QKD-Protected Secret Reporting: Quantum Key Distribution for Secure Transmission of Detected Credentials in Automated Code Scanning
Authors/Creators
Description
Automated code scanners routinely detect hardcoded secrets (API keys, private keys, database credentials) yet transmit those findings in plaintext through CI/CD pipelines, dashboards and webhook notifications, creating a secondary exposure vector. We present an approach that integrates a BB84 quantum key distribution (QKD) simulation into the code-scanning pipeline and encrypts every detected secret with AES-256-GCM under a QKD-derived key before it leaves the scanner process. Our implementation runs within the QCrypton platform as a full BB84 protocol simulation with basis reconciliation, eavesdropper detection at an 11% quantum bit error rate (QBER) threshold, and privacy amplification via LSH-256 hashing (KS X 3262). Because the BB84 exchange is simulated in software rather than run over a quantum channel, the unpredictability of the resulting key rests on the simulator's classical random number source; what the simulation exercises end to end is the protocol logic (sifting, QBER check, privacy amplification) that a hardware QKD link would later feed. We show that the approach adds negligible overhead (under 50 ms for typical scan results), eliminates plaintext secret exposure in scan reports, and provides a quantum-safe transitional architecture. The system detects more than 30 secret types across six programming languages (JavaScript, Python, Go, Java, Rust, C/C++) and wraps each finding individually under a unique initialization vector. To our knowledge, this is the first code scanner to employ quantum key distribution to protect its own findings.
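The BB84 pipeline the abstract describes (random bits and bases, basis reconciliation, a QBER check against the 11% threshold, privacy amplification down to an AES-256 key), as an added Go example. This is not the paper's or the QCrypton platform's code. It assumes a noiseless channel and an intercept-resend eavesdropper model (so a clean run shows 0% QBER and Eve pushes it to about 25%), estimates the QBER by publicly sacrificing the first `sample` sifted bits, and uses SHA-256 in place of LSH-256 (KS X 3262) because the Go standard library does not ship LSH; all function names and the `QBERThreshold` constant are my own.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// QBERThreshold is the sifted-key error rate above which a run aborts (11%).
const QBERThreshold = 0.11

// randomBits returns n uniformly random bits (one per byte) from crypto/rand.
func randomBits(n int) []byte {
	buf := make([]byte, n)
	if _, err := rand.Read(buf); err != nil {
		panic(err)
	}
	for i := range buf {
		buf[i] &= 1
	}
	return buf
}

// BB84Sift simulates n qubits on a noiseless channel: Alice encodes random
// bits in random bases, Bob measures in random bases, and basis
// reconciliation keeps only the positions where the two bases agree. With
// eavesdrop set, an intercept-resend Eve measures every qubit in her own
// random basis and re-sends it, which disturbs about 25% of the sifted bits.
func BB84Sift(n int, eavesdrop bool) (alice, bob []byte) {
	aBits, aBasis, bBasis := randomBits(n), randomBits(n), randomBits(n)
	eBasis, eNoise, bNoise := randomBits(n), randomBits(n), randomBits(n)
	for i := 0; i < n; i++ {
		basis, bit := aBasis[i], aBits[i] // state travelling on the wire
		if eavesdrop {
			if eBasis[i] != basis { // wrong basis: Eve reads a random bit...
				bit = eNoise[i]
			}
			basis = eBasis[i] // ...and re-sends in the basis she measured in
		}
		measured := bNoise[i] // wrong basis: Bob reads a random bit
		if bBasis[i] == basis {
			measured = bit
		}
		if bBasis[i] == aBasis[i] { // sifting
			alice, bob = append(alice, aBits[i]), append(bob, measured)
		}
	}
	return alice, bob
}

// EstimateQBER publicly compares the first sample sifted bits, discards them,
// and returns the observed error rate with the remaining bits.
func EstimateQBER(alice, bob []byte, sample int) (float64, []byte, []byte) {
	bad := 0
	for i := 0; i < sample; i++ {
		if alice[i] != bob[i] {
			bad++
		}
	}
	return float64(bad) / float64(sample), alice[sample:], bob[sample:]
}

// PrivacyAmplify packs the surviving bits and hashes them to a 32-byte AES-256
// key. The page uses LSH-256 (KS X 3262); SHA-256 stands in here only because
// LSH is not in the Go standard library.
func PrivacyAmplify(bits []byte) []byte {
	packed := make([]byte, (len(bits)+7)/8)
	for i, b := range bits {
		packed[i/8] |= b << (7 - uint(i%8))
	}
	sum := sha256.Sum256(packed)
	return sum[:]
}

// DeriveKey runs sift -> QBER check -> privacy amplification and returns
// Alice's and Bob's keys (equal on an undisturbed channel) plus the QBER, or
// an error when the QBER exceeds the threshold.
func DeriveKey(n, sample int, eavesdrop bool) (aKey, bKey []byte, qber float64, err error) {
	alice, bob := BB84Sift(n, eavesdrop)
	if len(alice) < 2*sample {
		return nil, nil, 0, fmt.Errorf("only %d sifted bits", len(alice))
	}
	qber, alice, bob = EstimateQBER(alice, bob, sample)
	if qber > QBERThreshold {
		return nil, nil, qber, fmt.Errorf("QBER %.3f > %.2f: eavesdropper suspected", qber, QBERThreshold)
	}
	return PrivacyAmplify(alice), PrivacyAmplify(bob), qber, nil
}

func main() {
	a, b, qber, err := DeriveKey(4096, 512, false)
	fmt.Printf("clean channel: QBER %.3f, keys match %v, err %v\n", qber, string(a) == string(b), err)
	_, _, qber, err = DeriveKey(4096, 512, true)
	fmt.Printf("intercept-resend Eve: QBER %.3f, err %v\n", qber, err)
}
```

The sacrificed sample is what makes the 11% check meaningful: with 512 compared bits an intercept-resend attacker sits around 25% and is rejected with overwhelming probability, while a clean noiseless run reports exactly 0%. A real channel has its own error floor, so the threshold check is what separates tolerable noise from an eavesdropper.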
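Wrapping each detected secret individually with AES-256-GCM under a unique IV before it leaves the scanner, as an added Go example that is not the paper's or QCrypton's code. `Finding`, `SealFindings`, `OpenFinding` and the 32-byte `DemoKey` are hypothetical; `DemoKey` is a constructed stand-in for the QKD-derived key, the sample findings are constructed placeholders, and binding the file path and secret type to the ciphertext as associated data is a design choice of this example rather than something the abstract states.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Finding is a hypothetical scanner hit. Before it leaves the scanner
// process, SealFindings moves Secret into Ciphertext (AES-256-GCM, tag
// appended) under its own 96-bit nonce; File and Kind stay readable so the
// report is still useful, but are bound as associated data so they cannot be
// swapped between findings without breaking authentication.
type Finding struct {
	File, Kind, Secret string // Secret is empty in the sealed form
	Nonce, Ciphertext  []byte
}

// newGCM builds an AES-GCM AEAD; a 32-byte key selects AES-256.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// aad is the associated data that ties the ciphertext to its metadata.
func aad(f Finding) []byte { return []byte(f.File + "\x00" + f.Kind) }

// SealFindings wraps each finding individually under a fresh random nonce.
// Per-finding nonces matter: GCM with a repeated (key, nonce) pair leaks the
// XOR of the plaintexts and compromises the authentication key.
func SealFindings(key []byte, findings []Finding) ([]Finding, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	out := make([]Finding, 0, len(findings))
	for _, f := range findings {
		nonce := make([]byte, gcm.NonceSize())
		if _, err := rand.Read(nonce); err != nil {
			return nil, err
		}
		ct := gcm.Seal(nil, nonce, []byte(f.Secret), aad(f))
		out = append(out, Finding{File: f.File, Kind: f.Kind, Nonce: nonce, Ciphertext: ct})
	}
	return out, nil
}

// OpenFinding recovers the secret on the consumer side; any change to the
// nonce, ciphertext, File or Kind makes authentication fail.
func OpenFinding(key []byte, f Finding) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	pt, err := gcm.Open(nil, f.Nonce, f.Ciphertext, aad(f))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// DemoKey is a constructed stand-in for the QKD-derived 32-byte key; a real
// deployment takes the key from the key-agreement step instead.
var DemoKey = []byte("0123456789abcdef0123456789abcdef")

func main() {
	// Constructed sample findings; the secrets are placeholders, not real keys.
	findings := []Finding{
		{File: "config.py", Kind: "aws_access_key", Secret: "AKIA-placeholder-0001"},
		{File: "db.go", Kind: "postgres_uri", Secret: "postgres://app:placeholder@db/prod"},
	}
	sealed, err := SealFindings(DemoKey, findings)
	if err != nil {
		panic(err)
	}
	for _, s := range sealed {
		secret, err := OpenFinding(DemoKey, s)
		fmt.Printf("%s %s nonce=%x secret=%q err=%v\n", s.File, s.Kind, s.Nonce, secret, err)
	}
}
```

The sealed slice is what a report, webhook or dashboard would carry: metadata in the clear, the secret only as ciphertext plus tag. Swapping a sealed secret onto a different file or secret type, or decrypting with the wrong key, fails authentication rather than yielding garbage.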
Files (202.4 kB)

| Name | Size | Checksum |
|---|---|---|
| QKD Protected Secret Reporting.pdf | 202.4 kB | md5:eb968f16633fad07cb99a03d10e41d64 |