Hybrid CNN-CodeBERT Framework Cuts Credential False Positives by 33%

A team of researchers (Baby, Shah, Liang, Zhang) has developed a hybrid CNN-CodeBERT model to tackle the growing problem of credential leakage in public source code repositories—where over 23.8 million secrets were exposed in 2024 alone. Existing tools rely on rigid pattern matching and binary classification (secret vs. non-secret), leading to high false-positive rates because they cannot differentiate genuine credentials from placeholder or weak ones. The new framework introduces a three-class classification (genuine, placeholder/weak, non-credential) by combining CodeBERT’s semantic understanding with character-level pattern recognition via CNNs.

Evaluated on a newly constructed dataset of 9,426 samples spanning 10 programming languages, the model achieves a Matthews Correlation Coefficient of 0.86 and a macro F1-score of 0.90. It attains 93% recall and 89% precision for genuine credential leaks while reducing high-severity alerts by 33.0% (from 373 to 250) without sacrificing security coverage. Critically, placeholder/weak credential detection improved from 54% to 81% F1-score. Under leave-one-language-out evaluation, 9 of 10 languages maintained F1 above 0.80, demonstrating strong cross-language generalization. The paper has been accepted at ICSME 2026.