← All modules
security

Plaintext Secrets

Live

Polyglot source code scanner that detects hardcoded secrets across projects.

event.type === "secret:detected" observe/modules/plaintext-secrets
Overview

What Plaintext Secrets does

Plaintext Secrets scans source trees for hardcoded credentials and records findings without storing the secret value itself. It keeps enough metadata to triage: file path, line number, detector, severity, fingerprint, and false-positive state.

The user-facing Secrets module remains a coming-soon product name while this implementation module provides the scanner and findings table that Observe can render today.

Wire payload

Same shape, three syntaxes

The wire protocol is plain HTTP, plain JSON, HMAC-SHA256. The TypeScript tab uses the SDK; the cURL tab is the raw HTTP equivalent; the Python tab shows the preview SDK shape.

import { createCuittyClient } from "@cuitty/sdk";

const cuitty = createCuittyClient({
  observeUrl: "https://observe.cuitty.com",
  projectId: process.env.CUITTY_PROJECT_ID!,
  apiKey: process.env.CUITTY_API_KEY!,
});
cuitty.start();

await cuitty.emit({
  type: "secret:detected",
  timestamp: new Date().toISOString(),
  data: {
    file: "src/config.ts",
    line: 42,
    detector: "aws-access-key",
    severity: "high",
    fingerprint: "sha256:...",
  },
});
Storage

Database schema

Excerpt from observe/modules/plaintext-secrets/schema.sql. One libSQL file per module — back it up with cp.

CREATE TABLE IF NOT EXISTS plaintext_secret_findings (
  id TEXT PRIMARY KEY,
  file_path TEXT NOT NULL,
  line_number INTEGER,
  detector TEXT NOT NULL,
  severity TEXT NOT NULL,
  fingerprint TEXT NOT NULL,
  false_positive INTEGER DEFAULT 0
);

Related modules