Your RSA-2048 keys break in 2030. Find every one of them before attackers do.
ProductsSecret Scanner

Secrets don't hide. Not anymore.

GitHub's scanner only sees your current branch. O3 finds secrets buried in commit history, baked into container layers, leaked into CI env vars — and tells you exactly what each one can access.

Coverage

Three things competitors consistently miss.

Most secret scanners check what's in front of them. O3 checks everywhere a secret could possibly hide — including the places you forgot existed.

Coverage areaO3GitHubGitGuardian
Current branch / HEAD
Full git commit history
~
CI/CD environment variables
~
Container image layers
Blast radius analysis
Live credential verification
~
Org guideline enforcement
~
Full support
Partial
Not supported
Capabilities

Every surface. Every format. Every secret.

Git history deep scan

O3 walks every commit in your repository history — not just HEAD. Secrets that were committed and deleted years ago are still recoverable by anyone with repo access. O3 finds and flags them.

Container layer inspection

Docker images accumulate layers. A secret baked into layer 3 and "removed" in layer 7 is still sitting in the image. O3 decomposes every layer and scans each independently.

CI/CD env var detection

CI runners log more than they should. O3 monitors build logs, pipeline artifacts, and environment variable exports for secrets that leak during build or test execution.

Blast radius mapping

Finding a secret is step one. O3 tells you what it can access — which AWS account, which database, which API. You see the real exposure, not just the string.

Active credential verification

O3 tests whether each detected credential is still active — without triggering rate limits or security alerts. Expired tokens are deprioritized. Live ones are escalated immediately.

Automatic revocation workflow

For supported providers — AWS, GCP, GitHub, Stripe, Twilio, and more — O3 can trigger revocation automatically and notify the owner, closing the exposure window in minutes.

Blast radius

Found a secret. Now what?

Knowing a secret exists is only useful if you understand what it can reach. O3 doesn't hand you a string and walk away — it maps the full access scope of every credential it finds.

An AWS key buried in a 2021 git commit might still grant S3 read access to your production bucket. An old Stripe secret might still process live charges. O3 tells you before an attacker does.

Is the credential still active?
What services and data can it access?
Is it scoped to prod, staging, or both?
Has it been used in the last 30 days?
Live credential detected
found in commit a3f912b · 14 months ago
AWS Access Key
AKIA4EXAMPLESECRETKEY
STILL ACTIVELast used: 3 days ago
Access scope
S3
PRODUCTIONcritical
RDS
PRODUCTIONhigh
IAM
GLOBALcritical
CloudWatch
STAGINGmedium

No secret leaves your codebase undetected.

Book a demo and see O3 surface leaked credentials, API keys, and sensitive data across every commit.

FAQ

Questions,
answered.

Everything teams ask before rolling this out. Still stuck? Reach our team.

  • GitHub's secret scanning watches your default branch and open pull requests. It doesn't walk full commit history, doesn't inspect container image layers, and doesn't monitor CI/CD environment variable logs. A secret committed to a feature branch two years ago, deleted in the next commit, is invisible to GitHub, but it's still in the git object store and accessible to anyone who clones the repo.
  • Blast radius analysis answers the question: if this secret is in the wrong hands right now, what can the attacker actually do? O3 attempts to verify whether the credential is still active and then maps which services, accounts, and data it can reach. An expired token has a blast radius of zero. A live AWS key with broad IAM permissions might expose every S3 bucket in your account. Knowing the difference determines your response urgency.
  • Docker images are built as a stack of filesystem layers. A secret added in an early layer and then deleted in a later layer is still present in the image's layer history, any tool that unpacks the full image manifest can read it. O3 decomposes every layer independently and scans each filesystem snapshot for credentials, regardless of whether those files appear in the final image.
  • For supported providers, including AWS, GCP, GitHub tokens, Stripe, Twilio, and several others. O3 can trigger credential revocation automatically once a live secret is confirmed. The credential owner is notified, the token is invalidated, and the incident is logged with a timestamp. For providers without API-driven revocation, O3 generates a step-by-step remediation playbook.
  • Yes. CI runners frequently log more than intended, environment variable values appear in debug output, test runners echo configuration, and build steps print raw request headers. O3 monitors build logs and pipeline artifacts for secret patterns. It also audits which environment variables are registered in your CI provider and flags those that match known credential formats, whether or not they've appeared in logs.
  • O3 scans the entire reachable git history of your repository, every commit, every branch, every tag. There is no configurable cutoff by default, because attackers don't have one either. On very large repositories with tens of thousands of commits, you can narrow the scan window by branch or date range, but the default is complete history.