# Secret Detection

> Prevent credentials from leaking through AI agent conversations

Turen's 15 secret detection rules prevent API keys, credentials, and sensitive files from being exposed in AI agent conversations.

## Where to Find These Rules

Go to **Agentic Security > Agent Security** (`/security/prompt`) and select the **Secrets** tab. You can filter rules by severity or status using the FilterSearch bar.

## What's Detected

### API Keys and Tokens

| Rule   | What It Detects                                        |
| ------ | ------------------------------------------------------ |
| SEC-02 | AWS Access Keys (AKIA) and temporary STS keys (ASIA)   |
| SEC-03 | GitHub Personal Access Tokens (classic format)         |
| SEC-04 | GitHub Fine-grained Personal Access Tokens             |
| SEC-05 | Stripe API secret keys                                 |
| SEC-06 | JSON Web Tokens (JWT)                                  |
| SEC-07 | Google API keys                                        |
| SEC-08 | GitLab personal access tokens                          |
| SEC-09 | Slack API tokens                                       |
| SEC-10 | Heroku API keys                                        |
| SEC-11 | Generic API key patterns in environment variables      |
| SEC-14 | AWS IAM resource identifiers                           |
| SEC-15 | AWS context-specific credentials and STS bearer tokens |

### Private Keys and Certificates

| Rule   | What It Detects             |
| ------ | --------------------------- |
| SEC-01 | PEM-encoded private keys    |
| SEC-13 | OpenSSH format private keys |

### Connection Strings

| Rule   | What It Detects                                       |
| ------ | ----------------------------------------------------- |
| SEC-12 | Database connection strings with embedded credentials |

## How It Works

Secret detection runs as Claude Code hooks on both **requests** (what's sent to the LLM) and **responses** (what the agent outputs). This two-way scanning catches:

1. **Secrets in tool output**: If Claude Code reads a file containing API keys, the secret pattern is detected and flagged
2. **Secrets in responses**: If the agent attempts to include credentials in its output, they are caught

When a secret is detected, the rule blocks or warns depending on severity, and logs a security event.

## Advanced Settings

From **Agentic Security > Security Settings** (`/security/settings`), expand the **Secret Detection Settings** section to configure:

| Setting                  | Default | Description                                         |
| ------------------------ | ------- | --------------------------------------------------- |
| **Pattern Detection**    | On      | Match known secret formats (API keys, tokens, etc.) |
| **Entropy Detection**    | On      | Flag high-entropy strings that may be secrets       |
| **Entropy Threshold**    | 3.75    | Minimum bits of entropy to flag a string            |
| **Minimum Token Length** | 24      | Only check strings longer than this                 |

You can also toggle the entire secret detection module on or off from the **Detection Modules** section.
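As an added illustration of how the two detection modes fit together (this is example code, not Turen's implementation), the scanner below applies pattern detection and entropy detection with the default settings from the table above. The regexes are rough approximations of what the SEC-01, SEC-02 and SEC-12 descriptions cover, and the config excerpt it scans is constructed for this example.

```python
import math
import re

# Defaults from the Secret Detection Settings table above.
ENTROPY_THRESHOLD = 3.75   # minimum bits of entropy per character to flag
MIN_TOKEN_LENGTH = 24      # only tokens longer than this get the entropy check

# Approximations of the rule descriptions, not Turen's actual patterns.
PATTERN_RULES = {
    "SEC-02": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),            # AWS access / STS key ids
    "SEC-01": re.compile(r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----"),  # PEM private key header
    "SEC-12": re.compile(r"\b(?:postgres(?:ql)?|mysql|mongodb)://[^:\s/]+:[^@\s]+@"),
}

def shannon_entropy(s: str) -> float:
    """Shannon entropy of a string in bits per character."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())

def scan(text: str) -> list:
    """Return (rule, matched_text) findings for one request or response body."""
    findings, covered = [], set()
    for rule, rx in PATTERN_RULES.items():          # pattern detection first
        for m in rx.finditer(text):
            findings.append((rule, m.group(0)))
            covered.add(m.group(0))
    # Entropy detection: tokenize on whitespace/quotes/assignment characters,
    # skip short tokens and anything a pattern rule already caught.
    for tok in re.split(r"[\s\"'`=,;]+", text):
        if len(tok) <= MIN_TOKEN_LENGTH or any(hit in tok for hit in covered):
            continue
        if shannon_entropy(tok) >= ENTROPY_THRESHOLD:
            findings.append(("ENTROPY", tok))
    return findings

# Constructed config excerpt. The AKIA value is the public example key id
# from AWS documentation; the other values are made up for this example.
SAMPLE_TOOL_OUTPUT = """\
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
database_url: postgres://app_user:hunter2@prod-db:5432/myapp
-----BEGIN RSA PRIVATE KEY-----
session_token = q7LkZ2mX9pWv4aRt0bYu8cNe1dFs6gHj
short_random = Zx9Qw2Lm7Kp4Vn1R
default_pw = passwordpasswordpasswordpassword
"""

if __name__ == "__main__":
    for rule, hit in scan(SAMPLE_TOOL_OUTPUT):
        print(f"BLOCKED: {rule}: {hit}")
```

Note what the defaults leave alone: `Zx9Qw2Lm7Kp4Vn1R` has 4.0 bits of entropy but is shorter than the minimum token length, and the 32-character `passwordpassword...` value is long but only reaches 2.75 bits, so neither is flagged.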

## Example

```text
Developer: "Read the production config and help me debug the connection issue"

Claude reads config.yaml containing:
  database_url: post*****************t_p@ss@prod-db:5432/myapp

BLOCKED: Database credential detected
   Rule: SEC-12 (High)
```

## Tuning

If your workflow triggers false positives:

* **Disable individual rules**: Click the rule row in the Secrets tab to toggle it off
* **Adjust entropy settings**: Raise the entropy threshold or minimum token length to reduce noise
* **Create custom rules**: Add patterns specific to your organization's credential formats

See [Custom Rules](/security-rules/custom-rules) for instructions.
