Secrets Detection Accuracy Benchmark
Secrets detection benchmarks measure how accurately tools find leaked credentials in code and git history, reporting recall, precision, false-positive rate, and verified-secret rate by type. Balancing recall against precision and scanning full history are key.
Secrets detection accuracy benchmarks evaluate how well tools find hard-coded credentials, API keys, tokens, and certificates committed to source code, configuration, and version-control history. Leaked secrets are a leading cause of breaches, and a single exposed key can compromise an entire system. These benchmarks measure whether scanners reliably catch real secrets without drowning developers in false alarms.
The challenge is signal quality: secrets resemble ordinary high-entropy strings, so naive detection floods teams with noise while missing cleverly hidden credentials.
What It Measures
Core metrics are recall (real secrets found divided by all real secrets present), precision (true secrets divided by all alerts), false-positive rate, and verified-secret rate (share of findings confirmed live by validating them against the issuing service). Results are broken down by secret type (cloud keys, database URLs, private keys, OAuth tokens) because detection accuracy varies sharply by format.
Methodology
Benchmarks use a corpus with labeled ground truth: real and synthetic secrets planted among realistic code, plus non-secret high-entropy strings to test false positives. Each tool scans the corpus and full git history, and findings are matched against labels to count true positives, false positives, and false negatives, yielding recall, precision, and false-positive rate. Detection techniques tested include pattern and regex matching, entropy analysis, and provider-specific signatures. Advanced benchmarks measure the verified-secret rate by attempting to validate detected credentials against their services, which dramatically cuts false positives. Fair comparison fixes the same corpus, secret taxonomy, and history depth, since scanning git history is essential because secrets persist in old commits even after removal.
How to Interpret Results
Recall and precision must be balanced: high recall with poor precision buries developers in false positives and gets the tool disabled, while high precision with low recall leaves real keys exposed. The verified-secret rate is the strongest signal, since a validated live credential is unambiguously actionable. Per-type breakdowns matter because a tool strong on cloud keys may miss custom or generic tokens. Confirm the tool scans full history, not just the current tree, because exposed secrets in old commits remain compromised. Treat synthetic-corpus scores as a relative ranking and validate the chosen tool against your own repositories and secret types.
Limitations
Synthetic corpora may not reflect the messy, varied ways real secrets appear, so scores can be optimistic. Generic or custom secret formats are hard to detect without specific signatures, capping recall. Verification can be intrusive or rate-limited and is not possible for all secret types. False positives depend heavily on the codebase's entropy profile, so rates vary by repository. The benchmark measures detection, not remediation or rotation, which is where real risk reduction happens. Best paired with rotation workflows and pre-commit prevention rather than relied on as the only defense.