Security, Governance & Ops Tool

The Secrets Scan Tool

Scan text, code, or config for secrets — API keys, tokens, passwords — and return each finding so an agent never commits, logs, or sends a credential it shouldn’t.

Explore VDF AI Agents
GuardrailsSafety built into the agent
GovernedPolicy, audit, and cost
AssignableTo every agent you run
100%On-premise capable
The Trust Problem

Autonomy without guardrails is a liability

An agent that can act can also leak PII, expose a secret, exceed permissions, or run up cost — silently. Putting agents in production means baking in detection, redaction, permission checks, and traceability, or the first incident ends the program.

01

Data leakage

PII and secrets slip into prompts, logs, and outputs.

02

Over-permissioned

Agents act beyond what their role should allow.

03

No accountability

Without a trace, you can’t explain what an agent did or why.

04

Runaway cost

Unbounded tool use burns budget with no early warning.

How the Tool Works

Secrets Scan, without the risk

Capability

What it does

Catch leaked keys and credentials.

it scans text, code, or config for secrets such as API keys, tokens, and passwords.

Tool
Secrets Scan

Assignable to any agent

SecretsKeysLocatedOn-prem

How it works

Predictable, inspectable behavior

Designed to be reliable.

scanning uses pattern and entropy heuristics inside your perimeter and returns located findings, so an agent can block a leak before code is committed or content is sent.

Governed
Policy + Audit

Every call logged

ScopedLoggedGovernedOn-prem

Governance

Private, governed, on-premise

Runs inside your perimeter.

These controls run inside your perimeter and feed a single audit trail, so detection, redaction, permission checks, and cost limits are enforced locally — the governance layer that makes agent autonomy defensible to security and compliance.

100%
On-Prem

Per-tenant, logged

On-premRBACAudit logSovereign
Inputs

Parameters

The secrets_scan tool accepts these inputs when an agent calls it. Required inputs are flagged.

Name Type Required Description
content string Required Text, code, or config to scan.
min_entropy number Optional Optional entropy threshold for detecting random-looking secrets.
In depth

How the Secrets Scan tool works in practice

Secrets Scan is a security, governance & ops tool you assign to a VDF AI agent. It scans text, code, or config for secrets such as API keys, tokens, and passwords. Its hallmarks — Secrets, Keys, Located — let an agent rely on it as a dependable step in a larger task rather than a brittle one-off script.

Under the hood, scanning uses pattern and entropy heuristics inside your perimeter and returns located findings, so an agent can block a leak before code is committed or content is sent. It expects content as required input, so calls are explicit and easy to audit. Every call is scoped to the requesting tenant and written to an audit log, so the capability is safe to run inside a regulated, on-premise environment — the same governance model behind every VDF AI tool.

Teams reach for Secrets Scan when they need to handle pre-commit, log safety, and output checks. It rarely works alone — pair it with PII Detection, Repository Security Scan, and Permission Check to build a complete, governed workflow, then compose those steps into an on-premise VDF AI Network.

Where it pays back

Where Secrets Scan pays back

Pre-commit

Block a secret before it lands in a repo.

Log safety

Catch credentials before they’re logged.

Output checks

Ensure an agent isn’t echoing a key.

Audits

Scan config for embedded secrets.

How VDF AI connects it

Assigned to agents, orchestrated as networks

On VDF AI, an industry’s use cases map to agents, and you assign tools like this one to those agents. Compose multiple agents into a governed, on-premise network.

ROI Snapshot

What changes after you assign it

Safer
PII and secrets protected
Accountable
Every action traceable
Controlled
Cost and limits visible
100%
Runs in your environment
FAQ

Questions about the Secrets Scan tool

What is the Secrets Scan tool?

It scans text, code, or config for secrets such as API keys, tokens, and passwords. Assigned to a VDF AI agent, it runs under role-based policy with full audit logging so the capability is safe to use in production.

What secrets does it find?

API keys, tokens, passwords, and high-entropy strings that look like credentials.

How does it fit a coding agent?

Agents run it before committing or opening a PR so a leaked secret never ships.

What inputs does the Secrets Scan tool need?

It requires content, and optionally accepts min_entropy. Each parameter is validated when an agent calls the tool, and the full call is logged for audit.

Which tools pair well with Secrets Scan?

Secrets Scan is commonly assigned alongside PII Detection, Repository Security Scan, and Permission Check. On VDF AI you compose several tools and agents into a single governed, on-premise network.

Does it run on-premise?

Yes. Like every VDF AI tool, it can run on-premise or in your sovereign cloud, scoped per user and audit-logged, so your data never leaves your perimeter.

How do agents use it?

You assign the tool to an agent under a role-based policy; the agent calls it as one step in a task, and several agents and tools can be orchestrated together as a governed VDF AI Network.

Put Secrets Scan to work

See the Secrets Scan tool assigned to an agent and orchestrated in a governed, on-premise network.