection across the most common enterprise SCM platforms:

  • GitHub

  • GitLab

  • Azure DevOps

  • Bitbucket

Language-Aware Secret Detection

Heeler supports 20+ programming languages and understands language-specific syntax and structures. This enables:

  • Reduced false positives through contextual parsing

  • Improved detection accuracy compared to regex-only tools

  • Accurate identification of secrets embedded in configuration files, source code, and scripts

For example, Heeler understands the difference between a string literal in code, a commented-out value, and a configuration key that is actually loaded at runtime—allowing it to ignore dead code while flagging real exposure.

To achieve this at scale, Heeler combines:

  • Advanced parsing and regex techniques

  • Multi-threaded scanning for high performance

  • Deep traversal of repositories, commit history, and artifacts

Heeler leverages more than 700 detection and validation rules, allowing it to identify a broad range of secret types across providers, languages, and usage patterns.
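To make the "commented-out value versus value actually loaded at runtime" distinction concrete, here is an added example (not Heeler's engine or rules) that contrasts a regex-only scan of raw text with a token-aware scan that uses Python's own tokenizer. The sample source file, the variable names and the key-shaped strings in it are constructed; the pattern matches the AWS access key ID shape (AKIA followed by 16 uppercase alphanumerics), and the values here are fake.

```python
import ast
import re
import tokenize
from io import StringIO

# Constructed sample file: one commented-out (dead) key, one key actually
# assigned at runtime, and one plain string that only looks like documentation.
SAMPLE_SOURCE = '''\
# Old key, rotated last quarter:
# API_KEY = "AKIAEXAMPLEOLDKEY000"
API_KEY = "AKIAEXAMPLELIVEKEY01"
DOC = "Set AKIA... in your environment"   # prose, not a credential
'''

# AWS access key ID shape; the values above are constructed, not real keys.
KEY_PATTERN = re.compile(r"AKIA[0-9A-Z]{16}")


def regex_only_hits(source):
    """A regex-only scanner sees the whole file as text, so the commented-out
    key and the live key are reported alike."""
    return KEY_PATTERN.findall(source)


def token_aware_hits(source):
    """A language-aware scan walks the token stream: COMMENT tokens are skipped,
    and only STRING literals are matched. For each hit we also record which
    name the literal is assigned to, i.e. whether it is loaded at runtime.
    Returns (line_number, assigned_to, matched_value) tuples."""
    hits = []
    recent = []  # last two significant tokens, to detect `NAME = "..."`
    for tok in tokenize.generate_tokens(StringIO(source).readline):
        if tok.type in (tokenize.COMMENT, tokenize.NL, tokenize.NEWLINE):
            continue
        if tok.type == tokenize.STRING:
            value = ast.literal_eval(tok.string)
            match = KEY_PATTERN.search(value)
            if match:
                assigned_to = None
                if (len(recent) == 2 and recent[-1].type == tokenize.OP
                        and recent[-1].string == "="
                        and recent[-2].type == tokenize.NAME):
                    assigned_to = recent[-2].string
                hits.append((tok.start[0], assigned_to, match.group(0)))
        recent = (recent + [tok])[-2:]
    return hits


if __name__ == "__main__":
    print("regex-only :", regex_only_hits(SAMPLE_SOURCE))
    print("token-aware:", token_aware_hits(SAMPLE_SOURCE))
```

The regex-only pass returns two findings, one of which is dead code; the token-aware pass returns only the live assignment on line 3 together with the name it is bound to, which is the kind of context a triager needs to judge real exposure.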

Secret Validation

Heeler uses two complementary forms of validation to determine whether a detected secret represents real, exploitable risk. By combining offline structural validation with active external validation, Heeler dramatically reduces false positives while prioritizing secrets that are truly dangerous.

These layers work together to ensure accuracy, performance, and signal quality at scale.

Many secret scanning tools generate large volumes of findings that are no longer valid or exploitable. Heeler addresses this by actively validating detected secrets to determine whether they are currently active and usable.

This dynamic validation approach allows teams to:

  • Focus remediation efforts on real risk

  • Eliminate false positives

  • Understand which secrets pose an immediate threat

Checksum-Aware Validation

Modern API tokens increasingly include built-in checksums: short internal digests that make each credential self-verifiable. These checksum-based formats are designed to dramatically reduce false positives by allowing tools to confirm whether a token is structurally valid before attempting any live validation.

Heeler supports checksum-aware matching within its detection rules, enabling structural verification of credentials without calling third-party APIs.

For tokens that support checksums, Heeler validates the token’s internal checksum and automatically filters out structurally invalid or fake credentials before any external validation is attempted. This eliminates nearly all false positives at the earliest stage of detection.

Why This Matters

  • Offline verification: no API call required

  • Industry-aligned: compatible with modern prefix + checksum token designs (for example, newer personal access token formats)

  • Lower false positives: invalid tokens are rejected based on structure alone, prior to active validation
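As an added illustration of the offline structural check described above (example code, not Heeler's detection rules), the block below implements a prefix + checksum token layout and uses it to filter candidates before any external validation would run. The layout (a fixed prefix, a 30-character base62 body, and a 6-character base62 encoding of the CRC32 of the body) is modelled on publicly described personal access token designs; the `hlr_` prefix and every token value are constructed for this example and do not correspond to any real provider.

```python
import secrets
import string
import zlib

BASE62 = string.digits + string.ascii_uppercase + string.ascii_lowercase
BODY_LEN = 30      # random part of the token
CHECKSUM_LEN = 6   # 62**6 > 2**32, so a CRC32 always fits in 6 base62 digits
EXAMPLE_PREFIX = "hlr_"  # constructed prefix, not a real provider's


def base62_encode(n, width):
    """Encode a non-negative integer in base62, zero-padded to `width` digits."""
    digits = []
    while n:
        n, r = divmod(n, 62)
        digits.append(BASE62[r])
    return ("".join(reversed(digits)) or "0").rjust(width, "0")


def checksum(body):
    """Self-verifying digest of the random body: CRC32, base62-encoded."""
    return base62_encode(zlib.crc32(body.encode("ascii")) & 0xFFFFFFFF, CHECKSUM_LEN)


def make_token(prefix, body=None):
    """Mint a token in the constructed format (used only to build test data)."""
    if body is None:
        body = "".join(secrets.choice(BASE62) for _ in range(BODY_LEN))
    return prefix + body + checksum(body)


def structurally_valid(token, prefix=EXAMPLE_PREFIX):
    """Offline check: right prefix, right length, base62 alphabet, and a
    checksum that matches the body. No network call is made."""
    if not token.startswith(prefix):
        return False
    rest = token[len(prefix):]
    if len(rest) != BODY_LEN + CHECKSUM_LEN:
        return False
    if any(c not in BASE62 for c in rest):
        return False
    body, check = rest[:BODY_LEN], rest[BODY_LEN:]
    return checksum(body) == check


def triage(candidates, prefix=EXAMPLE_PREFIX):
    """Split regex hits into structurally valid tokens (worth active
    validation) and structurally invalid ones (dropped as false positives)."""
    valid = [c for c in candidates if structurally_valid(c, prefix)]
    rejected = [c for c in candidates if c not in valid]
    return valid, rejected


# Constructed test data: one well-formed token and one with a corrupted body.
GOOD_BODY = "0123456789abcdefghijABCDEFGHIJ"
GOOD_TOKEN = make_token(EXAMPLE_PREFIX, GOOD_BODY)
# Same checksum, but the first body character is changed; CRC32 detects any
# single-byte substitution, so this must fail the structural check.
TAMPERED_TOKEN = EXAMPLE_PREFIX + "1" + GOOD_BODY[1:] + GOOD_TOKEN[-CHECKSUM_LEN:]

if __name__ == "__main__":
    valid, rejected = triage([GOOD_TOKEN, TAMPERED_TOKEN, "hlr_tooShort"])
    print("send to active validation:", valid)
    print("rejected offline:", rejected)
```

Everything the structural check needs is in the token itself, which is why it can run on every regex hit at scan time with no rate limits or third-party calls; only the survivors are worth the cost of an external validation request.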

Active External Validation

Once a potential secret is detected, Heeler performs external validation checks, which may include:

  • Calling cloud service APIs

  • Testing database connectivity

  • Verifying API tokens against live endpoints

Heeler validates secrets across:

  • AWS

  • Azure

  • Google Cloud

  • Any additional supported platforms in use

Heeler identifies cross-cloud and multi-platform risks, providing unified visibility regardless of where secrets live.

Viewing Secrets in Heeler

Inventory

Detected secrets are displayed in: Security > Secrets

By default, Heeler displays only active (validated) secrets, ensuring teams immediately see the highest-risk findings.

Filtering

The Secrets page includes sub-navigation filters to help narrow and prioritize findings:

Provider

Filter secrets by the associated provider (for example, AWS, Azure, GCP, or other supported services).

Active

Controls which validation states are displayed:

  • ✔ (checked) – Show only active (validated) secrets (default)

  • – (dash) – Show only non-active secrets

  • ◯ – Show all secrets (active and non-active)

Repository

Restrict results to a specific repository to focus investigations or remediation efforts.

Secret Attributes

Each entry in the Secrets inventory includes the following details:

Provider

The name of the service or platform associated with the detected secret.

Repository

A hyperlink to the repository where the secret was found.

Confidence

Indicates the reliability of the detection rule:

  • High Confidence – Highly specific rules that catch fewer but more reliable secrets. These have fewer false positives but may miss some edge cases.

  • Medium Confidence – Broader rules that detect more potential secrets. These may introduce more false positives but reduce the risk of missed true positives.

With active validation, Heeler eliminates false positives by confirming whether detected secrets are active.

Validated

Displays the validation status of the secret:

  • ✔ – Secret is active and validated

  • ✖ – Secret is not active

  • ? – Validation was skipped. Heeler skips validation for certain secrets, such as AWS Canary Tokens.

Hovering over the icon provides validation context.

File Path

A hyperlink to the exact file path where the secret was detected.

Committer

The name of the committer associated with the secret. In some cases this may be a non-human identity (NHI), such as a GitHub account used for automation.

Git Command

A ready-to-use Git command that can be run locally to display detailed information about the specific Git object.

Detected

The date and time when Heeler first detected the secret.

Key Benefits

  • Real-time detection across repositories, history, and filesystems

  • Language-aware scanning with reduced false positives

  • Active validation to prioritize real risk

  • Unified visibility across cloud and non-cloud providers

  • Scales with enterprise environments using high-performance, multi-threaded scanning

Heeler’s approach ensures security teams spend less time triaging noise and more time mitigating the secrets that truly put their organization at risk.
