Your scanner finally knows what you're coding

Morphex turns your CI/CD into a provenance engine that knows the difference between a test fixture, a documentation example, and an active production key.

VERIFIES CREDENTIALS AGAINST: GITHUB, GITLAB, SLACK, STRIPE, SENDGRID, HUGGINGFACE

CAPABILITIES

See It In Action

Every component below is a working demonstration of how MORPHEX processes, classifies, and verifies secrets.

The Alert Avalanche.

Traditional scanners don't understand context. They bury you in hundreds of false positives from tests, mocks, and examples.

TRADITIONAL REGEX PASS
Found 6 critical secrets.
MORPHEX PROVENANCE PASS
Awaiting context analysis...
func parseConfig() error {
    file, err := os.Open("config.json")
    if err != nil {
        log.Fatal(err)
    }
    defer file.Close()
    // ... reading raw bytes
    decoder := json.NewDecoder(file)
    err = decoder.Decode(&conf)
    return err
}

func getTestToken() string {
    // Never use in prod
    return "test_123_abc"
}
[CRITICAL] Secret Exposed
tests/auth_mock.json:42
sk_test_4eC39HqLyjWDarjtT1zdp7dc
SUPPRESSED: Test Fixture
[CRITICAL] Secret Exposed
README.md:118
ghp_ABCDEFghijklmnop1234567890
SUPPRESSED: Documentation Example
[CRITICAL] Secret Exposed
src/utils/crypto.ts:15
const AES_IV_TOKEN
SUPPRESSED: Crypto Constant
[CRITICAL] Secret Exposed
config/default.js:8
dummy_password_123
SUPPRESSED: Placeholder Value
[CRITICAL] Secret Exposed
scripts/setup.sh:22
export AWS_ACCESS_KEY_ID=xxx
SUPPRESSED: Template Variable
[CRITICAL] Secret Exposed
src/api/stripe.go:84
sk_live_8f3d9a2b...
SUPPRESSED: Verified Production Key
VERIFIED

Deep Obfuscation Detection

Developers (and attackers) hide secrets in ways that break traditional regex scanners. MORPHEX reconstructs the original secret before running it through the classification pipeline.

  • String Concatenation
  • Variable Interpolation
  • Reversed Strings
  • ROT13 Encoding
# String concatenation
prefix = "sk_live_"
key = prefix + "4eC39HqLyjWDarjtT1zdp7dc"

# Variable interpolation
base = "ghp_"
token = f"{base}ABCDEFghijklmnop1234567890"

# Reversed string
secret = "cd7pdz1TjraDjWyL9qH3Ce4_evil_ks"[::-1]
HOVER TO DECODE
# [MORPHEX: CONCATENATION RESOLVED]
prefix = "sk_live_"
sk_live_4eC39HqLyjWDarjtT1zdp7dc

# [MORPHEX: INTERPOLATION RESOLVED]
base = "ghp_"
ghp_ABCDEFghijklmnop1234567890

# [MORPHEX: REVERSAL DECODED]
sk_live_4eC3Hq9LyWjDarjT1zdp7dc
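
The reconstruction step described above, as an added example (not MORPHEX's code and not part of the original page): Python's ast module folds concatenation, f-string interpolation, [::-1] reversal and codecs.decode(..., "rot13") back into a plain string before any pattern is matched. The names fold and scan, the prefix regex and the ROT13 sample line are assumptions made for illustration.

```python
import ast
import codecs
import re

# Prefixes taken from this page's sample tokens; a real rule set is far larger.
TOKEN_RE = re.compile(r"(?:sk_live_|sk_test_|ghp_)[A-Za-z0-9]{16,}")

def fold(node, env):
    """Statically evaluate a string expression: (value, technique) or None."""
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        return node.value, "literal"
    if isinstance(node, ast.Name) and node.id in env:
        return env[node.id], "variable"
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        left, right = fold(node.left, env), fold(node.right, env)
        return (left[0] + right[0], "concatenation") if left and right else None
    if isinstance(node, ast.JoinedStr):  # f-string; format specs are ignored
        parts = [fold(v.value if isinstance(v, ast.FormattedValue) else v, env)
                 for v in node.values]
        return ("".join(p[0] for p in parts), "interpolation") if all(parts) else None
    if isinstance(node, ast.Subscript) and ast.unparse(node.slice) == "::-1":
        inner = fold(node.value, env)
        return (inner[0][::-1], "reversal") if inner else None
    if (isinstance(node, ast.Call) and ast.unparse(node.func) == "codecs.decode"
            and len(node.args) == 2 and getattr(node.args[1], "value", None) == "rot13"):
        inner = fold(node.args[0], env)
        return (codecs.decode(inner[0], "rot13"), "rot13") if inner else None
    return None

def scan(source):
    """Return (line, name, technique, value) for assignments that hide a token."""
    env, findings = {}, []
    for node in ast.parse(source).body:  # straight-line, module-level code only
        if isinstance(node, ast.Assign) and isinstance(node.targets[0], ast.Name):
            name, resolved = node.targets[0].id, fold(node.value, env)
            if resolved:
                env[name] = resolved[0]
                if TOKEN_RE.search(resolved[0]):
                    findings.append((node.lineno, name, resolved[1], resolved[0]))
    return findings

SAMPLE = '''\
prefix = "sk_live_"
key = prefix + "4eC39HqLyjWDarjtT1zdp7dc"
base = "ghp_"
token = f"{base}ABCDEFghijklmnop1234567890"
secret = "cd7pdz1TjraDjWyL9qH3Ce4_evil_ks"[::-1]
hidden = codecs.decode("tuc_NOPQRStuvwxyzabc1234567890", "rot13")
'''  # constructed input: this page's dummy tokens plus one ROT13 case
if __name__ == "__main__": print(*scan(SAMPLE), sep="\n")
```

The scanned source is only parsed, never executed, so hostile input cannot run code in the scanner. Expressions that cannot be folded statically (function results, environment reads) return None and produce no finding.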
LIVE FEED
FILES: 27,481 | FP RATE: 0.02%

The Noise Matrix

Traditional scanners drown you in false positives. Watch as MORPHEX isolates the true signal from the noise.

sk_test_4eC39HqLyj
ghp_ABCDEFghijkl
const API_KEY =
xoxb-1234567890-
password123
secret_token
AWS_ACCESS_KEY
AKIAIOSFODNN7E
eyJhbGciOiJIUzI1
Bearer eyJhbGci
sk_live_8f3d9a...
sk_live_xxxxxxxx
client_secret
oauth_token
private_key
BEGIN RSA PRIVATE
test_secret_key
mock_password
NOISE DROPPED
SIGNAL VERIFIED
SYNAPSE ENGINE
COMPUTE LOAD: 0.0%
AVG LATENCY: 22.00ms
MEMORY: 0MB
THROUGHPUT: 0 ops/s
UPTIME: 99.97% (NOMINAL)
ARCHITECTURE

The Provenance Pipeline

Every candidate walks through four stages. Only what survives all four gets reported.

password123
AKIAIOSFODNN7E
eyJhbGciOiJIUzI1
dummy_token
[RAW_TOKEN]
sk_live_4eC39HqLyj...
tests/mock_key.json

1. EXTRACTION

Deep AST parsing reconstructs obfuscated strings.

prefix = "sk_live_"
key = prefix + "4eC3..."
sk_live_4eC39HqLyj...

2. SYNAPSE

Evaluates 5 contextual signals to determine confidence.

Entropy: 0.998
Context: Valid
Role: API Key

3. AVAT AGENT

Runs 7 independent filters to aggressively eliminate false positives.

Suppressed 104 Candidates
1 High Confidence Signal

4. VERIFICATION

Safely pings the target service API to verify the credential is live.

api.stripe.com
BENCHMARKS

The Proof is in the Data

67 real-world repositories. Three scanners. MORPHEX finds what regex misses, and proves every finding is real.

MORPHEX
0
True Positives
GITLEAKS
0
Findings
TRUFFLEHOG
0
Findings

TELEMETRY DASHBOARD

MORPHEX.STDOUT
MORPHEX FILES: 0
GITLEAKS FILES: 0
TRUFFLEHOG FILES: 0