Turen’s 15 secret detection rules prevent API keys, credentials, and sensitive files from being exposed in AI agent conversations.

Where to Find These Rules

Go to Agentic Security > Agent Security (/security/prompt) and select the Secrets tab. You can filter rules by severity or status using the FilterSearch bar.

What’s Detected

API Keys and Tokens

| Rule | What It Detects |
|------|-----------------|
| SEC-02 | AWS Access Keys (AKIA) and temporary STS keys (ASIA) |
| SEC-03 | GitHub Personal Access Tokens (classic format) |
| SEC-04 | GitHub Fine-grained Personal Access Tokens |
| SEC-05 | Stripe API secret keys |
| SEC-06 | JSON Web Tokens (JWT) |
| SEC-07 | Google API keys |
| SEC-08 | GitLab personal access tokens |
| SEC-09 | Slack API tokens |
| SEC-10 | Heroku API keys |
| SEC-11 | Generic API key patterns in environment variables |
| SEC-14 | AWS IAM resource identifiers |
| SEC-15 | AWS context-specific credentials and STS bearer tokens |

Private Keys and Certificates

| Rule | What It Detects |
|------|-----------------|
| SEC-01 | PEM-encoded private keys |
| SEC-13 | OpenSSH format private keys |

Connection Strings

| Rule | What It Detects |
|------|-----------------|
| SEC-12 | Database connection strings with embedded credentials |

How It Works

Secret detection runs as Claude Code hooks on both requests (what’s sent to the LLM) and responses (what the agent outputs). This two-way scanning catches:
  1. Secrets in tool output — If Claude Code reads a file containing API keys, the secret pattern is detected and flagged
  2. Secrets in responses — If the agent attempts to include credentials in its output, they are caught
When a secret is detected, the rule blocks or warns depending on severity, and logs a security event.

Advanced Settings

From Agentic Security > Security Settings (/security/settings), expand the Secret Detection Settings section to configure:

| Setting | Default | Description |
|---------|---------|-------------|
| Pattern Detection | On | Match known secret formats (API keys, tokens, etc.) |
| Entropy Detection | On | Flag high-entropy strings that may be secrets |
| Entropy Threshold | 3.75 | Minimum bits of entropy to flag a string |
| Minimum Token Length | 24 | Only check strings longer than this |

You can also toggle the entire secret detection module on or off from the Detection Modules section.
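
To see how these settings interact, the following added example (not Turen's implementation) combines one pattern rule with an entropy check using the defaults from the table, and shows a hex checksum being flagged until the threshold is raised. It assumes the threshold is Shannon entropy in bits per character; the tokenizer, the AWS key regex and the sample input are constructed for illustration.

```python
import math
import re
from collections import Counter

# Defaults taken from the settings table above.
ENTROPY_THRESHOLD = 3.75
MIN_TOKEN_LENGTH = 24

# Assumed pattern for AWS access key IDs (AKIA/ASIA + 16 uppercase letters
# or digits); this is not Turen's actual rule.
AWS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")
# Assumed tokenizer: runs of characters commonly found in keys and tokens.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=_\-]+")

def shannon_entropy(s):
    """Shannon entropy of s in bits per character."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def scan(text, threshold=ENTROPY_THRESHOLD, min_len=MIN_TOKEN_LENGTH):
    """Return (kind, token) findings: pattern matches first, then entropy hits."""
    findings = [("pattern", m.group()) for m in AWS_KEY_RE.finditer(text)]
    matched = {tok for _, tok in findings}
    for tok in TOKEN_RE.findall(text):
        # Skip tokens already reported and tokens not longer than min_len.
        if tok in matched or len(tok) <= min_len:
            continue
        if shannon_entropy(tok) >= threshold:
            findings.append(("entropy", tok))
    return findings

# Constructed sample tool output. The key ID is AWS's published documentation
# example; every other value is made up for this example.
SAMPLE = """\
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
session_secret = q7Zp2LxV9mKc4TbW8nRfJ3yHs6DgA1uE
build_cache_dir = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
checksum = 0123456789abcdef0123456789abcdef
"""

if __name__ == "__main__":
    for threshold in (ENTROPY_THRESHOLD, 4.5):
        print(threshold, scan(SAMPLE, threshold=threshold))
```

The 20-character key ID is shorter than the minimum token length, so only the pattern rule catches it, while the hex checksum scores exactly 4.0 bits per character and is reported at the default threshold but not at 4.5.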

Example

Developer: "Read the production config and help me debug the connection issue"

Claude reads config.yaml containing:
  database_url: post*****************t_p@ss@prod-db:5432/myapp

BLOCKED: Database credential detected
   Rule: SEC-12 (High)

Tuning

If your workflow triggers false positives:
  • Disable individual rules — Click the rule row in the Secrets tab to toggle it off
  • Adjust entropy settings — Raise the entropy threshold or minimum token length to reduce noise
  • Create custom rules — Add patterns specific to your organization’s credential formats
See Custom Rules for instructions.