Decoding and Validating Secrets
Find secrets hidden one encoding layer deep with --decode, and confirm which credentials are actually live with --validate.
Two opt-in flags sharpen secrets scanning: --decode finds credentials hidden
inside encoded blobs, and --validate confirms which detected credentials are
actually live.
Decoding encoded payloads (--decode)
Secrets are often committed one encoding layer deep — a base64 environment blob, a
hex string, a URL-encoded value, or a gzipped config. A normal scan sees only the
opaque outer blob and misses the credential inside. --decode decodes those payloads
(base64/hex/url/gzip) and re-runs the secret rules over the decoded content:
    xgrep --decode --category secrets .
    xgrep --history --decode --category secrets .   # combine with history scanning

Each decoded finding records its decode chain in metadata.decoded-from (e.g.
base64 > gzip). It's opt-in and hermetic — off by default, and decoding is a
local, deterministic transform with no network. See the
CLI reference for details.
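As an added illustration of the layered-decode pass described above (example code, not xgrep's own implementation): it peels base64/hex/url/gzip layers off encoded-looking tokens, re-runs a secret rule over each layer, and records the decode chain the way metadata.decoded-from does. The token format, the rule and the sample file are constructed for the example, and everything is a local transform with no network access.

```python
import base64, binascii, gzip, re, urllib.parse, zlib

# Constructed rule for a hypothetical token format; not xgrep's real secret rules.
SECRET_RE = re.compile(rb"EXAMPLE_TOKEN_[A-Za-z0-9]{16}")
# Encoded-looking tokens worth trying to peel (base64 / hex / url-encoded runs).
CANDIDATE_RE = re.compile(rb"[A-Za-z0-9+/%._~-]{16,}={0,2}")
MAX_DEPTH = 4  # bound the chain so nested garbage cannot recurse forever

def _try_decoders(blob: bytes):
    """Yield (layer_name, decoded_bytes) for every decoder that accepts the blob.
    Purely local, deterministic transforms: nothing here touches the network."""
    if blob[:2] == b"\x1f\x8b":                      # gzip magic bytes
        try:
            yield "gzip", gzip.decompress(blob)
        except (OSError, EOFError, zlib.error):
            pass
    s = blob.strip()
    if re.fullmatch(rb"[0-9a-fA-F]{8,}", s) and len(s) % 2 == 0:
        yield "hex", binascii.unhexlify(s)
    if re.fullmatch(rb"[A-Za-z0-9+/]{8,}={0,2}", s):
        try:
            yield "base64", base64.b64decode(s, validate=False)
        except (binascii.Error, ValueError):
            pass
    if b"%" in s:
        decoded = urllib.parse.unquote_to_bytes(s)
        if decoded != s:
            yield "url", decoded

def scan_decoded(data: bytes, chain=(), depth=0):
    """Run the secret rule over the blob, then over each layer that can be peeled off it.
    Returns (secret, decode_chain) pairs: the chain is '' for a plaintext hit and
    e.g. 'base64 > gzip' when the secret sat two encoding layers down."""
    findings = [(m.group(0).decode(), " > ".join(chain)) for m in SECRET_RE.finditer(data)]
    if depth >= MAX_DEPTH:
        return findings
    # Try the whole blob first (gzip bodies), then each encoded-looking token inside it.
    for blob in dict.fromkeys([data, *CANDIDATE_RE.findall(data)]):
        for layer, inner in _try_decoders(blob):
            if inner and inner != blob:
                findings.extend(scan_decoded(inner, chain + (layer,), depth + 1))
    return findings

# Constructed sample file: one plaintext token and one gzipped-then-base64'd config blob.
SAMPLE = (b"DB_TOKEN=EXAMPLE_TOKEN_zzzzzzzzzz000000\n"
          b"APP_CONFIG=" + base64.b64encode(gzip.compress(b"token=EXAMPLE_TOKEN_abcdefghij123456", mtime=0)) + b"\n")

if __name__ == "__main__":
    for secret, chain in scan_decoded(SAMPLE):
        print(f"{secret}  decoded-from: {chain or '(plaintext)'}")
```

scan_decoded(SAMPLE) reports the plaintext token with an empty chain and the embedded one with the chain base64 > gzip, mirroring the outer-to-inner order xgrep records in metadata.decoded-from.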
Validating live secrets (--validate)
Detection finds strings that look like credentials; --validate confirms whether
one is actually live by probing its provider, then raises a confirmed finding to
full severity while leaving revoked/invalid ones low:
    xgrep --validate --category secrets .

It is opt-in and off by default — the one mode that makes outbound network
calls. The candidate is sent only to that provider's fixed endpoint, and is never
logged or written to disk. Validators currently ship for GitHub, GitLab, Slack, and
Stripe tokens (more to follow). See the
CLI reference for the full
validation_state semantics.