Security & Safety

Secret Scanning

Before anything is sent to an LLM, CommitBee scans all staged content with 24 built-in patterns across 13 categories:

| Category | Patterns |
|---|---|
| Cloud Providers | AWS access key, AWS secret key, GCP service account, GCP API key, Azure storage key |
| AI/ML | OpenAI key, Anthropic key, HuggingFace token |
| Source Control | GitHub token, GitHub fine-grained token, GitLab token |
| Communication | Slack token, Slack webhook, Discord webhook |
| Payment & SaaS | Stripe key, Twilio key, SendGrid key, Mailgun key |
| Database | Connection strings (MongoDB, PostgreSQL, MySQL, Redis, AMQP) |
| Cryptographic | Private keys (PEM), JWT tokens |
| Generic | API key assignments, quoted secrets, unquoted secrets |

Full pattern list

Every built-in pattern, grouped by category. Names match the strings used in disabled_secret_patterns.

| # | Category | Name | Detects |
|---|---|---|---|
| 1 | Cloud Providers | AWS Access Key | AWS IAM access key ID (AKIA...) |
| 2 | Cloud Providers | AWS Secret Key | AWS secret access key assignment (40-char base64) |
| 3 | Cloud Providers | GCP Service Account | Google Cloud service account JSON key ("type": "service_account") |
| 4 | Cloud Providers | GCP API Key | Google API key (AIza...) |
| 5 | Cloud Providers | Azure Storage Key | Azure storage account key (AccountKey=...) |
| 6 | AI/ML | OpenAI Key | OpenAI API key (legacy sk-..., project sk-proj-..., or service account sk-svcacct-...) |
| 7 | AI/ML | Anthropic Key | Anthropic API key (sk-ant-...) |
| 8 | AI/ML | HuggingFace Token | HuggingFace access token (hf_...) |
| 9 | Source Control | GitHub Token | GitHub personal access or OAuth token (ghp_..., ghs_...) |
| 10 | Source Control | GitHub Fine-Grained Token | GitHub fine-grained personal access token (github_pat_...) |
| 11 | Source Control | GitLab Token | GitLab personal access token (glpat-...) |
| 12 | Communication | Slack Token | Slack bot, user, or app token (xoxb-, xoxp-, xoxa-, xoxr-, xoxs-) |
| 13 | Communication | Slack Webhook | Slack incoming webhook URL (hooks.slack.com/services/...) |
| 14 | Communication | Discord Webhook | Discord webhook URL (discord.com/api/webhooks/...) |
| 15 | Payment & SaaS | Stripe Key | Stripe secret or restricted API key (sk_live_, sk_test_, rk_live_, rk_test_) |
| 16 | Payment & SaaS | Twilio Key | Twilio API key SID (SK + 32 hex chars) |
| 17 | Payment & SaaS | SendGrid Key | SendGrid API key (SG.<id>.<secret>) |
| 18 | Payment & SaaS | Mailgun Key | Mailgun API key (key- + 32 hex chars) |
| 19 | Database | Connection String | Database or message broker URI (mongodb://, mongodb+srv://, postgres://, postgresql://, mysql://, redis://, amqp://) |
| 20 | Cryptographic | Private Key | PEM-encoded private key (-----BEGIN ... PRIVATE KEY-----, RSA, EC, etc.) |
| 21 | Cryptographic | JWT Token | JSON Web Token (three-part Base64 eyJ...) |
| 22 | Generic | Generic API Key | Generic api_key / apikey assignment (20+ chars) |
| 23 | Generic | Generic Secret | Quoted password / secret / token assignment (8+ chars) |
| 24 | Generic | Generic Secret (unquoted) | Unquoted password / secret / token assignment (16+ chars) |

You can extend or customize the pattern set via config:

```toml
# Add custom regex patterns
custom_secret_patterns = ["CUSTOM_KEY_[a-zA-Z0-9]{32}"]

# Disable built-in patterns by name (case-insensitive)
disabled_secret_patterns = ["Generic Secret (unquoted)"]
```

If secrets are found:

  • Ollama (local): Warning displayed, proceeds (data stays on your machine)
  • Cloud providers: Hard error, commit blocked. Use --allow-secrets to override

Scanning only checks added lines — removed lines are ignored (they’re already in git history).
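The scanning rules described in this section, as an added Python example that is not CommitBee's own code: it checks only the added lines of a unified diff against a few of the pattern names listed above, appends `custom_secret_patterns`, and drops `disabled_secret_patterns` case-insensitively. The regexes are illustrative approximations written for this example (CommitBee's actual expressions are not on this page), and the sample diff is constructed.

```python
import re

# Illustrative regexes for a few of the built-in pattern names listed above; they
# are written for this example and are not CommitBee's real expressions.
BUILTIN_PATTERNS = {
    "AWS Access Key": r"\bAKIA[0-9A-Z]{16}\b",
    "Slack Webhook": r"hooks\.slack\.com/services/[A-Za-z0-9/]+",
    "Private Key": r"-----BEGIN [A-Z ]*PRIVATE KEY-----",
    "Generic Secret (unquoted)": r"(?i)(?:password|secret|token)\s*[=:]\s*[^\s'\"]{16,}",
}

def scan_diff(diff, custom_secret_patterns=(), disabled_secret_patterns=()):
    """Return (pattern name, diff line number, matched text) for each hit.

    Only added ('+') lines are checked, so removed and context lines and the
    '+++' file header are ignored; custom regexes are appended; disabled names
    are compared case-insensitively, as the config section above describes.
    """
    disabled = {name.lower() for name in disabled_secret_patterns}
    patterns = {name: re.compile(rx) for name, rx in BUILTIN_PATTERNS.items()
                if name.lower() not in disabled}
    for i, rx in enumerate(custom_secret_patterns, 1):
        patterns[f"Custom #{i}"] = re.compile(rx)
    hits = []
    for lineno, line in enumerate(diff.splitlines(), 1):
        if not line.startswith("+") or line.startswith("+++"):
            continue
        for name, rx in patterns.items():
            match = rx.search(line[1:])
            if match:
                hits.append((name, lineno, match.group(0)))
    return hits

# Constructed sample diff: the removed AWS key and the context-line password must
# not be reported; the three added secrets must.
SAMPLE_DIFF = """\
--- a/config.py
+++ b/config.py
@@ -1,3 +1,4 @@
-AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
+AWS_KEY = os.environ["AWS_KEY"]
+SLACK_HOOK = "https://hooks.slack.com/services/T000/B000/XXXX"
+refresh_token = 0123456789abcdef0123456789
+INTERNAL = CUSTOM_KEY_0123456789abcdef0123456789abcdef
 password = hunter2hunter2hunter2
"""

if __name__ == "__main__":
    for name, lineno, text in scan_diff(SAMPLE_DIFF, ["CUSTOM_KEY_[a-zA-Z0-9]{32}"]):
        print(f"diff line {lineno}: {name}: {text}")
```

Running it reports the webhook, the unquoted token and the custom key on the three added lines only; passing `disabled_secret_patterns=["generic secret (UNQUOTED)"]` drops the unquoted-token hit despite the different casing.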

Merge Conflict Detection

CommitBee checks for unresolved merge conflict markers (<<<<<<<, =======, >>>>>>>) in staged changes. If found, the commit is blocked with an actionable error.

The conflict checker is smart about false positives:

  • Ignores conflict markers in test files and documentation
  • Ignores diff headers (lines starting with --- or +++)
  • Uses component-based path matching to avoid false positives from CommitBee’s own source code

Data Privacy

With the default Ollama provider, no data ever leaves your machine. The entire pipeline runs locally.
Cloud providers (OpenAI, Anthropic) send the prompt over HTTPS — which includes your diff and symbol information. Choose your provider accordingly.