Detects hardcoded secrets in code using semantic analysis & validation

Semgrep Secrets is a static application security testing tool that detects hardcoded secrets, API keys, and sensitive data in source code. The tool uses semantic analysis powered by Semgrep's data flow engine to understand how credentials exist and are used within code, going beyond traditional regex-based detection methods.

The product performs entropy analysis and validation by sending requests to corresponding services (such as AWS, Slack, or GitHub) to determine if detected tokens are still valid. This validation occurs locally within the user's infrastructure without sending secrets to Semgrep's servers. The tool prioritizes valid credentials using a post-processor to reduce false positives.

Semgrep Secrets integrates into developer workflows by providing alerts in code editors, code review processes, and through pre-commit hooks to prevent secrets from being committed to Git repositories. Validated secrets are surfaced to developers as pull request comments for immediate remediation.

The tool supports custom rule writing, allowing organizations to detect secrets specific to their internal services. It is part of the Semgrep AppSec Platform, which provides a unified interface for managing code security, software supply chain vulnerabilities, and secrets detection. The product leverages both Semgrep's OSS and Pro Engines for analysis.
Common questions about Semgrep Secrets including features, pricing, alternatives, and user reviews.
Semgrep Secrets, developed by Semgrep, detects hardcoded secrets in code using semantic analysis and validation. It is an Application Security solution designed to help security teams with Secret Detection, Secrets Management, and Validation.
Scans code repositories and runtime environments for exposed secrets and credentials
Detects secrets and credentials in code using AI/ML and Code Property Graph
Scans source code and containers for 130+ types of hardcoded secrets