Secret Scanner
Purpose
The SailPoint Entro VS Code Secret Scanner plugin scans prompts and Model Context Protocol (MCP) tool calls executed from GitHub Copilot in Visual Studio Code. It detects exposed secrets before they are sent and can block the action when policy requires it.
What This Integration Is
The Entro Secret Scanner scans prompts and MCP tool calls before sending them. If it detects an exposed secret, it logs the event and sends it to SailPoint Entro.
Two Plugin Variants Are Available:
-
secret-scannerblocks the action when a secret is detected. -
secret-scanner-non-blockinglogs the event and allows the action.
Both variants log the event.
Key Capabilities
-
Secret scanning: Scan prompts and tool calls for exposed secrets.
-
Exposure logging: Send exposure events to SailPoint Entro.
-
Leakage blocking: Prevent prompt submission or tool execution when required.
Deployment Model
Install the plugin from the SailPoint Entro marketplace in VS Code for an individual user, or recommend it in a shared workspace. The plugin communicates outbound to the SailPoint Entro Control Plane using an authenticated token.
Installation
Use VS Code Plugin Installation for the full flow:
High-Level Architecture
+---------------------+ +------------------------+
| VS Code + Copilot | | Entro Console |
| (Local Environment)| | (Control Plane) |
+---------+-----------+ +-----------+------------+
| ^
| Exposed Secret Log |
+-----------------------------------+
(Auth: Entro Token)
Troubleshooting and Validation
-
Check the plugin is installed
Open the GitHub Copilot plugin list in VS Code and confirm
secret-scanner@entro-securityorsecret-scanner-non-blocking@entro-securityis installed for your user. -
Write a test prompt
Write a prompt with a dummy secret to validate functionality.
Common issues
| Issue | Cause | Resolution |
|---|---|---|
| Marketplace add fails | Invalid GitHub token | Verify token |
| Plugin not found | Marketplace missing | Re-add marketplace |
| No logs | Plugin not installed | Install the plugin |
| Auth error | Token expired | Regenerate token |
Support
Contact SailPoint Entro Support through your Customer Success Manager or approved support channels.
Permissions Reference
Summary
The VS Code Secret Scanner plugin uses the minimum access required to intercept and log exposed secrets in prompts and MCP tool calls.
Data collected
-
Redacted exposed secret
-
Invocation timestamp
-
IP address
-
Host name
-
Agent name
-
VS Code executable path
-
Signed-in account email, or system username if unavailable
Security controls
-
Token-based authentication
-
TLS 1.2+ encrypted transport
-
Stateless processing with no local secret storage