JetBrains Probe
The jetbrains probe scans JetBrains IDE (IntelliJ, PyCharm, GoLand, WebStorm, etc.) project configuration files for exposed secrets.
The probe examines JetBrains workspace files and extracts:
- Environment variables from run configurations
- Program arguments from run configurations
These are then scanned by all secret detectors.
.idea/workspace.xml
The probe parses XML workspace files looking for RunManager components.
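The extraction step described above, sketched as an added example (not the probe's own code). The `envs`/`env` elements and the `PARAMETERS` / `PROGRAM_PARAMETERS` option names are assumptions about a typical run-configuration layout, and the sample XML and its values are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample of .idea/workspace.xml; all values are fake placeholders.
SAMPLE = """<project version="4">
  <component name="ChangeListManager" />
  <component name="RunManager" selected="Python.Run Server">
    <configuration name="Run Server" type="PythonConfigurationType">
      <envs>
        <env name="PYTHONUNBUFFERED" value="1" />
        <env name="API_KEY" value="EXAMPLE-KEY-0000" />
      </envs>
      <option name="PARAMETERS" value="--db-url postgres://app:EXAMPLE@localhost/app" />
    </configuration>
    <configuration name="Worker" type="Application">
      <option name="PROGRAM_PARAMETERS" value="--token EXAMPLE-TOKEN" />
      <option name="MAIN_CLASS_NAME" value="com.example.Worker" />
    </configuration>
  </component>
</project>
"""

# Option names assumed to hold program arguments (varies by configuration type).
ARGUMENT_OPTIONS = {"PARAMETERS", "PROGRAM_PARAMETERS"}
# Only configurations under the RunManager component are considered.
RUN_CONFIGS = ".//component[@name='RunManager']/configuration"


def extract_candidates(xml_text):
    """Return (config_name, kind, key, value) tuples to hand to secret detectors."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return []  # a half-written or corrupt workspace file yields no candidates
    found = []
    for config in root.iterfind(RUN_CONFIGS):
        name = config.get("name", "<unnamed>")
        for env in config.iter("env"):
            if env.get("value"):
                found.append((name, "env", env.get("name", ""), env.get("value")))
        for opt in config.iter("option"):
            if opt.get("name") in ARGUMENT_OPTIONS and opt.get("value"):
                found.append((name, "args", opt.get("name"), opt.get("value")))
    return found


if __name__ == "__main__":
    for row in extract_candidates(SAMPLE):
        print(row)
```

Keeping the configuration name with each value is what lets a finding point back to a specific run configuration, as the `config_name` metadata field does.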
JetBrains IDEs store run configurations in XML files. Developers frequently put secrets in these configurations for local testing:
- Database connection strings
- API keys for testing
- Service account credentials
- Authentication tokens
| Configuration Type | Common Secrets |
|---|---|
| Environment Variables | API keys, tokens, passwords |
| Program Arguments | Auth tokens, connection strings |
| Database Connections | Passwords, connection URLs |
| HTTP Client | Bearer tokens, API keys |
```json
{
  "id": "ai-service-openai-api-key",
  "probe": "jetbrains",
  "severity": "critical",
  "title": "AI Service API Key Detected (OpenAI API Key)",
  "message": "An OpenAI API Key was detected in file:/Users/dev/myproject/.idea/workspace.xml.",
  "path": "file:/Users/dev/myproject/.idea/workspace.xml",
  "metadata": {
    "config_name": "Run Server"
  }
}
```
Open your IDE and edit the run configuration:
- Run -> Edit Configurations
- Select the configuration with secrets
- Remove hardcoded values from Environment Variables
Add to .gitignore:
```gitignore
# JetBrains
.idea/workspace.xml
.idea/tasks.xml
.idea/usage.statistics.xml
.idea/dictionaries
.idea/shelf
# Or exclude entire .idea folder (lose shared settings)
# .idea/
```
1. Never commit workspace.xml:

   ```gitignore
   .idea/workspace.xml
   ```

2. Use run configuration templates:
   - Create shared configs without secrets
   - Each developer adds secrets locally
3. Use IDE’s “Store as project file” carefully:
   - Check what gets saved before committing
4. Review before commits:

   ```bash
   git diff --staged .idea/
   ```

- Environment Probe - Checks environment variables
- Shell History Probe - Checks command history