Skip to content

Stored Secrets

Hardcoded secrets in your code are very common sources of code weakness. If your code is publicly hosted, attackers will find these credentials and use them to try to compromise your systems.

Even if your code is not hosted publicly, attackers that compromise your developers' machines and malicious developers will have access to these credentials. That's why it is important to create policies that address this weakness.

When viewing Findings results in the dashboard, the detected secrets will appear as Secret found in repository (secret-found-in-repository) with a description specifying one of the following supported secret types.

Supported Secret Types

  • Generic Types:

    • JSON Web Token
    • Private Key
  • Various SAAS API Keys, secrets and tokens:

    • Adafruit API Key
    • Adobe Client Secret
    • Age Secret key
    • Airtable API Key
    • Algolia API Key
    • Alibaba Secret Key
    • Asana Client Secret
    • Atlassian API Token
    • BitBucket Client Secret
    • Bittrex Access Key and Secret Key
    • Beamer API Token
    • Codecov Access Token
    • Coinbase Access Token
    • Clojars API Token
    • Confluent Access Token, Secret Key and delivery API Token
    • Databricks API Token
    • Datadog Access Token
    • Discord API key, client Secret
    • Doppler API Token
    • Dropbox API Secret, long lived API Token
    • Droneci Access Token
    • Duffel API Token
    • Dynatrace API Token
    • EasyPost API Token
    • Etsy Access Token
    • Facebook API key
    • Fastly API key
    • Finicity Client Secret, API Token
    • Flickr Access Token
    • Finnhub Access Token
    • Flutterwave Secret Key, Encryption Key
    • Frame.io API Token
    • Freshbooks Access Token
    • GoCardless API Token
    • GCP API key
    • GitHub various Token types
    • Gitlab Personal Access Token
    • Gitter Access Token
    • HashiCorp Terraform user/org API Token
    • Heroku API Key
    • HubSpot API Token
    • Intercom API Token
    • Kraken Access Token
    • Kucoin Access Token and Secret Key
    • Launchdarkly Access Token
    • Linear API Token and Client Secret
    • LinkedIn Client Secret
    • Lob API Key
    • Mailchimp API key
    • Mailgun private API Token and webhook signing key
    • MapBox API Token
    • Mattermost Access Token
    • MessageBird API Token
    • Netlify Access Token
    • New Relic API Key
    • NPM access Token
    • Nytimes Access Token
    • Okta Access Token and Secret Key
    • Plaid API Token
    • PlanetScale password, API and OAuth Token
    • Postman API Token
    • Pulumi API Token
    • PyPI upload Token
    • Rubygem API Token
    • RapidAPI Access Token
    • Sendbird Access Token
    • SendGrid API Token
    • Sendinblue API Token
    • Sentry Access Token
    • Shippo API Token
    • Shopify access Tokens and shared Secret
    • Slack Token and webhook Secret
    • Stripe (Production keys only)
    • Square Access Token
    • Squarespace Access Token
    • SumoLogic Access Token
    • Travis CI Access Token
    • Twilio API Key
    • Twitch API Token
    • Twitter API Key, Secrets and Tokens
    • Typeform API Token
    • Yandex API Key and Access Tokens
    • Zendesk Secret Key