Features That Actually Matter
Not just detection. SecRotate gives you control, ownership, and compliance for every secret in your codebase.
Control & Ownership
The real differentiator. Not just finding secrets—owning them.
Forced Ownership
Every secret must have an owner before it can be accepted. No anonymous risk acceptance.
- Named accountability
- Immutable audit trail
- Cryptographic signing
Graduated Enforcement
Start with warnings, escalate to blocks. Four levels: Observe, Warn, Block Critical, Block All.
- Safe to trial
- Time-based escalation
- Per-repo overrides
Frictionless Rotation
Rotate secrets in minutes. Dry-run first, preview changes, then execute with automatic rollback.
- ~8 minute MTTR
- Zero downtime expected
- Post-rotation verification
Approval Workflows
Production secrets require CISO approval. Environment-based approval matrices.
- Role-based access
- Multi-level approval
- Compliance ready
Detection Engine
Comprehensive, accurate, fast. The foundation everything else builds on.
5-Layer Scanner
Multi-layered detection: pattern matching, entropy analysis, structural analysis, cross-file correlation, and historical analysis.
354 Detection Patterns
Comprehensive coverage for AWS, Azure, GCP, GitHub, Slack, Stripe, and 50+ more providers.
DACD Confidence Scoring
7-factor weighted calculation reduces false positives to <2%. Only surface what matters.
API Verification
52 provider integrations verify credentials are active before alerting.
Compliance Ready
Built for auditors. Every action is logged, signed, and exportable.
- Hash-chained accountability ledger (HMAC-SHA256)
- Immutable justification records
- Role-based access control (RBAC)
- One-click audit exports (SOC2, ISO27001, PCI-DSS)
- Named ownership for every decision
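How a hash-chained, HMAC-signed ledger makes edits and deletions detectable, shown as an added example that is not SecRotate's code. Field names follow the page's audit event; the canonical JSON form, the genesis value, the way `chain_hash` is derived and the helper names are all assumptions.

```python
import hashlib
import hmac
import json

GENESIS = "sha256:" + "0" * 64  # assumed anchor value for the first record

def _body(event):
    # Assumed canonical form: compact sorted-key JSON of every field except the two seals.
    fields = {k: v for k, v in event.items() if k not in ("signature", "chain_hash")}
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()

def seal(event, prev_hash, key):
    """Return a copy of event with signature and chain_hash filled in."""
    body = _body(event)
    sig = "hmac-sha256:" + hmac.new(key, body, hashlib.sha256).hexdigest()
    link = hashlib.sha256(prev_hash.encode() + body + sig.encode()).hexdigest()
    return {**event, "signature": sig, "chain_hash": "sha256:" + link}

def verify_ledger(ledger, key):
    """Return the index of the first record that fails, or None if all pass."""
    prev = GENESIS
    for i, rec in enumerate(ledger):
        good = seal(rec, prev, key)  # recompute both seals from the record's own fields
        for field in ("signature", "chain_hash"):
            if not hmac.compare_digest(good[field], str(rec.get(field, ""))):
                return i
        prev = rec["chain_hash"]
    return None

def sample_ledger(key):
    # Constructed records; actors, fingerprints and text are illustrative only.
    events = [{"event": "RISK_ACCEPTED", "timestamp": f"2026-01-2{d}T14:32:00Z",
               "actor": f"user{d}@example.com",
               "secret_fingerprint": "sha256:" + str(d) * 64,
               "justification": "Temporary dev key"} for d in (3, 4, 5)]
    ledger, prev = [], GENESIS
    for ev in events:
        rec = seal(ev, prev, key)
        ledger.append(rec)
        prev = rec["chain_hash"]
    return ledger

if __name__ == "__main__":
    key = b"constructed-demo-key"
    ledger = sample_ledger(key)
    print("intact ledger, first bad record:", verify_ledger(ledger, key))
    ledger[1]["justification"] = "edited after the fact"
    print("after edit, first bad record:", verify_ledger(ledger, key))
```

Removing records from the end of the ledger is not caught by the chain alone; that requires storing the latest `chain_hash` somewhere the ledger writer cannot change.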
Audit Event Example
{
  "event": "RISK_ACCEPTED",
  "timestamp": "2026-01-23T14:32:00Z",
  "actor": "jane@company.com",
  "secret_fingerprint": "sha256:a1b2c3...",
  "justification": "Temporary dev key...",
  "expires_at": "2026-04-23T00:00:00Z",
  "signature": "hmac-sha256:...",
  "chain_hash": "sha256:..."
}
See It In Action
Download the CLI and scan your first repository in under 60 seconds. Free forever.