4. Your first findings

Once a scan completes, the Dashboard and Findings pages start populating. Here's what to expect and how to act.

What a finding looks like

Every finding has:

  • Status — active, suppressed, resolved, false_positive, customer_restricted, or stale.
  • Source — where we found it: a GitHub repo, a commit, a public URL, or a JS bundle.
  • File path + line — for code findings, the exact location.
  • Pattern + secret type — what kind of credential we believe this is (e.g. OpenAI, AWS, Stripe).
  • Composite score (0–100) — our confidence that this is a real, exploitable credential.
  • Validation status — whether we tested the credential against the issuing service:
    • valid — the key is live right now
    • invalid — the service responded "this key doesn't exist or is disabled"
    • unvalidated — we don't have a validator for this secret type, or the network call failed
  • Masked credential — we show only the first 4 and last 4 characters. We never store the full credential value.

What to look at first

Sort the findings list by score, descending. The top of the list is where to start:

  1. Score 90+ AND validation = valid → drop everything. This is a live key in a public location.
  2. Score 70–89 AND validation = valid → triage today.
  3. Score 70+ AND validation = unvalidated → spot-check. We couldn't auto-test but the pattern is strong.
  4. Score < 70 → review when you have time; lots of these are old test keys, examples in docs, or false positives.

Resolve, suppress, or mark false-positive

Every finding has four action buttons in the detail page:

Action            When to use
Resolve           You rotated/revoked the credential and removed it from the source. The key is dead.
Suppress          The exposure is acceptable risk for now (e.g. test environment) — hide from the active view.
False positive    Our detector mis-matched. The text is not actually a credential.
Restrict          The key is real but IP-restricted, internal-only, or otherwise not exploitable as-found.

If a credential appears in multiple places (e.g. one AWS key in 12 commits), they all share the same hash. Rotating the credential once and clicking Resolve on one finding closes the loop for that key — but you'll want to suppress or resolve each of the sibling findings explicitly so they stop appearing in your active view. The finding detail page has an "Also found at" card listing all sibling locations.
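The triage order from "What to look at first" and the shared-hash sibling grouping above, worked into one script. This is an added example, not CredWatch code; it assumes a findings export as a list of dicts whose keys (status, source, secret_type, score, validation, credential_hash) mirror the fields described on this page, and it treats "invalid" as lowest priority, which the page does not state explicitly.

```python
from collections import defaultdict
from typing import Iterable

# Priority tiers from the triage list (lower number = act sooner).
TIER_LIVE_PUBLIC = 1    # score 90+ and validated as live
TIER_TRIAGE_TODAY = 2   # score 70-89 and validated as live
TIER_SPOT_CHECK = 3     # score 70+ but no validator result
TIER_WHEN_TIME = 4      # everything else


def triage_tier(score: int, validation: str) -> int:
    """Map a finding's composite score and validation status to a tier."""
    if validation == "invalid":
        return TIER_WHEN_TIME  # assumption: a key the service calls dead is low priority
    if validation == "valid":
        if score >= 90:
            return TIER_LIVE_PUBLIC
        return TIER_TRIAGE_TODAY if score >= 70 else TIER_WHEN_TIME
    return TIER_SPOT_CHECK if score >= 70 else TIER_WHEN_TIME  # unvalidated


def build_worklist(findings: Iterable[dict]) -> list[dict]:
    """Group active findings by credential hash (siblings share one hash, so one
    rotation covers the whole group) and order groups by tier, then score desc."""
    groups: dict[str, list[dict]] = defaultdict(list)
    for f in findings:
        if f["status"] == "active":  # stale/suppressed/resolved stay out of the queue
            groups[f["credential_hash"]].append(f)
    items = []
    for h, sibs in groups.items():
        score = max(s["score"] for s in sibs)
        statuses = {s["validation"] for s in sibs}
        # One live sibling makes the whole credential live.
        validation = "valid" if "valid" in statuses else (
            "unvalidated" if "unvalidated" in statuses else "invalid")
        items.append({"credential_hash": h, "secret_type": sibs[0]["secret_type"],
                      "tier": triage_tier(score, validation), "score": score,
                      "validation": validation, "locations": [s["source"] for s in sibs]})
    items.sort(key=lambda i: (i["tier"], -i["score"]))
    return items


# Constructed sample export (not real findings); hashes and sources are placeholders.
SAMPLE_FINDINGS = [
    {"credential_hash": "h-aws-1", "secret_type": "AWS", "score": 95, "validation": "valid", "status": "active", "source": "github:acme/api@c0ffee"},
    {"credential_hash": "h-aws-1", "secret_type": "AWS", "score": 88, "validation": "valid", "status": "active", "source": "github:acme/api@deadbeef"},
    {"credential_hash": "h-stripe-1", "secret_type": "Stripe", "score": 92, "validation": "unvalidated", "status": "active", "source": "https://acme.example/app.js"},
    {"credential_hash": "h-openai-1", "secret_type": "OpenAI", "score": 75, "validation": "valid", "status": "active", "source": "github:acme/web@1234abc"},
    {"credential_hash": "h-old-1", "secret_type": "Generic", "score": 60, "validation": "unvalidated", "status": "stale", "source": "github:acme/docs@9999999"},
]

if __name__ == "__main__":
    for item in build_worklist(SAMPLE_FINDINGS):
        print(item["tier"], item["secret_type"], item["score"], item["validation"], len(item["locations"]), "location(s)")
```

Note that the Stripe finding outscores the OpenAI one but sorts below it: a validated live key beats an unvalidated strong pattern, which is the ordering the triage list prescribes.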

Remediation guidance

Every active finding with a known secret type (OpenAI, AWS, Stripe, etc.) shows a step-by-step Remediation card with:

  • A link to the issuing service's revocation page
  • The exact sequence of actions (revoke → rotate → re-deploy)
  • The audit-log endpoint where you can check if the key was used between exposure and revocation

For unknown patterns or generic secrets, follow the standard pattern: revoke first, rotate second, hunt for usage third.

Why a high-score finding might still be ignorable

We try to be honest about uncertainty. A finding can score high (the pattern + entropy are very credential-like) and still be:

  • A test key that's intentionally public (e.g. Stripe's pk_test_…)
  • An example in documentation
  • A credential to a sandbox environment the company explicitly publishes

For these, mark the finding False positive and consider creating a suppression rule to prevent the same pattern from re-flagging at the same path on future scans.

What happens automatically

CredWatch does several things without you asking:

  • Validates the credential — if we have a validator for the secret type, we test it against the issuing service. Most validators run within a minute of the finding being created.
  • Sends an immediate alert — score ≥ 80 + validation = valid → email/Slack/PagerDuty fires right away.
  • Sends a daily digest — every morning at 08:00 UTC we email a summary of the previous day's validated findings.
  • Auto-resolves on rescan — if a credential is rotated/removed and we don't see it on the next scan, we automatically mark the finding resolved with a note explaining what happened.
  • Auto-marks stale — active findings we haven't seen in 90 days transition to stale so they don't clutter your active view forever. You can reopen them anytime.

You've finished the getting-started flow. Continue with: