The secrets scan runs as part of the SCA scan and detects hard-coded secrets such as passwords, API keys, and tokens in git repositories. The default rules used for secrets scanning can be found here.


To override the default secret rules:

  1. Download the secrets config file locally.

  2. Add, delete, or update rules in that file.

  3. Set the environment variable SECRET_RULES to the path of your edited file, e.g. SECRET_RULES=/path/to/rules.toml
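As an added illustration (not vsp_defense's code and not its rules.toml schema), the Python sketch below shows how a rules file drives secret detection: each rule pairs an identifier with a regular expression, and an optional entropy threshold suppresses placeholder values that match the pattern but are clearly not real credentials. The rule keys (id, description, regex, min_entropy), the rule identifiers, and the sample file contents are constructed for this example; the AWS key shown is the documented example value, not a live credential.

```python
"""Rule-driven secret scanner (added illustration; not vsp_defense's engine or rule schema)."""
import math
import re
from dataclasses import dataclass

# Hypothetical rules. In the real tool these would live in rules.toml; the key names
# (id, description, regex, min_entropy) are assumptions made for this example.
RULES = [
    {"id": "aws-access-key-id", "description": "AWS access key ID",
     "regex": r"\bAKIA[0-9A-Z]{16}\b"},
    {"id": "generic-credential", "description": "api_key/secret/token/password assignment",
     "regex": r"""(?i)\b(?:api[_-]?key|secret|token|password)\b\s*[:=]\s*['"]([A-Za-z0-9_\-]{16,})['"]""",
     "min_entropy": 3.5},
]


@dataclass(frozen=True)
class Finding:
    rule_id: str
    line_no: int
    secret: str


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character: random keys score high, words and placeholders low."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(text: str, rules=RULES) -> list[Finding]:
    """Apply every rule to every line; capture group 1 (if any) is the secret, else the whole match."""
    compiled = [(r, re.compile(r["regex"])) for r in rules]
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in compiled:
            for m in pattern.finditer(line):
                secret = m.group(1) if m.groups() else m.group(0)
                # Entropy gate: drop obvious placeholders that still match the regex
                if shannon_entropy(secret) < rule.get("min_entropy", 0.0):
                    continue
                findings.append(Finding(rule["id"], line_no, secret))
    return findings


def redact(secret: str) -> str:
    """Never echo the full value in a report; keep a short prefix for triage."""
    return secret[:4] + "*" * (len(secret) - 4)


# Constructed sample file contents (the AWS key is the documented example value)
SAMPLE = """aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"
api_key = "changemechangeme"
password = "x9Lq2R7vB4nT8wK1pZ3m"
region = "eu-west-1"
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        print(f"line {f.line_no}: {f.rule_id} -> {redact(f.secret)}")
```

Running the block reports the AWS key on line 1 and the high-entropy password on line 3, while the low-entropy "changemechangeme" placeholder on line 2 is suppressed even though it matches the generic pattern. When tuning a real rules file, the same two levers apply: tighten the regex to the credential's known format where one exists, and use an entropy floor for generic assignment patterns so that test fixtures and placeholders do not flood the report.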

To run a full scan of your source code for secrets, add the --no-git option to your SCA scan:

vsp_defense scan --lang=java --api-key=<YOUR_API_KEY> --path=<path to your project> --project-name="My Java Project" --no-git

--no-git (false, true) - Perform a full scan for secrets