Basics
Core concepts and overview of Stashbase scans
Scans help you detect hard-coded secrets in your code before they are committed or pushed.
Why use scans
Hard-coded secrets (API keys, credentials, and tokens) can be accidentally pushed and leaked. Scans catch these issues early so you can prevent accidental exposure and reduce security risk.
How scans work
Scans operate on the relevant git changes and related repository context. These changes are processed by Stashbase API servers to improve detection accuracy, reduce false positives, and better understand the code patterns where secrets are found.
Security
Scans are designed to work on the relevant git changes needed for detection rather than your entire repository history. The relevant git changes sent during a scan are processed by Stashbase API servers as part of the detection workflow.
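To make "relevant git changes" concrete, here is an added example (not Stashbase's code or detection engine) that scans only the lines a diff adds, which is the scope a pre-commit check needs. The two rules, the entropy threshold and the sample diff are assumptions constructed for illustration; the AWS value is the example key ID from AWS documentation.

```python
import math
import re

HUNK = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")
# Assumed rules for illustration only; a real engine uses many more.
ASSIGN = re.compile(r"""(?i)\b\w*(?:key|token|secret|passw(?:or)?d)\w*\s*[:=]\s*["']([^"']{12,})["']""")
AWS_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")

def entropy(s):
    """Shannon entropy in bits per character; low for placeholders like 'xxxx'."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def scan_diff(diff_text, min_entropy=3.5):
    """Return (path, new_line_no, rule) for suspicious lines the diff ADDS."""
    findings, path, line_no, in_hunk = [], None, 0, False
    for line in diff_text.splitlines():
        if line.startswith("diff --git "):
            in_hunk = False                      # next '+++ ' is a file header
        elif not in_hunk and line.startswith("+++ "):
            path = line[4:].removeprefix("b/")
        elif (m := HUNK.match(line)):
            in_hunk, line_no = True, int(m.group(1))
        elif in_hunk and line.startswith("+"):
            added = line[1:]
            if AWS_KEY_ID.search(added):
                findings.append((path, line_no, "aws-access-key-id"))
            elif (m := ASSIGN.search(added)) and entropy(m.group(1)) >= min_entropy:
                findings.append((path, line_no, "high-entropy-assignment"))
            line_no += 1
        elif in_hunk and line.startswith(" "):
            line_no += 1                         # unchanged context: count, don't scan
    return findings

# Constructed sample of `git diff --cached` output; all values are fake.
SAMPLE_DIFF = """\
diff --git a/app/config.py b/app/config.py
--- a/app/config.py
+++ b/app/config.py
@@ -1,3 +1,6 @@
 import os
-DEBUG = True
+DEBUG = False
+API_TOKEN = "d8Kq2LmZx7Rt9Vb4Np6Wy3Hs"
+SECRET_KEY = "xxxxxxxxxxxxxxxxxxxx"
 REGION = "eu-west-1"
+AWS_ID = "AKIAIOSFODNN7EXAMPLE"
"""

if __name__ == "__main__":
    for finding in scan_diff(SAMPLE_DIFF):
        print(finding)
```

The placeholder `SECRET_KEY` line matches the assignment rule but falls below the entropy threshold, so it is not reported.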
Scan types
Stashbase supports two main scan workflows:
- CLI scans: Manually triggered from your local repository (often in pre-commit or pre-push hooks)
- Repository scans: Continuous scans running against repository activity
Besides those, we also support text scans, which can be used to scan any text content, such as LLM input/output or CI logs, using the same detection engine.