guardrails_scan_secrets
Scans text or source code for exposed secrets and credentials to prevent leaks into commits, logs, or LLM context. Detects 8 credential formats including API keys, tokens, and passwords.
Instructions
Scan text or source code for exposed secrets and credentials before they leak into commits, logs, or LLM context.
Detects 8 credential formats: Stripe keys (sk_live/pk_test...), AWS
access key IDs (AKIA...), GitHub personal access tokens (ghp_...),
OpenAI API keys (sk-...), Slack tokens (xox...), JWTs (three-part
eyJ... tokens), hardcoded password literals (password=...), and
generic api_key/secret_key/access_token assignments. Use this before
committing code, pasting logs into tickets, or forwarding text to an
external model. Deterministic regex engine; read-only, never stores
or transmits the scanned content.
Returns a JSON object:
- secrets_detected (bool): true if any credential was found.
- findings (list): one object per credential type found, with
"secret_type" (str, e.g. "aws_access_key", "github_pat", "jwt")
and "count" (int: occurrences). Raw secret values are never
echoed back.
- severity (str): "critical" if anything was found, else "none".
Example: guardrails_scan_secrets(text="AWS_KEY=AKIAIOSFODNN7EXAMPLE")
returns secrets_detected true, severity "critical", with one finding
of secret_type "aws_access_key" (count 1).
Billing note: on the hosted ThinkNEO endpoint this call costs 1 TNC;
this open-source build runs free and offline.
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| text | Yes | The text or source code to scan for leaked credentials: code snippets, configuration files, environment dumps, CI logs, or any string that might accidentally contain API keys, tokens, or passwords. Up to 50,000 characters. |
Output Schema
| Name | Required | Description | Default |
|---|---|---|---|
| result | Yes |