
Secret Scanning

One should not have secrets lying around in their codebase, but sometimes it happens. To help you avoid this, we have a secret scanning feature that will scan your codebase for secrets and warn you if any are found.

Supported patterns

A default set of secret patterns is defined at https://github.com/microsoft/genaiscript/tree/main/packages/core/src/config.json.

This is not a complete list by design, and it needs to be updated to match your needs.

You can find examples of patterns at https://github.com/mazen160/secrets-patterns-db/.

Scanning messages

By default, all messages sent to LLMs are scanned and redacted if they contain secrets.

You can disable secret scanning altogether by setting the secretScanning option to false in your script.

script({
secretScanning: false,
})

Configuring patterns

If you have a specific pattern that you want to scan for, you can configure it in your configuration file.

genaiscript.config.json
{
"secretPatterns": {
...,
"my secret pattern": "my-secret-pattern-regex"
}
}
  • Do not use the ^ or $ anchors in your regex pattern.

Disabling patterns

Set the pattern key to null or false to disable it.

genaiscript.config.json
{
"secretPatterns": {
"OpenAI API Key": null
}
}
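To make the two configuration sections above concrete, here is an added example (not GenAIScript's own scanner) of a small redactor that consumes a secretPatterns map of the same shape: regex source strings, with null or false disabling a pattern. The pattern strings and the sample message are constructed for illustration and are not the project's defaults.

```javascript
// Added example, not the GenAIScript implementation: apply a secretPatterns
// map (as in genaiscript.config.json) to a message and redact every match.

// Constructed sample config. The regexes are illustrative, not a complete list.
const secretPatterns = {
  "OpenAI API Key": "sk-[A-Za-z0-9]{20,}",
  "GitHub Token": "ghp_[A-Za-z0-9]{36}",
  "Slack Token": null, // disabled, exactly as a null entry in the config would be
};

// Compile only the enabled patterns. The 'g' flag finds every occurrence
// inside a message; this is why patterns must not be anchored with ^ or $:
// an anchored regex only matches a message consisting of nothing but the secret.
function compilePatterns(patterns) {
  const compiled = [];
  for (const [name, source] of Object.entries(patterns)) {
    if (source === null || source === false) continue; // disabled pattern
    compiled.push({ name, re: new RegExp(source, "g") });
  }
  return compiled;
}

// Scan text and replace each match with a named placeholder.
// Returns the redacted text plus findings suitable for logging or alerting
// (pattern name and match length only, never the secret itself).
function redactSecrets(text, patterns = secretPatterns) {
  const findings = [];
  let redacted = text;
  for (const { name, re } of compilePatterns(patterns)) {
    redacted = redacted.replace(re, (match) => {
      findings.push({ name, length: match.length });
      return `<${name} redacted>`;
    });
  }
  return { redacted, findings };
}

// Constructed sample message; the key and token values are fake.
const sample =
  "Use key sk-abcdefghijklmnopqrstuvwxyz0123 and token ghp_" + "A".repeat(36) + " please";
console.log(redactSecrets(sample));
```

Running the block prints the redacted message and two findings; an anchored variant of the same pattern (^sk-...$) would find nothing in that message, which is the caveat from the configuration section.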

CLI

You can test your patterns against files using the CLI.

genaiscript parse secrets *