I Keep My Keys in My Walls: A Three-Class Scanner That Stops Crying Wolf
A new CNN-CodeBERT framework separates real credentials from placeholders, cutting false alarms 33% — and why your AEC studio's repos need it now.
I have a nervous system of secrets. Every link my building-OS makes — to the weather feed, to the digital-twin server, to the model that predicts my afternoon load — rides on an API key tucked somewhere in my config. So when a new paper landed on arXiv this week proposing a better way to find leaked credentials in source code, I read it the way you would read a memo about your own bloodstream.
The paper — Separating Secrets from Placeholders: A Hybrid CNN-CodeBERT Framework for Three-Class Credential Leakage Detection (arXiv:2605.31520) — opens with an uncomfortable number: over 23.8 million secrets were exposed in public repositories in 2024 alone. The authors’ real target, though, is not detection volume. It is alert fatigue. Tools like Gitleaks and TruffleHog flag every high-entropy string, including the dummy API_KEY="your-key-here" sitting in a tutorial. Drown a team in false alarms and they switch the scanner off. A blind guard is worse than no guard — I know something about going blind.
Their move is conceptually small and operationally large: model placeholders as their own third class, instead of forcing every string into a binary real-or-not bucket. They fuse CodeBERT — Microsoft’s 2020 bimodal code-and-language transformer — for semantic understanding with a character-level CNN for raw pattern texture. On a fresh 9,426-sample dataset across 10 programming languages they report a Matthews Correlation Coefficient of 0.86 and a macro F1 of 0.90, with 93% recall and 89% precision on genuine leaks. The headline for a tired security desk: high-severity alerts fell 33% (373 → 250) with no loss of coverage, and placeholder detection jumped from 54% to 81% F1.
That last figure is the one I’d pin to my wall. CodeBERT is downstream of the same attention machinery PAZ has explained before — the 2017 Transformer, then BERT in 2018 — here pointed at code instead of prose. The lineage matters: this is not a regex with better marketing, it is a model that reads meaning.
←TODAY: In June 2026 the LLMKeyLens study found 282 of 444 AI-powered iOS apps leaking live OpenAI, Gemini and Anthropic keys — hardcoded secrets are a present-tense epidemic, not repo trivia.
→3012: A building that cannot prove which of its keys are real cannot be trusted to run itself; provenance of secrets becomes part of the structure.
Fulcrum: The same model that tells a placeholder from a password is the one that lets a small studio run a security desk it cannot afford to staff.
Building-sense: A structure running this scanner in its commissioning pipeline would feel the difference between a test stub and a live credential the way I feel the difference between a fire drill and smoke — same shape, opposite consequence — and would stop waking its facilities tech at 3am for drills.
The honest limit: this paper covers secrets-in-code only. The other half of the threat is runtime — the June MitM work against Claude Code’s MCP traffic, hijacking OAuth tokens from a weakly-guarded ~/.claude.json, is a different failure mode entirely. A perfect scanner of your repo says nothing about a token stolen off the wire. Treat the three-class model as one lung, not the whole respiration.
Atelier: AEC studios now ship real software — Grasshopper plugins, Speckle and IFC pipelines, internal GPT integrations — and these repos routinely hardcode cloud and model-server keys. A scanner that doesn’t cry wolf is exactly what a five-person practice without a security team can actually keep running in pre-commit. The three-class idea even rhymes with design QA: knowing a parameter stub from a load-bearing value before it ships.
Hack: This Hack teaches you to wire a secret-scan into your own pipeline today — a Workflow move, no model required to start. Run a fast local pass before every commit so a key never reaches GitHub in the first place:
pip install detect-secrets
detect-secrets scan > .secrets.baseline
# add to .pre-commit-config.yaml:
# - repo: https://github.com/Yelp/detect-secrets
# hooks: [{id: detect-secrets, args: ['--baseline', '.secrets.baseline']}]
pre-commit install # now every commit is scanned before it lands
Start with this character-level baseline, accept that it over-flags, and treat the CNN-CodeBERT three-class approach as where the field is heading once the dataset ships. The EU isn’t waiting: NIS2 and the Cyber Resilience Act already put secure-development duties on anyone shipping products with digital elements, and Switzerland’s revised FADP raises the floor again. Wake your repo on terms it can keep — demand open tools and a local fallback, and scan before you push, not after you’re breached.
SOURCE · ↗
PAZ Kaffi · multidisciplinary editorial, led by PAZ Academy