AI Safety & Governance

When a secret slips into a log line, the page that catches it before it spreads

Secret Leak Detector watches the surfaces where secrets accidentally land: log lines, prompt context, screenshot uploads, support attachments, decision bundles. When a candidate match shows up, the detector routes the finding to the right team, opens an automatic rotation request for the impacted credential, and bundles the evidence for the post-incident review. The goal is rotation in minutes, not days.

  • 5 surfaces watched
  • < 60s from detection to alert
  • Rotation request opened automatically
  • Audit bundle for every finding
Where It Looks

Five surfaces, one detector

The detector runs against five surfaces. Log lines (every entry shipped to your log backend gets scanned in flight). Prompt context (every input the AI fleet reads passes through the detector before reaching the model). Decision bundles (every saved bundle is rescanned). Support attachments (screenshots, files, error reports uploaded by humans). Configuration blobs (saved configs and runbooks). One detector, one alert path, no fragmented per-surface tooling.

  • Logs in flight: every log line is scanned as it streams to the backend; redacted in place when a finding lands
  • Prompt context: pairs with Prompt Egress Scanner so secrets are caught before they reach the LLM provider
  • Decision bundles: bundles are scanned at write time and rescanned periodically as the signature set evolves
  • Support attachments + configs: humans paste secrets too; uploads and saved configs go through the same scanner
What It Looks For

Categories, not a leaked rulebook

The detector groups findings into broad categories: cloud-provider credentials (AWS, GCP, Azure), platform tokens (GitHub, GitLab, Slack, Stripe, OAuth), private keys, JWTs, and high-entropy values that look credential-shaped. The detection rules themselves are intentionally not published. A public rulebook is an attacker's evasion guide; a private rulebook keeps the defense effective. Customers see categories and counts, not regexes.

  • Category-level visibility: every finding shows the category (cloud key, OAuth, JWT, etc.), useful for triage without exposing the rule
  • High-entropy fallback: unknown-format credentials are caught by entropy heuristics; these findings carry lower confidence but are still surfaced
  • Private rule set: specific patterns and thresholds are not published; keeps the detector effective against motivated probes
Rotation Flow

Findings open a rotation request, not a ticket

A finding does more than fire an alert. The detector identifies the credential's owning service (when known) and opens a rotation request through your secrets backend (Vault, AWS Secrets Manager, GCP Secret Manager, Azure Key Vault). The owning team is paged with the rotation request pre-filled. Approve and the rotation runs. The whole loop is designed to compress the leak-to-rotation time, which is the number that actually matters.

  • Owning service detected: where possible, the credential is matched to its owning service so the right team is paged
  • Rotation request pre-filled: a finding opens a rotation request in your secrets backend with the impacted credential identified
  • Owning team paged: paged through the same on-call routing as any other incident; the rotation runs after a single approval
Audit & Reporting

Every finding becomes a paper trail

Every finding writes to the same hash-chained ledger as Agent Ledger and Decision Bundles. A weekly report shows finding volume per surface, time-to-rotate distribution, false-positive rate, and trend. The data is part of the standard SOC2 / HIPAA / ISO 27001 export, so audit reviewers see the full picture without a separate request. False positives marked by an operator feed back into a private tuning loop; the categories shown to customers do not change but the underlying precision does.

  • Hash-chained findings: tamper-evident; shares the chain used by the agent ledger and decision bundles
  • Weekly report: volume per surface, time-to-rotate, false-positive rate, and trend, emailed Monday morning
  • Compliance export: findings, rotations, and review notes ship in the standard SOC2 / HIPAA / ISO 27001 bundle
  • Operator-marked noise loops back: false positives improve precision over time without exposing the underlying rule changes

Rotation in minutes, not days

A leaked credential rotated within an hour is a near-miss. The same credential rotated next quarter is a breach. The detector exists to keep findings on the right side of that line.
