How to Detect Hardcoded Secrets in Python Source Code

A Python utility that scans source code for common hardcoded secrets like API keys, passwords, tokens, and AWS credentials using regex patterns.

Difficulty: Medium | Python 3.9+ | Jun 28, 2026 | Algorithms & data structures

Python code
import re

def detect_secrets(text):
    """Detect potential hardcoded secrets in source code."""
    # Key names may themselves be quoted (dictionary or JSON style), so each
    # pattern allows an optional quote on either side of the name; without it
    # the quoted aws_secret_access_key entry in the sample below is never matched.
    patterns = {
        'api_key': r'(?i)["\']?(api[_-]?key|apikey)["\']?\s*[=:]\s*["\']([^"\']+)["\']',
        'password': r'(?i)["\']?(password|passwd)["\']?\s*[=:]\s*["\']([^"\']+)["\']',
        'token': r'(?i)["\']?\b(token|secret)\b["\']?\s*[=:]\s*["\']([^"\']+)["\']',
        'aws_key': r'(?i)["\']?(aws_access_key_id|aws_secret_access_key)["\']?\s*[=:]\s*["\']([^"\']+)["\']',
    }
    findings = []
    for secret_type, pattern in patterns.items():
        # group(0) is the whole assignment, kept so each hit can be reviewed in context
        for match in re.finditer(pattern, text):
            findings.append((secret_type, match.group(0)))
    return findings

if __name__ == "__main__":
    sample_code = """
    api_key = "sk-abc123def456"
    password = "mysecretpassword"
    token = "ghp_xyz789"
    config = {
        "aws_secret_access_key": "AKIAIOSFODNN7EXAMPLE"
    }
    """
    results = detect_secrets(sample_code)
    for secret_type, value in results:
        print(f"Found {secret_type}: {value}")

Output (stdout)
Found api_key: api_key = "sk-abc123def456"
Found password: password = "mysecretpassword"
Found token: token = "ghp_xyz789"
Found aws_key: "aws_secret_access_key": "AKIAIOSFODNN7EXAMPLE"

How it works

The function uses regular expressions to find patterns that match typical secret assignments such as api_key = or password:. Each pattern reports match.group(0), the entire assignment string, so you can review the hit in context; the quoted value itself is also available in a capturing group. re.finditer returns every non-overlapping match in the input text, making it easy to collect all hits. The script loops over a dictionary of patterns, so a new secret type is just one more dictionary entry with no change to the core logic.

Common mistakes

  • Using a single regex that misses variations like `API_Key` vs `api-key`
  • Forgetting to handle multiline assignments or inline dictionary values
  • Not escaping quotes or special characters properly in the regex pattern
  • Relying solely on regex without additional entropy checks (leads to false positives)
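Added example (not code from the page) addressing the last point above: it captures the quoted value separately from its name, scores it with Shannon entropy, drops obvious placeholders, and reports line numbers so each hit can be triaged. The combined pattern, the thresholds, the placeholder list and the sample input are all constructed for illustration.

```python
import math
import re

# Constructed pattern (not the page's): group 1 is the key name, group 2 the
# quoted value, so the value can be scored separately from its name.
SECRET_RE = re.compile(
    r'(?i)["\']?(api[_-]?key|apikey|password|passwd|token|secret|'
    r'aws_access_key_id|aws_secret_access_key)["\']?\s*[=:]\s*["\']([^"\']+)["\']'
)
# Values that are obviously placeholders rather than credentials (constructed list).
PLACEHOLDERS = {"changeme", "password", "example", "xxx", "todo", "<redacted>"}


def shannon_entropy(s: str) -> float:
    """Bits per character: random-looking keys score high, plain words low."""
    if not s:
        return 0.0
    counts = {ch: s.count(ch) for ch in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def scan_source(text, min_entropy=3.0, min_len=8):
    """Return (confident, weak), each a list of (line_no, name, value, entropy)."""
    confident, weak = [], []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in SECRET_RE.finditer(line):
            name, value = m.group(1).lower(), m.group(2)
            ent = round(shannon_entropy(value), 2)
            hit = (line_no, name, value, ent)
            # Short, placeholder or low-entropy values are kept but flagged as weak.
            if value.lower() in PLACEHOLDERS or len(value) < min_len or ent < min_entropy:
                weak.append(hit)
            else:
                confident.append(hit)
    return confident, weak


# Constructed sample; AKIAIOSFODNN7EXAMPLE is AWS's documented example key id.
SAMPLE = '''api_key = "sk-abc123def456"
password = "changeme"
passwd = "testtest"
token = "ghp_xyz789"
config = {"aws_secret_access_key": "AKIAIOSFODNN7EXAMPLE"}
'''

if __name__ == "__main__":
    confident, weak = scan_source(SAMPLE)
    for line_no, name, value, ent in confident:
        print(f"line {line_no}: {name} = {value!r} (entropy {ent})")
    print(f"{len(weak)} low-confidence hit(s) held back for review")
```

Entropy alone is a coarse signal (a word-based password can still score above 3 bits per character), so the weak list is meant for manual review rather than being discarded.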

Variations

  1. Compile each pattern once with `re.compile()` and call `pattern.finditer()` for slightly better performance on large codebases
  2. Extend the detection to commented-out secrets by stripping comment prefixes (such as a leading `#`) first, so that commented-out assignments are scanned too

Real-world use cases

  • Running on every pull request commit to catch secrets before they reach a remote repository.
  • Integrating into CI/CD pipelines to block builds that contain hardcoded credentials.
  • Scanning legacy repositories to inventory and remediate exposed secrets during security audits.
