Detectors
Bagel uses detectors to identify exposed secrets in the content scanned by probes. Each detector specializes in a specific type of credential and uses regular expressions and heuristics to minimize false positives.

| Detector | Description | Severity |
|---|---|---|
| GitHub Token | GitHub PATs and app tokens | Critical |
| SSH Private Key | SSH private keys (encrypted/unencrypted) | Critical/Low |
| Cloud Credentials | AWS, GCP, Azure credentials | Critical |
| AI Service | OpenAI, Anthropic, HuggingFace keys | Critical |
| Generic API Key | High-entropy secrets | High |
| HTTP Auth | Bearer tokens, Basic auth, API keys | Critical |
| JWT | JWT and JWE tokens | Critical |
| NPM Token | NPM authentication tokens | Critical |

Detection runs in four stages:

- Pattern Matching - Each detector uses regex patterns specific to its credential type
- Validation - Additional checks (entropy, format) reduce false positives
- Fingerprinting - Detected secrets are SHA-256 hashed for deduplication without storing the actual values
- Context Enrichment - Findings include probe context (file, line number, environment variable name)

Each finding is assigned one of four severity levels:

| Level | Description |
|---|---|
| Critical | Active credentials that provide direct access to systems |
| High | Likely credentials or high-entropy secrets |
| Medium | Configuration issues that could lead to exposure |
| Low | Informational findings or encrypted credentials |

Bagel reports metadata about secrets, never the actual values:

```json
{
  "id": "github-token-classic-pat",
  "severity": "critical",
  "path": "env:GITHUB_TOKEN",
  "metadata": {
    "fingerprint": "sha256:a1b2c3..."
  }
}
```
The fingerprint allows you to track and deduplicate findings without exposing the secret.

Detectors include safeguards to reduce false positives:
- Generic API Key - Filters placeholder values and environment variable references
- SSH Keys - Differentiates encrypted from unencrypted keys
- Cloud Credentials - Uses specific prefixes and formats per provider
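The following Python example, written for this page and not taken from Bagel's source, walks one line of input through the stages above: regex matching, entropy validation, the placeholder and environment-reference filters, SHA-256 fingerprinting, path enrichment for both a file probe and an environment probe, and deduplication by fingerprint. The detector ids and the output shape follow the JSON above; the regular expressions, the 3.5-bit entropy threshold, the placeholder filter, the precedence rule (a specific detector claims its span before the generic one runs) and all sample values are assumptions of the example, and `FAKE_PAT` is a made-up string in the public classic-PAT shape, not a real token.

```python
import hashlib
import math
import re
from collections import Counter
from dataclasses import dataclass

# Values that look like secrets but are not: documentation placeholders and
# references to environment variables such as "${DB_SECRET}". Both regexes are
# assumptions of this example, not Bagel's rules.
PLACEHOLDER_RE = re.compile(r"(?i)(example|placeholder|your[_-]?|xxx+|changeme|<[^>]+>)")
ENV_REF_RE = re.compile(r"^\$\{?[A-Z_][A-Z0-9_]*\}?$")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character: 'aaaa' scores 0, a random 32-char key ~5."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def fingerprint(secret: str) -> str:
    """SHA-256 of the value, so findings can be deduplicated without keeping it.
    (A keyed hash would make guessing low-entropy secrets from the digest harder.)"""
    return "sha256:" + hashlib.sha256(secret.encode()).hexdigest()


@dataclass
class Detector:
    id: str
    severity: str
    pattern: re.Pattern       # group 1 (if present) is the secret, else the whole match
    min_entropy: float = 0.0  # validation step; 0 disables the check


# Assumed patterns: "ghp_" + 36 alphanumerics is the classic-PAT shape; the generic
# rule needs a key-like name before the value plus an entropy check.
DETECTORS = [
    Detector("github-token-classic-pat", "critical",
             re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    Detector("generic-api-key", "high",
             re.compile(r"(?i)(?:api[_-]?key|secret|token|password)\s*[=:]\s*['\"]?([^\s'\"]{20,})"),
             min_entropy=3.5),
]


def _scan_line(path: str, line: str) -> list:
    findings, claimed = [], []
    for det in DETECTORS:  # specific detectors come first and claim their span
        for m in det.pattern.finditer(line):
            start, end = m.span(1) if m.lastindex else m.span(0)
            secret = line[start:end]
            if any(start < e and s < end for s, e in claimed):
                continue  # already reported by a more specific detector
            if PLACEHOLDER_RE.search(secret) or ENV_REF_RE.match(secret):
                continue  # false-positive safeguards
            if shannon_entropy(secret) < det.min_entropy:
                continue
            claimed.append((start, end))
            # Only metadata leaves this function; the secret itself is never stored.
            findings.append({"id": det.id, "severity": det.severity, "path": path,
                             "metadata": {"fingerprint": fingerprint(secret)}})
    return findings


def scan_file(name: str, text: str) -> list:
    """File probe: context is the file name plus line number."""
    return [f for n, line in enumerate(text.splitlines(), 1)
            for f in _scan_line(f"{name}:{n}", line)]


def scan_env(env: dict) -> list:
    """Environment probe: context is the variable name, e.g. env:GITHUB_TOKEN."""
    return [f for k, v in env.items() for f in _scan_line(f"env:{k}", f"{k}={v}")]


def deduplicate(findings: list) -> list:
    """Merge findings that share a fingerprint, keeping every location it was seen."""
    merged = {}
    for f in findings:
        fp = f["metadata"]["fingerprint"]
        entry = merged.setdefault(fp, {"id": f["id"], "severity": f["severity"],
                                       "paths": [], "metadata": {"fingerprint": fp}})
        entry["paths"].append(f["path"])
    return list(merged.values())


# Constructed sample input; FAKE_PAT is a made-up string, not a real token.
FAKE_PAT = "ghp_A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q7r8"
SAMPLE_ENV = {
    "GITHUB_TOKEN": FAKE_PAT,
    "API_KEY": "your_api_key_here_please_replace",  # placeholder -> filtered
    "DB_SECRET": "${DATABASE_SECRET_KEY}",          # env reference -> filtered
}
SAMPLE_FILE = "\n".join([
    "# constructed config file",
    "token = " + FAKE_PAT,                           # same secret as the env var
    "secret = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",      # low entropy -> filtered
    "api_key = 'Qz8vR2tL9pW4xK7mN3bH6yJ1sF5dG0cA'",  # constructed high-entropy value
])

if __name__ == "__main__":
    import json
    print(json.dumps(deduplicate(scan_env(SAMPLE_ENV) + scan_file("config.env", SAMPLE_FILE)), indent=2))
```

Running it reports two unique secrets: the PAT, seen at `env:GITHUB_TOKEN` and `config.env:2`, and the generic key at `config.env:4`; the placeholder, the `${...}` reference and the repeated-character value are all dropped before a fingerprint is ever computed.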

If you encounter false positives, please open an issue with sanitized examples.

Bagel’s detector system is extensible. See the source code for implementation examples.