First Seen
Feb 18, 2026
Last Scanned
Feb 20, 2026
Findings
2
Score
75/100
Findings (2)
Detects GitHub personal access tokens
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Remove the GitHub token immediately and revoke it at github.com/settings/tokens. Use short-lived tokens via GitHub Apps instead of hardcoded PATs.
Likely FP if the matched string is a placeholder (e.g., ghp_xxxxxxxxxxxx) or appears in documentation describing token format rather than containing a real token.
Detects hardcoded API keys, tokens, or passwords in MCP server environment configuration
"env": { + "GITHUB_PERSONAL_ACCESS_TOKEN": "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"Remove shell metacharacters (semicolons, pipes, ampersands, backticks) from MCP server arguments. Use explicit argument arrays and avoid shell expansion in MCP configurations.
Likely FP if the metacharacter is a literal part of a non-shell argument (e.g., a regex pattern or a URL query parameter containing ampersands).