Automic Vault

Local credential discovery

The secret scanner for AI agent machines

Run av secret-scanner before an agent session to find plaintext credentials in tool configs, dotenv files, shell profiles, and Automic Vault isotope detectors.

Last updated: May 15, 2026

An AI agent secret scanner should find plaintext credentials before the agent run starts. Automic Vault scans likely local secret paths, then pairs detection with runtime controls that prevent repeated plaintext exposure.

Automic Vault secret scanner console

Agent-visible files

Scan where local coding agents actually look.

Repository scanners are useful, but agent exposure often starts in the developer home directory: CLI auth files, package manager config, cloud credentials, and environment files.

Isotopes

Use every detector

The scanner runs Automic Vault isotope checks for AWS CLI, npm, pnpm, uv, Kubernetes, Terraform, Maven, mkcert, Helm, Node, and Rust tooling.

Plaintext files

Probe likely secret paths

Look through .env, .npmrc, .pypirc, .netrc, shell profiles, GitHub CLI hosts, AWS credentials, and kubeconfig.

Project mode

Point it at a repo

Use av secret-scanner --path ./repo to scan small text files while skipping generated build and dependency directories.

Automation

Emit machine-readable output

Use --json or --jsonl for CI logs, local preflight checks, and agent startup scripts.
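
A minimal sketch of the project-mode scan and machine-readable output described above, added here as an illustration and not Automic Vault's own code: the detector patterns, skip list, size cap and JSON field names are all assumptions, and the sample repo is constructed. Each finding carries a location, rule name and truncated SHA-256 fingerprint instead of the secret value.

```python
import hashlib, json, os, re, tempfile

# Assumed skip list and size cap; the page does not state the product's values.
SKIP_DIRS = {".git", "node_modules", "target", "dist", "build", ".venv", "__pycache__"}
MAX_BYTES = 256 * 1024

# Illustrative high-confidence detectors (assumptions, not the product's rules).
DETECTORS = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "npm_auth_token": re.compile(r":_authToken=(\S{20,})"),
    "netrc_password": re.compile(r"\bpassword\s+(\S{8,})"),
}

def scan_tree(root):
    """Yield one finding dict per match; the secret value is never included."""
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = sorted(d for d in dirnames if d not in SKIP_DIRS)  # prune in place
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or os.path.getsize(path) > MAX_BYTES:
                continue
            with open(path, "rb") as fh:
                data = fh.read()
            if b"\0" in data:  # looks binary, skip
                continue
            for lineno, line in enumerate(data.decode("utf-8", "replace").splitlines(), 1):
                for rule, rx in DETECTORS.items():
                    for m in rx.finditer(line):
                        secret = m.group(1)
                        yield {"path": os.path.relpath(path, root), "line": lineno, "rule": rule,
                               "length": len(secret),
                               "fingerprint": hashlib.sha256(secret.encode()).hexdigest()[:12]}

def demo():
    """Build a constructed sample repo and return (findings, planted_secrets)."""
    planted = ["AKIA" + "Q" * 16, "npm_" + "x" * 36]  # constructed, not real credentials
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "node_modules", "pkg"))
        with open(os.path.join(root, ".env"), "w") as fh:
            fh.write("DEBUG=1\nAWS_ACCESS_KEY_ID=%s\n" % planted[0])
        with open(os.path.join(root, ".npmrc"), "w") as fh:
            fh.write("//registry.npmjs.org/:_authToken=%s\n" % planted[1])
        with open(os.path.join(root, "node_modules", "pkg", ".env"), "w") as fh:
            fh.write("AWS_ACCESS_KEY_ID=%s\n" % planted[0])  # inside a skipped directory
        return list(scan_tree(root)), planted

if __name__ == "__main__":
    for finding in demo()[0]:
        print(json.dumps(finding, sort_keys=True))  # one JSON object per line (JSONL)
```

The fingerprint lets repeated findings of the same credential be correlated across files without the log ever holding the value.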

From finding to fix

Scanning is the first move. Runtime control is the fix.

Find

av secret-scanner reports high-confidence plaintext credentials without printing the secret value itself.

Move

av save KEY stores credentials outside files that an agent can casually read.

Inject

av inject +KEY /abs/tool gives the credential to the approved executable, not to the model transcript.

Related protections

Close the local credential loop.