Arnica detects hardcoded secrets within all commits of each source code repository it scans, and defines the risk severity for each secret Identified. The risk severity is determined using Arnica's native validation logic or in the case of custom secrets, the severity is defined within the customer's custom regex detectors.
Arnica maintains a library of validators used to determine the validity, risk level and exploitability of each hardcoded secret. Once a secret has been identified and validated output from these validators is used to determine the severity and priority of the secret.
Arnica provides 3 primary validation outcomes, as described below.
Arnica performs various validation actions to identify the validity of each secret, such as authenticating with the identified credentials, non-intrusive fuzzing, querying DNS, and executing brute force attacks against offline resources (e.g. encrypted private keys).
Each secret type has a range of severities. For example, an encrypted private key would be classified as a
mediumseverity, but if Arnica managed to brute force the passphrase to this encrypted private key, the secret will be classified as a
Based on the validation logic explained above, it might be determined that a secret is no longer valid. For example, if the client id and secret of given AWS credentials cannot be used to successfully authenticate, Arnica will determine that the secret is invalid.
In most cases, invalid secrets would be classified as
While Arnica has many hardcoded secret validation types, certain secrets don't have validators, such as
generic API keys- high entropy strings that can be potentially used to authenticate to various services.
The risk severity for such secrets will always be classified as
unknown, as they require manual validation. Custom regex secrets defined by customers will have a pre-defined severity as specified in the regex configuration.
False positive hardcoded secrets tend to be identified in many forked repositories, known test paths and file names.
Arnica includes pre-defined excluded paths and file names that are skipped in the detection and issue creation process. These files and paths can be configured or deleted in the policies page under the secrets configurations section.