View Secret Findings

Secret findings appear in the Secrets tab of your Radar project. Each finding represents a detected credential or sensitive value in your codebase, with details on the secret type, severity, location, and remediation guidance.

Unlike SAST and SCA findings, secret remediation requires rotating and revoking credentials at the provider level, not just fixing code. The Secrets tab provides a dedicated view for this distinct workflow.


[Screenshot: ByteHide Radar Secrets tab showing 112 total detections with severity breakdown of 4 critical, 42 high, 65 medium, and 1 low; findings table with DatadogToken, MongoDB, CloudflareGlobalApiKey, and Squareup secrets showing fingerprint, title, severity, status, location, and last seen columns]


Accessing Secret Findings

  1. Open your Radar project from the ByteHide dashboard
  2. Click the Secrets tab in the project navigation
  3. The findings table displays all detected secrets from the most recent scan

If no findings appear, either your code has no detected secrets or a scan has not yet completed. Use Scan Project to trigger a manual scan.


Findings Table Columns

| Column | Description |
|---|---|
| Fingerprint | Unique tracking ID. Remains consistent across scans for deduplication |
| Title | Secret type and context (e.g., "Hardcoded Stripe Secret Key detected"). Click to open the detail panel |
| Severity | Impact level based on credential type: Critical, High, Medium, or Low |
| Status | Open (needs remediation), Fixed (no longer detected), Ignored (accepted risk), False Positive (not an actual secret) |
| Location | File path and line number with a direct link to the file in your GitHub repository |
| Last Seen | Timestamp of the most recent scan that detected this secret |
| AutoFix | Whether automated remediation is available. Replaces hardcoded values with environment variable references or ByteHide Secrets SDK calls |

Filtering Findings

The Secrets tab provides Status and Severity filters:

  • Status: Open (default view), Fixed, Ignored, False Positive
  • Severity: Critical, High, Medium, Low

Simplified Filters

Secret findings use simpler filters than SAST findings. Since all hardcoded credentials map to CWE-798, there are no CWE or OWASP category filters. Severity and status are the primary dimensions.


Secret Severity Levels

| Level | Criteria | Examples |
|---|---|---|
| Critical | Admin or unrestricted access to production systems. Full system compromise, data breach, or significant financial impact | AWS root keys, RSA/SSH private keys, JWT signing secrets, database superuser credentials, Stripe live-mode secret keys |
| High | Significant access to production services or sensitive data. Data exposure, service disruption, or unauthorized actions | Limited database credentials, restricted cloud credentials, OAuth client secrets, CI/CD deployment tokens |
| Medium | Non-production environments, monitoring services, or limited blast radius | Staging credentials, Datadog/New Relic/Sentry keys, webhook URLs, rate-limited API keys |
| Low | Minimal risk, flagged for awareness and best practice compliance | Test API keys, expired tokens, public keys found alongside private key patterns, example credentials in docs |

Finding Detail

Click any finding to open the detail panel.

[Screenshot: ByteHide Radar secret finding detail showing DatadogToken secret detected with 75% High confidence score, CWE-798 and OWASP A02:2021 badges, AI Explanation link, Create PR to fix button, description, file location with GitHub link, code snippet with partially masked credential values, and rotation recommendation]

| Tab | Content |
|---|---|
| General | Secret type, CWE-798 and OWASP A02:2021 classification, file location with line/column, code snippet (value partially masked), confidence score, and rotation recommendation |
| AI Explanation | Plain-language explanation of why the string was identified, access risks, step-by-step remediation instructions specific to the credential type, and links to provider documentation for rotation |
| Autofix With AI | Generate a pull request that replaces the hardcoded value with an environment variable reference or a ByteHide Secrets SDK call. See AutoFix |
| Activity | History of status changes, scans, and team actions on this finding |

Protect Secret Values

Never share or screenshot the full value of a detected secret. Radar partially masks credentials in the UI. Use the fingerprint identifier when referencing findings.
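
The shape of the code change AutoFix is described as making (hardcoded value replaced by an environment variable reference), shown with a startup check that rejects the committed value if it was only moved and never rotated. This is an added example, not ByteHide's generated output or SDK; the variable name DATADOG_API_KEY, the placeholder key, the leaked-hash check, and the masking scheme are assumptions.

```python
import hashlib
import os

# BEFORE: the pattern a finding points at (CWE-798).
# Constructed placeholder value, not a real credential.
HARDCODED_API_KEY = "EXAMPLE-not-a-real-key-0123456789abcdef"

# Hashes of values that were committed to the repository. They remain in git
# history after the code fix, so the application must never accept them again.
LEAKED_SHA256 = {hashlib.sha256(HARDCODED_API_KEY.encode()).hexdigest()}


class SecretConfigError(RuntimeError):
    """Raised at startup so the service fails closed on a bad secret."""


def load_secret(name, environ=None, leaked=LEAKED_SHA256):
    """AFTER: read the credential from the environment at runtime."""
    env = os.environ if environ is None else environ
    value = env.get(name, "").strip()
    if not value:
        # Report the variable name only; the value never reaches logs.
        raise SecretConfigError(f"required secret {name} is not configured")
    if hashlib.sha256(value.encode()).hexdigest() in leaked:
        # Same value moved into an env var: the code is fixed, the leak is not.
        raise SecretConfigError(
            f"{name} matches a leaked value; rotate it at the provider"
        )
    return value


def mask(value, visible=4):
    """Partially mask a secret for logs or tickets (assumed masking scheme)."""
    if len(value) <= visible * 2:
        return "*" * len(value)  # too short to reveal any part safely
    return value[:visible] + "*" * (len(value) - visible)


if __name__ == "__main__":
    # Constructed environment standing in for the deployment's real one.
    demo_env = {"DATADOG_API_KEY": "rotated-value-9f8e7d6c5b4a"}
    key = load_secret("DATADOG_API_KEY", demo_env)
    print("loaded", mask(key))
```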


Bulk Actions

Select multiple findings using the checkboxes to apply status changes (Ignored, False Positive) with a shared justification. Bulk actions are logged in the project audit trail.


Next Steps

Triage and Remediation

The workflow for rotating, revoking, and remediating detected secrets.

Supported Secret Types

Complete list of credential types and patterns detected by Radar.

Custom Detection Rules

Define organization-specific patterns for internal credentials.
