Turen’s 15 secret detection rules prevent API keys, credentials, and sensitive files from being exposed in AI agent conversations.

What’s Detected

API Keys and Tokens

Credentials that could grant unauthorized access:
  • AWS Access Keys and Secret Keys
  • API tokens (GitHub, Slack, Stripe, etc.)
  • OAuth tokens and refresh tokens
  • Service account credentials

Certificates and Private Keys

Cryptographic material that should never appear in conversation:
  • Private SSH keys
  • .pem and .p12 certificate files
  • TLS/SSL private keys
  • Signing keys

Configuration Files

Sensitive configuration that often contains credentials:
  • .env files with embedded secrets
  • Database connection strings with passwords
  • Cloud provider configuration files
  • Docker secrets

System Files

Operating system files that could expose sensitive information:
  • /etc/passwd and /etc/shadow
  • SSH configuration directories
  • System keychain access
  • Credential stores

How It Works

Secret detection runs as Claude Code hooks on both requests (what’s sent to the LLM) and responses (what the agent outputs). This two-way scanning catches:
  1. Secrets in tool output — If Claude Code reads a file containing API keys, the secret pattern is detected and flagged
  2. Secrets in responses — If the agent attempts to include credentials in its output, they are caught
When a secret is detected, the rule blocks or warns depending on severity, and logs a security event.
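A minimal two-way hook of the kind described above, written here as an added illustration and not Turen's own code: the rule set, the hook's JSON event shape, and the rule IDs other than SEC-12 (taken from the example below) are assumptions. Each event, whether tool output headed to the LLM or an agent response, is scanned against a few patterns; High severity blocks, Medium warns, and the logged security event carries rule IDs only, never the secret itself.

```python
"""Request/response secret-detection hook (hypothetical, not Turen's)."""
import json
import re
import sys
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    rule_id: str      # SEC-12 is from the page's example; others are placeholders
    severity: str     # "High" -> block, "Medium" -> warn
    pattern: re.Pattern


RULES = [
    # database URL whose userinfo part carries a password (user:pass@host)
    Rule("SEC-12", "High",
         re.compile(r"\b(?:postgres(?:ql)?|mysql|mongodb)://[^\s:/@]+:[^\s@]+@")),
    # PEM private key header, regardless of key type
    Rule("PRIVATE-KEY", "High",
         re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----")),
    # AWS access key ID (long-term AKIA... or temporary ASIA...)
    Rule("AWS-ACCESS-KEY", "Medium",
         re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")),
]


def scan(text):
    """Return [(rule_id, severity)] for every rule that matches; no secret values."""
    return [(r.rule_id, r.severity) for r in RULES if r.pattern.search(text)]


def decide(findings):
    """Most severe finding wins: High blocks, anything else warns, none allows."""
    if any(sev == "High" for _, sev in findings):
        return "block"
    return "warn" if findings else "allow"


def handle_event(event):
    """event = {"direction": "request" | "response", "content": str} (assumed shape)."""
    findings = scan(event["content"])
    action = decide(findings)
    log_entry = {"direction": event["direction"], "action": action,
                 "rules": sorted(rid for rid, _ in findings)}  # safe to log
    return action, log_entry


# Constructed sample events for this example
SAMPLE_EVENTS = [
    {"direction": "request",
     "content": "database_url: postgres://user:s3cret_p@ss@prod-db:5432/myapp"},
    {"direction": "response",
     "content": "Use key AKIAIOSFODNN7EXAMPLE for the demo bucket"},
    {"direction": "response",
     "content": "Connection refused: check that port 5432 is reachable"},
]

if __name__ == "__main__":
    # As a hook: read one JSON event on stdin, emit the decision as JSON
    action, entry = handle_event(json.load(sys.stdin))
    print(json.dumps(entry))
    sys.exit(2 if action == "block" else 0)
```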

Example

Developer: "Read the production config and help me debug the connection issue"

Claude reads config.yaml containing:
  database_url: postgres://user:s3cret_p@ss@prod-db:5432/myapp

BLOCKED: Database credential detected
   Rule: SEC-12 (High)

Tuning

If your workflow triggers false positives:
  • Disable individual rules — If a specific detection isn’t relevant to your environment
  • Create custom rules — Add patterns specific to your organization’s credential formats
See Custom Rules for instructions.