Smart secret scanning for AI-generated code

Secret scanning’s new smart detection is part of Agent Week, a week of announcements focused on making it easier, faster, and safer to go from prompt to production.

AI is prolific at writing code, but it doesn’t always have safety in mind.

In our rollout of secret scanning with smart detection this week, 17% of scanned applications had deployments blocked for including secrets. Nearly 1 in 6 applications were potentially deploying API keys, authentication tokens, or certificates that we want to help developers be aware of or prevent.

When agents can build entire apps in minutes, they might accidentally insert sensitive data into your codebase. Checking for secrets used to be a manual review process; it now needs to keep pace with AI-generated code. When more code is being written by a more diverse group of people, it’s important to have guardrails in place that rein in risk while keeping velocity high.

This is why we’ve enhanced secret scanning with smart detection to proactively monitor and prevent secrets from ever being leaked.

Secret scanning detects a secret in a build

The AI codegen challenge

AI agents enable anyone to build applications–it’s great, until it’s not. While this democratizes development, it also introduces risks:

  • Agents may generate code that includes hardcoded secrets
  • Developers of varying experience might miss security issues
  • The speed of AI development can outpace review processes

Simply put, when everyone can build apps with AI, security scanning needs to be smarter than ever.

Beyond manual configuration

Netlify has always included security scanning on all plans to catch secrets you’ve manually configured, either by placing them in your .env folder or by adding them in the Netlify Dashboard. This works well when you know every line of code going into your application and can anticipate which secrets to watch for.

But AI-native development is a different world. Agents might use authentication patterns, API integrations, or third-party services you haven’t explicitly configured for monitoring. Traditional security scanning that relies on manual secret configuration can miss these agent-introduced vulnerabilities.

Secret scanning with smart detection

Today we’re announcing enhanced secret scanning with smart detection, available on paid plans. This goes beyond checking for manually configured secrets to identify and prevent any potential secret in your codebase.

Smart detection automatically monitors and recognizes:

  • API keys and authentication tokens from popular services
  • Database connection strings and credentials
  • Third-party service authentication patterns
  • Cryptographic keys and certificates

How smart detection works

Secret scanning now analyzes your deployments using pattern recognition to identify potential secrets based on format, context, and common usage. When a potential secret is detected, the deployment is blocked until you can review and address the issue.

This enhanced security is designed specifically for AI-native development:

  • Proactive protection: Catches secrets that agents generate, even if you haven’t configured monitoring for them
  • Velocity without compromise: Security scanning that keeps pace with rapid AI code generation
  • Context awareness: Understands code patterns and deployment contexts to reduce false positives
  • Developer control: Clear notifications and resolution paths when issues are detected

When potential secrets are detected, builds fail automatically and deploy logs pinpoint exactly where the issue was found, making resolution fast and straightforward.

For the rare false positive, you can add values to a safelist using the SECRETS_SCAN_SMART_DETECTION_OMIT_VALUES environment variable, or disable the feature entirely if needed.
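To make the format-plus-context idea and the safelist concrete, here is a small pre-deploy scan you could run locally. It is an added example, not Netlify's scanner: the rules, the 3.5-bit entropy threshold, the function names, and the comma-separated safelist format are assumptions, and the sample input is constructed.

```javascript
// Added example, not Netlify's implementation. Rules and threshold are illustrative.
const RULES = [
  { name: "aws-access-key-id", re: /\bAKIA[0-9A-Z]{16}\b/g },
  { name: "private-key-block", re: /-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----/g },
  { name: "db-url-with-password",
    re: /\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?):\/\/[^\s:@\/]+:[^\s@\/]+@[^\s"'`]+/g },
  // Context rule: a credential-like name assigned a quoted literal (value in group 1).
  { name: "assigned-credential", context: true,
    re: /(?:secret|token|passw(?:or)?d|api[_-]?key)\w*\s*[:=]\s*["'`]([^"'`\s]{16,})["'`]/gi },
];

// Shannon entropy in bits per character, used to skip obvious placeholders.
function entropy(s) {
  const counts = {};
  for (const ch of s) counts[ch] = (counts[ch] || 0) + 1;
  return Object.values(counts)
    .reduce((h, n) => h - (n / s.length) * Math.log2(n / s.length), 0);
}

// Assumption: the safelist variable holds comma-separated exact values.
function parseOmitValues(raw) {
  return new Set((raw || "").split(",").map((v) => v.trim()).filter(Boolean));
}

// Returns one finding per match; previews are truncated so logs never echo a secret.
function scan(text, omit = new Set()) {
  const findings = [];
  text.split("\n").forEach((line, i) => {
    for (const { name, re, context } of RULES) {
      for (const m of line.matchAll(re)) {
        const value = context ? m[1] : m[0];
        if (omit.has(value)) continue;                  // safelisted false positive
        if (context && entropy(value) < 3.5) continue;  // e.g. "changeme-changeme"
        findings.push({ rule: name, line: i + 1, preview: value.slice(0, 4) + "..." });
      }
    }
  });
  return findings;
}

// Constructed sample input; none of these values are real credentials.
const SAMPLE = [
  'const region = "us-east-1";',
  'const awsKey = "AKIAIOSFODNN7EXAMPLE";',
  'const API_TOKEN = "changeme-changeme-changeme";',
  'const sessionSecret = "q7Zp2Lx9Vb4Nw8Rt1Ky6Hd3Mf5Jc0Ga";',
  "DATABASE_URL=postgres://app:s3cr3tPassw0rd@db.internal.example:5432/app",
  'const publicApiKey = "pub_8fJ2kQ9xLm4Tz7Wc1Vb6";',
].join("\n");
console.log(scan(SAMPLE, parseOmitValues("pub_8fJ2kQ9xLm4Tz7Wc1Vb6")));
```

The placeholder on line 3 is skipped by the entropy check, while the safelisted value on line 6 is reported only when the omit list is empty.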

Balancing velocity with security

Enhanced secret scanning ensures that the speed advantages of AI development don’t come at the cost of security. When potential secrets are detected, you get clear information about exactly where the issue was found in your deploy logs and guidance on how to resolve it, maintaining your development velocity while protecting sensitive data.

Available now on Pro and Enterprise plans

Secret scanning with smart detection is available immediately for all Netlify customers on paid plans and enabled by default. Customers can disable this feature in their settings, while new customers can upgrade to Pro to access this advanced protection.

For teams building with AI agents, this provides enterprise-grade security that matches the pace of modern development workflows.

Wrapping up Agent Week

Over the past five days, we’ve introduced tools that bridge the gap from AI-generated prompts to production-ready applications:

Together, these capabilities create an end-to-end agent experience, enabling the shortest path for developers to go from prompt to production while maintaining the security and control that production applications require.
