Secret Detection

Last updated 7 days ago

Summary

Arnica detects hardcoded secrets in every commit of each source code repository it scans and assigns a risk severity to each secret identified. For built-in secret types the severity is determined by Arnica's native validation logic; for custom secrets, the severity is the one defined in the customer's own detectors.

Secret validation capabilities

Arnica maintains a library of validators used to determine the validity, risk level and exploitability of each hardcoded secret. Once a secret has been identified and validated, the output of these validators is used to determine the secret's severity and priority.

Secret Support Matrix

Every secret type listed below is detected. A check mark in the Validation column means Arnica also has a validator for that type; a blank Validation cell means the type is detected but not validated, so its validation outcome is None (see "Secret validation types" below).

| Secret Type | Detection | Validation |
|---|---|---|
| Adafruit API Key | ✅ | |
| Adobe Client ID (OAuth Web) | ✅ | |
| Adobe Client Secret | ✅ | |
| Age secret key | ✅ | |
| Airtable API Key | ✅ | |
| Algolia API Key | ✅ | |
| Alibaba AccessKey ID | ✅ | |
| Alibaba Secret Key | ✅ | |
| Asana Client ID | ✅ | |
| Asana Client Secret | ✅ | |
| Atlassian API token | ✅ | |
| Auth0 Client Secret | ✅ | ✅ |
| Authress Service Client Access Key | ✅ | |
| AWS Access Token | ✅ | ✅ |
| Azure Storage | ✅ | ✅ |
| Azure Tenant ID and Access Key | ✅ | ✅ |
| Base64 Encoded GitHub Fine-Grained Personal Access Token | ✅ | ✅ |
| Base64 Encoded GitHub Personal Access Token | ✅ | ✅ |
| Beamer API token | ✅ | |
| Bitbucket Client ID | ✅ | |
| Bitbucket Client Secret | ✅ | |
| Bittrex Access Key | ✅ | |
| Bittrex Secret Key | ✅ | |
| CircleCI API Token | ✅ | ✅ |
| Clojars API token | ✅ | |
| Codecov Access Token | ✅ | |
| Coinbase Access Token | ✅ | |
| Confluent Access Token | ✅ | |
| Confluent Secret Key | ✅ | |
| Contentful delivery API token | ✅ | |
| CosmosDB Endpoint Access | ✅ | ✅ |
| Credentials in Web URL | ✅ | ✅ |
| Databricks API token | ✅ | ✅ |
| Datadog Access Token | ✅ | ✅ |
| Defined Networking API token | ✅ | |
| DigitalOcean OAuth Access Token | ✅ | |
| DigitalOcean OAuth Refresh Token | ✅ | |
| DigitalOcean Personal Access Token | ✅ | |
| Discord API key | ✅ | |
| Discord client ID | ✅ | |
| Discord client secret | ✅ | |
| Doppler API token | ✅ | |
| Droneci Access Token | ✅ | |
| Dropbox API secret | ✅ | |
| Dropbox long lived API token | ✅ | |
| Dropbox short lived API token | ✅ | |
| Duffel API token | ✅ | |
| Dynatrace API token | ✅ | |
| EasyPost API token | ✅ | |
| EasyPost test API token | ✅ | |
| Etsy Access Token | ✅ | |
| Facebook Access Token | ✅ | |
| Fastly API key | ✅ | |
| Finicity API token | ✅ | |
| Finicity Client Secret | ✅ | |
| Finicity Public Key | ✅ | |
| Finnhub Access Token | ✅ | |
| Flickr Access Token | ✅ | |
| Flutterwave Encryption Key | ✅ | ✅ |
| Flutterwave Secret Key | ✅ | ✅ |
| Frame.io API token | ✅ | |
| Freshbooks Access Token | ✅ | |
| GCP Access Token | ✅ | ✅ |
| GCP API key | ✅ | ✅ |
| Generic API Key | ✅ | |
| GitHub App Token | ✅ | ✅ |
| GitHub Fine-Grained Personal Access Token | ✅ | ✅ |
| GitHub OAuth Access Token | ✅ | ✅ |
| GitHub Personal Access Token | ✅ | ✅ |
| GitHub Refresh Token | ✅ | ✅ |
| GitLab Personal Access Token | ✅ | |
| GitLab Pipeline Trigger Token | ✅ | |
| GitLab Runner Registration Token | ✅ | |
| Gitter Access Token | ✅ | |
| GoCardless API token | ✅ | |
| Grafana API key (or Grafana cloud API key) | ✅ | |
| Grafana cloud API token | ✅ | |
| Grafana Service Account Token | ✅ | |
| HashiCorp Terraform user/org API token | ✅ | |
| Heroku API Key | ✅ | |
| HubSpot API Token | ✅ | |
| Intercom API Token | ✅ | |
| JFrog Artifactory | ✅ | ✅ |
| JSON Web Token | ✅ | ✅ |
| Kraken Access Token | ✅ | |
| Kucoin Access Token | ✅ | |
| Kucoin Secret Key | ✅ | |
| Launchdarkly Access Token | ✅ | |
| Linear API Token | ✅ | |
| Linear Client Secret | ✅ | |
| LinkedIn Client ID | ✅ | |
| LinkedIn Client secret | ✅ | |
| Lob API Key | ✅ | |
| Lob Publishable API Key | ✅ | |
| Mailchimp API key | ✅ | |
| Mailgun private API token | ✅ | ✅ |
| Mailgun public validation key | ✅ | |
| Mailgun webhook signing key | ✅ | |
| MapBox API token | ✅ | |
| Mattermost Access Token | ✅ | |
| MessageBird API token | ✅ | |
| MessageBird Client ID | ✅ | |
| Microsoft Teams Webhook | ✅ | |
| Netlify Access Token | ✅ | |
| New Relic API Key | ✅ | |
| New Relic ingest browser API token | ✅ | |
| New Relic user API ID | ✅ | |
| New Relic user API Key | ✅ | |
| Npm Access Token | ✅ | ✅ |
| Nytimes Access Token | ✅ | |
| Okta Access Token | ✅ | |
| OpenAI API Key | ✅ | ✅ |
| Plaid API Token | ✅ | |
| Plaid Client ID | ✅ | |
| Plaid Secret key | ✅ | |
| PlanetScale API token | ✅ | |
| PlanetScale OAuth token | ✅ | |
| PlanetScale password | ✅ | |
| Postman API token | ✅ | |
| Prefect API token | ✅ | |
| Private Key | ✅ | ✅ |
| Pulumi API token | ✅ | |
| PyPI upload token | ✅ | |
| RapidAPI Access Token | ✅ | |
| Readme API token | ✅ | |
| Rubygem API token | ✅ | |
| Sendbird Access ID | ✅ | |
| Sendbird Access Token | ✅ | |
| SendGrid API token | ✅ | ✅ |
| Sendinblue API token | ✅ | |
| Sentry Access Token | ✅ | |
| Shippo API token | ✅ | |
| Shopify access token | ✅ | |
| Shopify custom access token | ✅ | |
| Shopify private app access token | ✅ | |
| Shopify shared secret | ✅ | |
| Sidekiq Secret | ✅ | |
| Sidekiq Sensitive URL | ✅ | |
| Slack App-level token | ✅ | |
| Slack Bot token | ✅ | ✅ |
| Slack Configuration access token | ✅ | |
| Slack Configuration refresh token | ✅ | |
| Slack Legacy bot token | ✅ | |
| Slack Legacy token | ✅ | |
| Slack Legacy Workspace token | ✅ | |
| Slack User | ✅ | |
| Stripe API Token | ✅ | ✅ |

Secret validation types

Arnica produces three primary validation outcomes, described below.

Valid

Arnica performs various validation actions to establish whether each secret is live, such as authenticating with the identified credentials, non-intrusive fuzzing, querying DNS, and running brute-force attacks against offline resources (e.g. passphrase-protected private keys).

Each secret type has a range of severities. For example, an encrypted private key is classified as medium severity, but if Arnica manages to brute-force the passphrase of that encrypted private key, the secret is reclassified as high risk.

Invalid

Based on the validation logic explained above, a secret may be found to be no longer valid. For example, if the access key ID and secret access key of a given set of AWS credentials cannot be used to authenticate successfully, Arnica determines that the secret is invalid.

In most cases, invalid secrets are classified as info severity.

None

While Arnica has validators for many hardcoded secret types, some secrets have no validator, such as generic API keys: high-entropy strings that could potentially be used to authenticate to any number of services.

Excluded secrets and paths

False-positive hardcoded secrets are commonly found in forked repositories and in known test paths and file names.

The risk severity for such secrets is always classified as unknown, as they require manual validation. Secrets defined by customers through custom regex have a pre-defined severity, as specified in the regex configuration.

Arnica includes pre-defined excluded paths and file names that are skipped during detection and issue creation. These paths and file names can be edited or removed under the secrets configuration section of the policies page.
