AI-Powered Scanning
The -ai flag enables neural semantic analysis for detecting secrets that traditional regex patterns miss.
Why AI Semantic Detection?
Traditional regex patterns can only detect known secret formats. The AI-powered scanner understands context, variable semantics, and entropy patterns to catch:
- Novel secret formats not in pattern databases
- Obfuscated or encoded credentials
- Context-dependent false positives
- Semantic patterns (variable names indicating secrets)
Using the -ai Flag
Add -ai or --ai to any scan command:
```bash
# AI-powered scan of staged files
azath scan -ai

# AI deep scan of entire repository
azath scan-all --ai

# AI check specific files
azath check -ai src/config.js src/auth.ts
```
What AI Detection Analyzes
Variable Entropy
Measures randomness in string values. High entropy + context clues = likely secret.
Semantic Context
Understands that password = "..." or api_key = "..." are suspicious regardless of value format.
Assignment Patterns
Detects hardcoded values assigned to variables with secret-indicating names.
False Positive Filtering
AI context awareness reduces false positives from test data and documentation.
AI Detection Confidence Levels
| Level | Confidence | Action |
|---|---|---|
| CRITICAL | 95%+ | Blocked commit - definite secret detected |
| HIGH | 85-94% | Blocked commit - likely secret |
| MEDIUM | 70-84% | Warning - suspicious pattern, review recommended |
| INFO | 50-69% | Noted for review, does not block commit |
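The sketch below is an added example, not azath's code or model: it shows how variable entropy, a secret-indicating name, and a hardcoded-literal check can combine into a confidence that maps onto the levels above. The weights, regexes, function names, and sample lines are assumptions constructed for illustration, and it only scores quoted string literals.

```python
import math
import re
from collections import Counter

# Illustrative heuristic only: weights and patterns are assumptions, not azath's model.
SECRET_NAME = re.compile(r"pass(word|wd)?|secret|token|api[_-]?key|private[_-]?key", re.I)
ASSIGNMENT = re.compile(r"""(?P<name>[A-Za-z_][\w.]*)\s*[:=]\s*(?P<q>["'])(?P<value>.*?)(?P=q)""")
PLACEHOLDER = re.compile(r"^(changeme|example|your[_-].*|<.*>|\$\{.*\})$", re.I)

def shannon_entropy(s):
    """Bits per character of the string's empirical character distribution."""
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values()) if s else 0.0

def score_line(line):
    """Return (name, confidence 0-100) for a hardcoded quoted literal, else None."""
    m = ASSIGNMENT.search(line)
    if not m:
        return None  # no string literal, e.g. password = process.env.PASS
    name, value = m["name"], m["value"]
    if len(value) < 8 or PLACEHOLDER.match(value):
        return name, 0  # too short to be a credential, or documentation filler
    score = 50 if SECRET_NAME.search(name) else 0  # semantic context
    entropy = shannon_entropy(value)
    score += 50 if entropy >= 4.0 else 25 if entropy >= 3.0 else 0  # variable entropy
    return name, score

def level(confidence):
    """Map a confidence to the levels in the table above (None below 50)."""
    for floor, label in ((95, "CRITICAL"), (85, "HIGH"), (70, "MEDIUM"), (50, "INFO")):
        if confidence >= floor:
            return label
    return None

def blocks_commit(confidence, block_threshold=85):  # HIGH and CRITICAL block
    return confidence >= block_threshold

# Constructed sample lines; the long value is random filler, not a real key.
SAMPLES = [
    'api_key = "q7Zp2LxV9mRt4KsW8nYb3HcD6fGj1AeU"',
    'password = "hunter2-staging"',
    'greeting = "q7Zp2LxV9mRt4KsW8nYb3HcD6fGj1AeU"',
    'api_key = "your-api-key-here"',
    "password = process.env.PASS",
]

if __name__ == "__main__":
    for line in SAMPLES:
        conf = (score_line(line) or (None, 0))[1]
        print(f"{line[:40]:40}  {conf:3}  {level(conf)}  block={blocks_commit(conf)}")
```
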
Example Output
```
$ azath scan -ai
◈ NEURAL CONTAINMENT ACTIVE ◈
Model: azath-semantic-v2
→ Analyzing variable entropy... COMPLETE
→ Detecting semantic patterns... COMPLETE
→ Evaluating context clues... COMPLETE
🧠 AI DETECTION: HIGH ENTROPY ASSIGNMENT
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
FILE: auth.js:42
CONTEXT: api_key = "sk_live_51M..."
CONFIDENCE: 98.7% (Semantic Analysis)
REASONING: Variable name "api_key" + high entropy
string + Stripe prefix pattern
⚠️ AI SUSPICIOUS: CONTEXTUAL RISK
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
FILE: utils/helper.ts:18
CONTEXT: password = process.env.PASS
CONFIDENCE: 72% (Context Analysis)
REASONING: Variable named "password" - verify env var
usage pattern
✓ AI SCAN COMPLETE. 1 CRITICAL, 1 WARNING.
```
Combining with Other Flags
```bash
# AI scan with strict mode
azath scan -ai --strict

# AI scan with custom config
azath scan-all -ai --config ./custom-azath.yml

# AI scan with JSON output for CI
azath scan -ai --format json
```
Performance Considerations
| Scan Type | Typical Speed | Best For |
|---|---|---|
| Standard | < 10ms | Pre-commit hooks, fast CI |
| AI-Powered | 50-200ms | Deep scans, novel detection |
Configuration
Configure AI behavior in your azath.yaml:
```yaml
# azath.yaml
ai:
  # Enable AI by default for all scans
  enabled: false
  # Confidence threshold for blocking (0-100)
  block_threshold: 85
  # Enable semantic analysis
  semantic_analysis: true
  # Enable entropy detection
  entropy_detection: true
  # Custom semantic patterns
  semantic_patterns:
    - variable: "internal_token"
      confidence_boost: 20
    - variable: "staging_key"
      confidence_boost: 10
```
Best Practices
- Use standard mode for pre-commit hooks (speed)
- Use AI mode for CI/CD pipelines and deep audits
- Review MEDIUM/INFO detections to tune your allowlist
- Combine both: Standard for commit, AI for PR checks