Iris scans every file for hardcoded credentials using a two-layer detection system. At 10 points deducted per finding, it carries the highest single penalty in the Iris scoring system — a single leaked key can meaningfully drop a file’s health score and trigger enforcement gates before the credential ever reaches your remote.

Layer 1 — suspicious variable names

Iris matches suspicious variable names assigned to string literals. The following names (and their common variants) trigger a finding when assigned to a string value:
  • key
  • token
  • secret
  • password
  • auth
  • credential
  • api

Layer 2 — known credential formats

Iris also matches known credential formats regardless of the variable name they are assigned to:
  • GitHub PATs (ghp_)
  • OpenAI and Stripe keys (sk-)
  • AWS access key IDs (AKIA)
  • Google API keys (AIza)
  • Slack bot tokens (xoxb- / xoxp-)
  • Inline Bearer tokens

Placeholder values (your_key_here, changeme, REPLACE_ME, all-caps templates) are suppressed automatically and do not generate findings. Layer 1 hits also suppress matching Layer 2 hits on the same line to avoid duplicate Problems panel entries.
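The two-layer scan described above, as an added example in Python that is not Iris's own code: Layer 1 inspects the variable name of each string assignment (split into words, so `capital` does not match `api`), Layer 2 matches the listed credential prefixes anywhere on the line, placeholder values are suppressed, and a Layer 1 hit suppresses Layer 2 on the same line. The variant list, the regexes, the placeholder rule (all-caps words joined by underscores, optionally wrapped in `${}` or `<>`), the 10-point penalty helper and the sample file are assumptions constructed for this example; the page does not document Iris's own patterns.

```python
import re
from dataclasses import dataclass

# Layer 1: suspicious variable names. The variants are an assumption.
SUSPICIOUS_WORDS = {
    "key", "token", "secret", "password", "passwd", "pwd",
    "auth", "credential", "credentials", "api", "apikey",
}

# Layer 2: known credential formats (assumed regexes, not Iris's own).
CREDENTIAL_FORMATS = {
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{20,}"),
    "sk_key": re.compile(r"\bsk-[A-Za-z0-9_-]{16,}"),
    "aws_access_key_id": re.compile(r"\bAKIA[A-Z0-9]{16}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_-]{20,}"),
    "slack_token": re.compile(r"\bxox[bp]-[A-Za-z0-9-]{10,}"),
    "bearer_token": re.compile(r"\bBearer\s+[A-Za-z0-9._~+/=-]{16,}"),
}

PLACEHOLDERS = {"your_key_here", "changeme", "replace_me"}
# name = "value"  /  name: "value"  (single or double quotes)
ASSIGNMENT = re.compile(
    r"""(?P<name>[A-Za-z_][A-Za-z0-9_]*)\s*[:=]\s*["'](?P<value>[^"']*)["']"""
)


@dataclass(frozen=True)
class Finding:
    line_no: int
    layer: int
    rule: str
    excerpt: str


def name_words(name: str) -> list[str]:
    """Split snake_case / camelCase / SCREAMING_CASE into lowercase words."""
    spaced = re.sub(r"([a-z0-9])([A-Z])", r"\1_\2", name)
    return [w for w in spaced.lower().split("_") if w]


def is_placeholder(value: str) -> bool:
    """Assumed placeholder rule: known filler words or an ALL_CAPS template."""
    v = value.strip()
    if not v or v.lower() in PLACEHOLDERS:
        return True
    core = v.strip("<>{}$")  # tolerate ${API_KEY} and <API_KEY>
    return re.fullmatch(r"[A-Z]+(?:_[A-Z]+)+", core) is not None


def scan_line(line_no: int, line: str) -> list[Finding]:
    findings: list[Finding] = []
    # Layer 1: suspicious name assigned a non-placeholder string literal.
    for m in ASSIGNMENT.finditer(line):
        name, value = m.group("name"), m.group("value")
        if SUSPICIOUS_WORDS.intersection(name_words(name)) and not is_placeholder(value):
            findings.append(Finding(line_no, 1, f"suspicious name '{name}'", value))
    if findings:
        return findings  # a Layer 1 hit suppresses Layer 2 on the same line
    # Layer 2: known formats, regardless of the variable name.
    for rule, pattern in CREDENTIAL_FORMATS.items():
        for m in pattern.finditer(line):
            token = m.group(0).split()[-1]  # for "Bearer X" check X itself
            if not is_placeholder(token):
                findings.append(Finding(line_no, 2, rule, m.group(0)))
    return findings


def scan_text(text: str) -> list[Finding]:
    findings: list[Finding] = []
    for n, line in enumerate(text.splitlines(), start=1):
        findings.extend(scan_line(n, line))
    return findings


def penalty(findings: list[Finding]) -> int:
    """10 points deducted per finding, as the page states."""
    return 10 * len(findings)


# Constructed sample file; every value below is fake.
SAMPLE = """\
DB_HOST = "db.internal"
password = "hunter2-not-a-real-password"
api_key = "your_key_here"
GITHUB_TOKEN = "ghp_ExampleOnlyNotRealToken0123456789"
client = Client("AKIAEXAMPLEONLY00000")
headers = {"Authorization": "Bearer eyJhbGciOiJIUzI1NiJ9.exampleonly.signaturex"}
"""

if __name__ == "__main__":
    found = scan_text(SAMPLE)
    for f in found:
        print(f"line {f.line_no}: layer {f.layer} {f.rule}: {f.excerpt}")
    print(f"penalty: -{penalty(found)}")
```

Line 3 produces nothing because the value is a placeholder, and line 4 produces only a Layer 1 finding even though `ghp_` would also match Layer 2, which is the de-duplication the page describes.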

CLI scanning

Run iris secrets as a standalone scan — it is free and requires no authentication:
iris secrets
iris secrets --path ./src --json

Configuration

Set "enableSecretsDetection": false in .irisconfig.json to disable detection entirely. To keep detection active but suppress squiggles and Problems panel entries, set inlineDiagnostics.hardcodedSecrets to false instead.
{
  "enableSecretsDetection": false
}
Run iris secrets as a free CI step even without a Pro licence — it catches leaked credentials on every push regardless of licence status.