Leaked Secrets · Dependency CVEs

Repository Secrets & Dependency Scan

Point us at a public GitHub or GitLab repository (or paste your manifests) and we scan for two of the most common supply-chain risks: hard-coded secrets and known-vulnerable dependencies. Secret values are always redacted.

Pro feature

Repo Secrets + SCA is a Pro tool

Specialized scans are part of ONEROXE Pro. Sign in and upgrade to run the Repo Secrets + SCA scan.


Pro from ₹349/mo ($12/mo).

What this assesses

  • Hard-coded secrets — provider-specific patterns (AWS, Google, Stripe, etc.) + high-entropy detection
  • Secret redaction — only a masked preview is ever shown or stored
  • Dependency parsing — package.json, requirements.txt, go.mod, Gemfile.lock, composer.json
  • Known-vulnerable dependency correlation against the local CVE mirror
  • Severity-graded findings with upgrade guidance

How it works

Read-only · reads public manifests / pasted files
  1. We read dependency manifests and lockfiles from a public Git repo URL (or the files you paste) — npm, pip, Cargo, Go, Maven, composer and more.
  2. We scan for hard-coded secrets (shown redacted) and correlate declared dependency versions against known CVEs.
  3. We only read public manifest files — no code is executed and nothing is written back.

What it doesn’t do: this is a shallow manifest-level scan; it does not clone full history or resolve transitive dependency trees the way a build would.
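As an added illustration of the pattern-plus-entropy secret detection and redaction described above (example code, not the tool's own implementation; the two provider rules, the 3.5-bit threshold and the sample input are constructed assumptions):

```python
import math
import re

# Provider-specific rules (two assumed for this example; real scanners ship many more).
PROVIDER_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "stripe_live_key": re.compile(r"\b(sk_live_[0-9a-zA-Z]{24,})\b"),
}
# Generic catch-all: a secret-looking name assigned a token of 20+ characters.
GENERIC_ASSIGNMENT = re.compile(
    r"(?i)(secret|token|password|api_key)\s*[:=]\s*['\"]?([A-Za-z0-9+/_\-=]{20,})")
ENTROPY_THRESHOLD = 3.5  # bits per character; a tuning assumption for this example

def shannon_entropy(s: str) -> float:
    """Bits per character: repetitive words score low, random keys score high."""
    if not s:
        return 0.0
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def redact(value: str, keep: int = 4) -> str:
    """Masked preview: first/last `keep` chars stay so the owner can recognise the key."""
    if len(value) <= 2 * keep:
        return "*" * len(value)
    return value[:keep] + "*" * (len(value) - 2 * keep) + value[-keep:]

def scan_text(text: str) -> list:
    """Findings carry line number, rule name and masked preview, never the raw value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        matched = set()
        for rule, pattern in PROVIDER_PATTERNS.items():
            for m in pattern.finditer(line):
                matched.add(m.group(1))
                findings.append({"line": lineno, "kind": rule, "preview": redact(m.group(1))})
        for m in GENERIC_ASSIGNMENT.finditer(line):
            candidate = m.group(2)
            if candidate in matched:
                continue  # already reported by a provider rule
            entropy = shannon_entropy(candidate)
            if entropy >= ENTROPY_THRESHOLD:
                findings.append({"line": lineno, "kind": "high_entropy",
                                 "preview": redact(candidate), "entropy": round(entropy, 2)})
    return findings

# Constructed sample; the AWS value is the documented AWS example key, not a live credential.
SAMPLE = """\
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
DB_PASSWORD=Welcome2024Welcome2024
API_TOKEN=q8Zx2Lm9Rt4Vw7Yb1Nc6Pd3Kf5Hg0Js
"""
```

Running `scan_text(SAMPLE)` reports the AWS key by provider rule and the random API token by entropy, while the repetitive password scores below the threshold and is skipped.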

Why it matters

Most breaches that start in code start with a committed credential or an unpatched dependency with a public exploit. Both are cheap to catch automatically and expensive to miss — a single leaked key in Git history can compromise an entire environment.

Frequently asked questions

Do you store my secrets or code?

No. Secret values are redacted to a masked preview inside the scanner before they leave it, and pasted input is processed in-memory for the scan only.

Why did the dependency scan say the CVE mirror is not synced?

Dependency CVE correlation uses a local copy of the NVD database. On hosts where that mirror has not been built yet, the tool tells you it skipped correlation rather than falsely reporting “no vulnerabilities”.

Can it scan a private repo?

This tool reads public repositories (or pasted content). Private-repo and full-history scanning is part of an authenticated engagement.
