Secret Scanner
Purpose
The SailPoint Entro Claude Scanner plugin provides secret scanning functionality for prompts and Model Context Protocol (MCP) tool calls executed within the Claude Code CLI. The integration ensures capturing exposed secrets on those actions, and enables blocking said actions when a secret was detected.
What This Integration Is
The Entro Secret Scanner scans prompts and MCP tool calls before sending them. If an exposed secret was detected, we log it and send the log to the SailPoint Entro platform.
We have 2 versions of this plugin:
-
One version blocks the submission of the prompt/tool execution in the event of an exposed secret.
-
The other one acts silently, and lets the action continue without interruption
Both log the event.
Key Capabilities
-
Secret Scanning: Scans prompts and tool calls for exposed secrets.
-
Exposure logging: Logs secret exposure events and sends them to SailPoint Entro.
-
Leakage Blocking: Blocks the submission of the prompt, or the tool execution, in order to prevent leaking secrets.
Deployment Model
The plugin is installed locally via the Claude CLI or through the Claude Admin Console, and communicates outbound to SailPoint Entro Control Plane using an authenticated token.
Installation
Use Claude Plugin Installation for the full flow (add the SailPoint Entro marketplace, then install this plugin): local or organization.
High-Level Architecture
+---------------------+ +------------------------+
| Claude Code CLI | | Entro Console |
| (Local Environment)| | (Control Plane) |
+---------+-----------+ +-----------+------------+
| ^
| Exposed Secret Log |
+-----------------------------------+
(Auth: Entro Token)
Demo
Let's see how the Secret Scanner plugin helps us block secrets exposure and leakage. In this brief demo, we write a prompt with an exposed GitHub token. The plugin detected the exposure, blocked the submission of the prompt, and alerted the user.

The plugin sent the exposure event to the SailPoint Entro platform, and you can view it there. Log in into your SailPoint Entro account and navigate to "Exposed Inventory" under "Non-Human Identities". You can view the exposed secret:

Troubleshooting and Validation
-
Run
claude plugin listRun the following command to list plugins:
claude plugin list -
Write a prompt
Write a prompt with a dummy secret (not a real one!) to validate functionality.
Common issues
| Issue | Cause | Resolution |
|---|---|---|
| Marketplace add fails | Invalid GitHub token | Verify token |
| Plugin not found | Marketplace missing | Re-add marketplace |
| No logs | Missing token | Re-run init |
| Auth error | Token expired | Regenerate token |
Support
Contact SailPoint Entro Support via your Customer Success Manager or approved support channels.
Permissions Reference
Summary
The Claude Secret Scanner plugin operates with the minimum permissions required to intercept and log exposed secrets in prompts and MCP tool calls.
Data collected
-
Redacted exposed secret
-
Invocation timestamp
-
IP Address
-
Host name
-
Agent name (Claude)
-
Claude executable path
-
Claude account email, or system username if not available
Security controls
-
Token-based authentication (AES-256)
-
TLS 1.2+ encrypted transport
-
Stateless processing with no local secret storage