Generic secrets AI

Like Semgrep Secrets, which uses rules to scan for specific secrets, generic secrets AI scans your code for credentials that were inadvertently committed, such as API keys, passwords, and access tokens. Rather than matching a specific secret format, AI-powered generic secrets detection looks for common keywords, such as auth, key, or password, and flags anything nearby that appears to be a secret. It then analyzes those candidates to eliminate false positives, so you only see high-signal results that are likely to be true positives.
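To illustrate the two-pass approach described above, here is an added Python example (not Semgrep's own code or rules) that flags quoted values sitting next to a keyword and then applies a simple second pass to drop placeholders, templated values, and low-entropy strings. The keyword list, the entropy cutoff, and the sample lines are all assumptions constructed for this example.

```python
import math
import re
from collections import Counter

# First pass: a keyword (possibly part of a longer identifier), an assignment or
# YAML-style separator, then a quoted value of 8+ characters. The keyword list,
# placeholder set and entropy cutoff are assumptions for this example.
CANDIDATE = re.compile(
    r"(?i)(?P<kw>auth|key|password|passwd|secret|token)\w*\s*[:=]\s*"
    r"['\"](?P<val>[^'\"\n]{8,})['\"]"
)
PLACEHOLDERS = {"changeme", "example", "your_api_key", "xxxxxxxx"}
TEMPLATE = re.compile(r"\$\{|\{\{|<[^>]+>")  # ${VAR}, {{ var }}, <your-key>
MIN_ENTROPY = 3.0                            # bits per character, assumed cutoff

def shannon_entropy(value: str) -> float:
    """Bits of entropy per character; random-looking strings score high."""
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values())

def looks_like_secret(value: str) -> bool:
    """Second pass: drop obvious placeholders, templates and repetitive strings."""
    if value.lower() in PLACEHOLDERS or TEMPLATE.search(value):
        return False
    return shannon_entropy(value) >= MIN_ENTROPY

def scan(lines):
    """Every (line_no, keyword, value, likely_secret) candidate near a keyword."""
    found = []
    for line_no, line in enumerate(lines, start=1):
        for m in CANDIDATE.finditer(line):
            val = m.group("val")
            found.append((line_no, m.group("kw").lower(), val, looks_like_secret(val)))
    return found

def high_signal(lines):
    """Only the candidates that survive the false-positive filter."""
    return [(n, kw, val) for n, kw, val, ok in scan(lines) if ok]

# Constructed sample input; the values are made up, not real credentials.
SAMPLE = """\
api_key = "k9Xq2vT7pLm4nR8wZc1yB5"
db_password = "changeme"
token = os.environ["GITHUB_TOKEN"]
auth_header = "Bearer ${TOKEN}"
secret_key = "aaaaaaaaaaaaaaaa"
password: "P@ssw0rd-Xy7!kL2m"
"""
SAMPLE_LINES = SAMPLE.splitlines()
```

Of the five candidates the first pass raises on the sample, only lines 1 and 6 survive the second pass; the entropy heuristic stands in for the AI analysis the page describes and only shows why that filtering step is needed.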

Prerequisites

To scan your code for generic secrets, you must have the following:

Generic secrets does not work with local scans initiated by running the semgrep ci command, because Semgrep Assistant requires code access.

Enable generic secrets

  1. Sign in to Semgrep AppSec Platform.
  2. Go to Settings > Deployment and navigate to the Secrets section.
  3. Click the Generic secrets toggle to turn on generic secrets.

Once you have enabled generic secrets, your subsequent Semgrep Secrets scans automatically run with generic secrets rules. You can confirm that this is the case by looking for the following confirmation message in the CLI output:

SECRETS RULES
-------------
AI augmented rules are active for secrets detection.

If there are findings, Semgrep returns the following CLI message:

Your deployment has generic secrets enabled. X potential line locations
will be uploaded to the Semgrep platform and then analyzed by Semgrep Assistant.
Any findings that appear actionable will be available in the Semgrep Platform.
You can view the secrets analyzed by Assistant at URL

View findings

  1. Sign in to Semgrep AppSec Platform.
  2. Go to Secrets to see a list of all findings identified by Semgrep Secrets.
  3. Filter for generic secrets findings by setting the Secret type filter to Generic Secret (AI).

Figure. Generic secrets findings in Semgrep AppSec Platform.

Disable generic secrets

  1. Sign in to Semgrep AppSec Platform.
  2. Go to Settings > Deployment and navigate to the Secrets section.
  3. Click the Generic secrets toggle to turn off generic secrets.

Once disabled, all of your generic secrets findings are removed from Semgrep AppSec Platform after the next scan.
