Jump to >

Secret Scanner

New in version 3.0.

Secret Scanner is a native tool provided by Review Bot that checks files for hard-coded security credentials, such as API tokens, encryption keys, account identifiers, and URLs.

Note that some secrets have a well-defined format that can be verified, while others have a higher chance of conflicting with various forms of legitimate data.

It is up to the author of a change to verify whether they have leaked a secret, and to revoke that secret on any affected services.

Supported File Types

All files are supported by this tool, and will be checked for secrets.

Supported Secrets

The following types of secrets are checked.

  • AWS Access Keys

  • AWS MWS Keys

  • AWS Secret Keys

  • Asana Access Tokens

  • Discord Bot Tokens

  • Discord WebHook URLs

  • Dropbox Tokens

  • Facebook Access Tokens

  • GitHub OAuth Tokens (legacy format deprecated in April 2021)

  • GitHub OAuth Tokens (modern format introduced in April 2021)

  • Google (GCP) API Keys

  • Google (GCP) Client IDs

  • Google (GCP) Service Accounts

  • Heroku API Keys

  • JSON Web Tokens

  • Mailchimp API Keys

  • Mailgun API Keys

  • NPM Access Tokens

  • PGP Private Keys

  • PyPI API Tokens

  • RSA Private Keys

  • SSH (DSA, EC, and OPENSSH) Private Keys

  • SSL Certificates

  • Slack Tokens

  • Slack WebHook URLs

  • Stripe Access Keys

  • Twilio API Keys

  • Twilio Account SIDs

  • Twitter OAuth Tokens


This tool ships with Review Bot 3.0 and higher. No additional installation is required.


Enabling Secret Scanner in Review Board

You’ll need to add a Review Bot configuration in Review Board (see Tool Configurations).

There are no configuration options available for this tool.