Secret Detection
Arnica detects hardcoded secrets within every commit of each source code repository it scans, and assigns a risk severity to each secret identified. The risk severity is determined by Arnica's native validation logic; for custom secrets, the severity is the one defined in the customer's own detectors.
Arnica maintains a library of validators used to determine the validity, risk level and exploitability of each hardcoded secret. Once a secret has been identified and validated, the output of these validators determines the severity and priority of the secret. The table below lists the supported secret types and indicates which of them have a validator.
| Secret Type | Detection | Validation |
| --- | --- | --- |
| Adafruit API Key | ✅ | |
| Adobe Client ID (OAuth Web) | ✅ | |
| Adobe Client Secret | ✅ | |
| Age secret key | ✅ | |
| Airtable API Key | ✅ | |
| Algolia API Key | ✅ | |
| Alibaba AccessKey ID | ✅ | |
| Alibaba Secret Key | ✅ | |
| Asana Client ID | ✅ | |
| Asana Client Secret | ✅ | |
| Atlassian API token | ✅ | |
| Auth0 Client Secret | ✅ | ✅ |
| Authress Service Client Access Key | ✅ | |
| AWS Access Token | ✅ | ✅ |
| Azure Storage | ✅ | ✅ |
| Azure Tenant ID and Access Key | ✅ | ✅ |
| Base64 Encoded GitHub Fine-Grained Personal Access Token | ✅ | ✅ |
| Base64 Encoded GitHub Personal Access Token | ✅ | ✅ |
| Beamer API token | ✅ | |
| Bitbucket Client ID | ✅ | |
| Bitbucket Client Secret | ✅ | |
| Bittrex Access Key | ✅ | |
| Bittrex Secret Key | ✅ | |
| CircleCI API Token | ✅ | ✅ |
| Clojars API token | ✅ | |
| Codecov Access Token | ✅ | |
| Coinbase Access Token | ✅ | |
| Confluent Access Token | ✅ | |
| Confluent Secret Key | ✅ | |
| Contentful delivery API token | ✅ | |
| CosmosDB Endpoint Access | ✅ | ✅ |
| Credentials in Web URL | ✅ | ✅ |
| Databricks API token | ✅ | ✅ |
| Datadog Access Token | ✅ | ✅ |
| Defined Networking API token | ✅ | |
| DigitalOcean OAuth Access Token | ✅ | |
| DigitalOcean OAuth Refresh Token | ✅ | |
| DigitalOcean Personal Access Token | ✅ | |
| Discord API key | ✅ | |
| Discord client ID | ✅ | |
| Discord client secret | ✅ | |
| Doppler API token | ✅ | |
| Droneci Access Token | ✅ | |
| Dropbox API secret | ✅ | |
| Dropbox long lived API token | ✅ | |
| Dropbox short lived API token | ✅ | |
| Duffel API token | ✅ | |
| Dynatrace API token | ✅ | |
| EasyPost API token | ✅ | |
| EasyPost test API token | ✅ | |
| Etsy Access Token | ✅ | |
| Facebook Access Token | ✅ | |
| Fastly API key | ✅ | |
| Finicity API token | ✅ | |
| Finicity Client Secret | ✅ | |
| Finicity Public Key | ✅ | |
| Finnhub Access Token | ✅ | |
| Flickr Access Token | ✅ | |
| Flutterwave Encryption Key | ✅ | ✅ |
| Flutterwave Secret Key | ✅ | ✅ |
| Frame.io API token | ✅ | |
| Freshbooks Access Token | ✅ | |
| GCP Access Token | ✅ | ✅ |
| GCP API key | ✅ | ✅ |
| Generic API Key | ✅ | |
| GitHub App Token | ✅ | ✅ |
| GitHub Fine-Grained Personal Access Token | ✅ | ✅ |
| GitHub OAuth Access Token | ✅ | ✅ |
| GitHub Personal Access Token | ✅ | ✅ |
| GitHub Refresh Token | ✅ | ✅ |
| GitLab Personal Access Token | ✅ | |
| GitLab Pipeline Trigger Token | ✅ | |
| GitLab Runner Registration Token | ✅ | |
| Gitter Access Token | ✅ | |
| GoCardless API token | ✅ | |
| Grafana API key (or Grafana cloud API key) | ✅ | |
| Grafana cloud API token | ✅ | |
| Grafana Service Account Token | ✅ | |
| HashiCorp Terraform user/org API token | ✅ | |
| Heroku API Key | ✅ | |
| HubSpot API Token | ✅ | |
| Intercom API Token | ✅ | |
| JFrog Artifactory | ✅ | ✅ |
| JSON Web Token | ✅ | ✅ |
| Kraken Access Token | ✅ | |
| Kucoin Access Token | ✅ | |
| Kucoin Secret Key | ✅ | |
| Launchdarkly Access Token | ✅ | |
| Linear API Token | ✅ | |
| Linear Client Secret | ✅ | |
| LinkedIn Client ID | ✅ | |
| LinkedIn Client secret | ✅ | |
| Lob API Key | ✅ | |
| Lob Publishable API Key | ✅ | |
| Mailchimp API key | ✅ | |
| Mailgun private API token | ✅ | ✅ |
| Mailgun public validation key | ✅ | |
| Mailgun webhook signing key | ✅ | |
| MapBox API token | ✅ | |
| Mattermost Access Token | ✅ | |
| MessageBird API token | ✅ | |
| MessageBird Client ID | ✅ | |
| Microsoft Teams Webhook | ✅ | |
| Netlify Access Token | ✅ | |
| New Relic API Key | ✅ | |
| New Relic ingest browser API token | ✅ | |
| New Relic user API ID | ✅ | |
| New Relic user API Key | ✅ | |
| Npm Access Token | ✅ | ✅ |
| Nytimes Access Token | ✅ | |
| Okta Access Token | ✅ | |
| OpenAI API Key | ✅ | ✅ |
| Plaid API Token | ✅ | |
| Plaid Client ID | ✅ | |
| Plaid Secret key | ✅ | |
| PlanetScale API token | ✅ | |
| PlanetScale OAuth token | ✅ | |
| PlanetScale password | ✅ | |
| Postman API token | ✅ | |
| Prefect API token | ✅ | |
| Private Key | ✅ | ✅ |
| Pulumi API token | ✅ | |
| PyPI upload token | ✅ | |
| RapidAPI Access Token | ✅ | |
| Readme API token | ✅ | |
| Rubygem API token | ✅ | |
| Sendbird Access ID | ✅ | |
| Sendbird Access Token | ✅ | |
| SendGrid API token | ✅ | ✅ |
| Sendinblue API token | ✅ | |
| Sentry Access Token | ✅ | |
| Shippo API token | ✅ | |
| Shopify access token | ✅ | |
| Shopify custom access token | ✅ | |
| Shopify private app access token | ✅ | |
| Shopify shared secret | ✅ | |
| Sidekiq Secret | ✅ | |
| Sidekiq Sensitive URL | ✅ | |
| Slack App-level token | ✅ | |
| Slack Bot token | ✅ | ✅ |
| Slack Configuration access token | ✅ | |
| Slack Configuration refresh token | ✅ | |
| Slack Legacy bot token | ✅ | |
| Slack Legacy token | ✅ | |
| Slack Legacy Workspace token | ✅ | |
| Slack User | ✅ | |
Arnica provides three primary validation outcomes, as described below.
Valid: Arnica performs various validation actions to establish the validity of each secret, such as authenticating with the identified credentials, non-intrusive fuzzing, querying DNS, and executing brute-force attacks against offline resources (e.g. encrypted private keys).
Each secret type has a range of severities. For example, an encrypted private key is classified as medium severity, but if Arnica manages to brute-force the passphrase of that encrypted private key, the secret is classified as high risk.
Invalid: based on the validation logic explained above, a secret may be determined to be no longer valid. For example, if the ID and secret of a given set of AWS credentials cannot be used to authenticate successfully, Arnica determines that the secret is invalid.
In most cases, invalid secrets are classified as info severity.
Unknown: while Arnica has validators for many hardcoded secret types, certain secrets have no validator, such as generic API keys: high-entropy strings that could potentially be used to authenticate to various services.
False-positive hardcoded secrets tend to be found in forked repositories and in known test paths and file names.
The risk severity of such secrets is always classified as unknown, as they require manual validation. Secrets defined by customers have a pre-defined severity as specified in their regex configuration.
Arnica includes pre-defined excluded paths and file names that are skipped in the detection and issue-creation process. These exclusions can be configured or deleted under the secrets configuration section.
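To illustrate the triage flow described above, here is an added Python example (not Arnica's code) that runs a few detectors over the files of a commit, skips excluded paths, and maps each validation outcome (no validator, invalid, valid, exploitable) to a severity. The detector patterns, exclusion rules, severity values and the simulated validator are assumptions made for the example; the AKIA key-ID prefix and the example key value come from AWS documentation.

```python
import re
from typing import Callable, Dict, List, Tuple

# Detector table: regex, whether a validator exists, and the (base, elevated) severity
# a valid secret receives. The "AKIA" key-ID prefix is documented by AWS; the other
# patterns and every severity value are constructed for this example.
DETECTORS: Dict[str, Tuple[re.Pattern, bool, Tuple[str, str]]] = {
    "AWS Access Token": (re.compile(r"\bAKIA[0-9A-Z]{16}\b"), True, ("high", "high")),
    "Private Key": (re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"), True, ("medium", "high")),
    "Generic API Key": (re.compile(r"(?i)api[_-]?key\s*=\s*['\"][A-Za-z0-9]{32,}['\"]"), False, ("unknown", "unknown")),
}
# Paths skipped before issue creation (constructed stand-ins for "known test paths").
EXCLUDED_PATHS = [re.compile(r"(^|/)tests?/"), re.compile(r"\.example$")]

def is_excluded(path: str) -> bool:
    return any(p.search(path) for p in EXCLUDED_PATHS)

def classify(kind: str, value: str, validate: Callable[[str, str], str]) -> str:
    """No validator -> unknown (manual review); invalid -> info; valid -> base
    severity; exploitable (e.g. passphrase recovered) -> elevated severity."""
    _, has_validator, (base, elevated) = DETECTORS[kind]
    if not has_validator:
        return "unknown"
    return {"invalid": "info", "valid": base, "exploitable": elevated}[validate(kind, value)]

def scan_commit(files: Dict[str, str], validate: Callable[[str, str], str]) -> List[dict]:
    """Run every detector over every non-excluded file of a commit."""
    findings = []
    for path, content in files.items():
        if is_excluded(path):
            continue
        for kind, (pattern, _, _) in DETECTORS.items():
            for match in pattern.finditer(content):
                findings.append({"path": path, "type": kind,
                                 "severity": classify(kind, match.group(0), validate)})
    return findings

# Constructed commit contents; the AWS value is AWS's own documentation example key.
SAMPLE_FILES = {
    "src/settings.py": 'AWS_KEY = "AKIAIOSFODNN7EXAMPLE"\napi_key = "abcdefghijklmnopqrstuvwxyz012345"\n',
    "tests/fixtures/keys.py": 'AWS_KEY = "AKIAIOSFODNN7EXAMPLE"\n',
    "deploy/server.pem": "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n...\n",
}

def fake_validate(kind: str, value: str) -> str:
    """Simulated validator with no network access: only the documented example key
    counts as authenticating; the encrypted private key stays uncracked."""
    if kind == "AWS Access Token":
        return "valid" if value == "AKIAIOSFODNN7EXAMPLE" else "invalid"
    return "valid"
```

Calling `scan_commit(SAMPLE_FILES, fake_validate)` yields a high finding for the AWS key, an unknown finding for the generic key (no validator), and a medium finding for the still-encrypted private key, while the copy under `tests/` is skipped entirely.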