Secret Scanner Warnings
Secret scanner warnings are a pause point before repository context leaves the app through the clipboard or an export bundle.
Recommended response
- Read the warning.
- Open the file preview.
- Decide whether the value is sensitive.
- Redact the value if the file is otherwise needed.
- Exclude the file if it should not be shared.
- Cancel the export if the selection needs more review.
- Re-run the scan before copy or export.
False positives
Some hashes, test constants, addresses, and generated identifiers can look like secrets. If you keep them, make that decision intentionally.
Examples that may be harmless after review:
- obvious fixture values;
- public test addresses;
- documented example keys that are not live;
- hashes or identifiers that are not credentials;
- local-only placeholders in tests.
Even when a value looks harmless, check surrounding code. A file can contain both fake fixtures and live-looking secrets.
If you are unsure
Do not export the bundle. Remove the flagged file or ask the repository owner through a channel that does not include the secret value.
Copy anyway
If the app exposes Copy anyway, treat it as an explicit risk decision. Use it only when you understand the warning and have confirmed the value is safe to share with the destination LLM tool or workspace.
For client repositories, prefer redaction, exclusion, or cancel unless your review policy explicitly allows the flagged content.
Safe support report
When asking for help, describe the detector type and file category, not the secret value. Do not paste the flagged token, credential, private key, or generated bundle into support email.
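The workflow above (scan, keep reviewed fixture values intentionally, redact or exclude, re-run the scan, and report without the value) as a small worked example. This is added code written for this page, not the app's own scanner: the two detector patterns, the `tests/` path convention used to label a file category, and the sample file contents are all assumptions.

```python
"""Constructed example: a toy pre-export secret scan with an allowlist for
reviewed fixtures, redaction, a re-scan, and a value-free support summary."""
import math
import re
from collections import Counter
from dataclasses import dataclass

# Hypothetical detectors; they are not the app's own rule set.
DETECTORS = {
    # A PEM private-key header: the whole file should be excluded, not patched.
    "private-key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    # key/secret/token/password assigned a quoted literal of 8+ characters.
    "assigned-secret": re.compile(
        r"(?i)\b(?:api[_-]?key|secret|token|password)\b\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
    ),
}

# Short on purpose: a marker under 8 characters cannot retrigger the
# assigned-secret detector when the scan is re-run after redaction.
REDACTED = "***"


@dataclass(frozen=True)
class Finding:
    line_no: int
    detector: str
    value: str       # kept in memory only; never written into reports
    entropy: float   # bits per character, a hint for the human reviewer


def shannon_entropy(s: str) -> float:
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan(text: str, allowlist: frozenset = frozenset()) -> list:
    """Return every detector hit that is not an explicitly allowlisted value."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name, rx in DETECTORS.items():
            for m in rx.finditer(line):
                value = m.group(1) if m.groups() else m.group(0)
                if value in allowlist:
                    continue  # reviewed fixture value, kept intentionally
                findings.append(Finding(line_no, name, value, shannon_entropy(value)))
    return findings


def redact(text: str, findings: list) -> str:
    """Replace every flagged single-line value with the short marker."""
    for f in findings:
        text = text.replace(f.value, REDACTED)
    return text


def decide(findings: list) -> str:
    """Map findings to the three outcomes on this page: exclude, redact, or keep."""
    if any(f.detector == "private-key" for f in findings):
        return "exclude"
    if findings:
        return "redact"
    return "keep"


def support_summary(path: str, findings: list) -> str:
    """Describe detector type and file category only; never the value."""
    category = "test fixture" if path.startswith("tests/") or "/tests/" in path else "source"
    lines = [f"{path} ({category}): {len(findings)} finding(s)"]
    for f in findings:
        lines.append(f"  line {f.line_no}: {f.detector} (entropy {f.entropy:.2f} bits/char)")
    return "\n".join(lines)


# Constructed sample file: one documented placeholder, one live-looking token.
SAMPLE = """# config used by tests
password = "placeholder"
api_key = "sk_live_9f8e7d6c5b4a3210"
"""
FIXTURES = frozenset({"placeholder"})  # reviewed and kept intentionally

if __name__ == "__main__":
    found = scan(SAMPLE, FIXTURES)
    print(support_summary("tests/config.py", found))   # no secret value appears
    print("decision:", decide(found))
    cleaned = redact(SAMPLE, found)
    print("re-scan clean:", scan(cleaned, FIXTURES) == [])
```

The allowlist is the code form of "make that decision intentionally": a value is skipped only when someone has listed it, and the re-scan of the redacted text is the check that nothing flagged survives before copy or export.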