Secrets

Decoding and Validating Secrets

Find secrets hidden one encoding layer deep with --decode, and confirm which credentials are actually live with --validate.

Two opt-in flags sharpen secrets scanning: --decode finds credentials hidden inside encoded blobs, and --validate confirms which detected credentials are actually live.

Decoding encoded payloads (--decode)

Secrets are often committed one encoding layer deep — a base64 environment blob, a hex string, a URL-encoded value, or a gzipped config. A normal scan sees only the opaque outer blob and misses the credential inside. --decode decodes those payloads (base64/hex/url/gzip) and re-runs the secret rules over the decoded content:

xgrep --decode --category secrets .
xgrep --history --decode --category secrets .   # combine with history scanning

Each decoded finding records its decode chain in metadata.decoded-from (e.g. base64 > gzip). It's opt-in and hermetic — off by default, and decoding is a local, deterministic transform with no network. See the CLI reference for details.
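The layered decoding that --decode performs, shown as an added Python illustration rather than xgrep's own code: each blob is matched against the secret rules, then one encoding layer at a time is peeled (base64/hex/url/gzip) and the rules re-run, with the chain recorded the way metadata.decoded-from reports it. The rule patterns, the token splitting, the depth and size limits, and the sample values are all constructed for this example.

```python
import base64
import gzip
import re
import urllib.parse

# Hypothetical secret rules (constructed for this example; not xgrep's rule set).
RULES = {
    "github-token": re.compile(r"ghp_[A-Za-z0-9]{36}"),
    "aws-access-key": re.compile(r"AKIA[0-9A-Z]{16}"),
}

# One decoder per supported layer; each returns bytes or raises when the layer does not apply.
# base64 padding is restored first, since committed blobs often have it stripped.
DECODERS = [
    ("base64", lambda b: base64.b64decode(b + b"=" * (-len(b) % 4), validate=True)),
    ("hex", lambda b: bytes.fromhex(b.decode("ascii"))),
    ("url", urllib.parse.unquote_to_bytes),
    ("gzip", gzip.decompress),
]
MAX_DEPTH = 4         # bound the chain so a crafted blob cannot recurse without end
MAX_BYTES = 1 << 20   # refuse layers that inflate past 1 MiB (decompression bombs)


def scan_blob(data, chain=(), depth=0, findings=None):
    """Match RULES against data, then peel each decodable layer and recurse."""
    if findings is None:
        findings = set()
    text = data.decode("utf-8", errors="replace")
    for rule, rx in RULES.items():
        for m in rx.finditer(text):
            findings.add((rule, m.group(), " > ".join(chain)))  # "" means undecoded
    if depth < MAX_DEPTH:
        for layer, decode in DECODERS:
            try:
                out = decode(data)
            except Exception:
                continue  # this layer does not apply to this blob
            if out and out != data and len(out) <= MAX_BYTES:
                scan_blob(out, chain + (layer,), depth + 1, findings)
    return findings


def scan_text(text):
    """Split file text on whitespace, quotes and '=' and scan every token as a blob."""
    findings = set()
    for token in re.split(r"[\s\"'=]+", text):
        if len(token) >= 8:  # shorter tokens cannot hold an encoded credential of interest
            scan_blob(token.encode(), findings=findings)
    return [{"rule": r, "match": m, "decoded-from": c} for r, m, c in sorted(findings)]


# Constructed sample input: a gzipped-then-base64 env blob and a hex-encoded key (not real credentials).
TOKEN = b"ghp_0123456789abcdefghijklmnopqrstuvwxyz"
SAMPLE = ("export APP_CONFIG=" + base64.b64encode(gzip.compress(b"TOKEN=" + TOKEN)).decode()
          + "\nDB_KEY=" + b"AKIA0123456789ABCDEF".hex())
```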

Validating live secrets (--validate)

Detection finds strings that look like credentials; --validate confirms whether one is actually live by probing its provider, then raises a confirmed finding to full severity while leaving revoked/invalid ones low:

xgrep --validate --category secrets .

It is opt-in and off by default — the one mode that makes outbound network calls. The candidate is sent only to that provider's fixed endpoint, and is never logged or written to disk. Validators currently ship for GitHub, GitLab, Slack, and Stripe tokens (more to follow). See the CLI reference for the full validation_state semantics.