🕵️Secret Detection

Summary

Arnica detects hardcoded secrets within all commits of each source code repository it scans and assigns a risk severity to each secret identified. For built-in secret types, the severity is determined by Arnica's native validation logic; for custom secrets, it is the severity defined in the customer's custom regex detector.

Secret validation capabilities

Arnica maintains a library of validators used to determine the validity, risk level and exploitability of each hardcoded secret. Once a secret has been identified and validated, the output of these validators is used to determine the severity and priority of the secret.

Secret Support Matrix

Secret Type
Detection
Validation

Adafruit API Key

Adobe Client ID (OAuth Web)

Adobe Client Secret

Age secret key

Airtable API Key

Algolia API Key

Alibaba AccessKey ID

Alibaba Secret Key

Asana Client ID

Asana Client Secret

Atlassian API token

Auth0 Client Secret

Authress Service Client Access Key

AWS Access Token

Azure Storage

Azure Tenant ID and Access Key

Base64 Encoded GitHub Fine-Grained Personal Access Token

Base64 Encoded GitHub Personal Access Token

Beamer API token

Bitbucket Client ID

Bitbucket Client Secret

Bittrex Access Key

Bittrex Secret Key

CircleCI API Token

Clojars API token

Codecov Access Token

Coinbase Access Token

Confluent Access Token

Confluent Secret Key

Contentful delivery API token

CosmosDB Endpoint Access

Credentials in Web URL

Databricks API token

Datadog Access Token

Defined Networking API token

DigitalOcean OAuth Access Token

DigitalOcean OAuth Refresh Token

DigitalOcean Personal Access Token

Discord API key

Discord client ID

Discord client secret

Doppler API token

Droneci Access Token

Dropbox API secret

Dropbox long lived API token

Dropbox short lived API token

Duffel API token

Dynatrace API token

EasyPost API token

EasyPost test API token

Etsy Access Token

Facebook Access Token

Fastly API key

Finicity API token

Finicity Client Secret

Finicity Public Key

Finnhub Access Token

Flickr Access Token

Flutterwave Encryption Key

Flutterwave Secret Key

Frame.io API token

Freshbooks Access Token

GCP Access Token

GCP API key

Generic API Key

GitHub App Token

GitHub Fine-Grained Personal Access Token

GitHub OAuth Access Token

GitHub Personal Access Token

GitHub Refresh Token

GitLab Personal Access Token

GitLab Pipeline Trigger Token

GitLab Runner Registration Token

Gitter Access Token

GoCardless API token

Grafana API key (or Grafana cloud API key)

Grafana cloud API token

Grafana Service Account Token

HashiCorp Terraform user/org API token

Heroku API Key

HubSpot API Token

Intercom API Token

JFrog Artifactory

JSON Web Token

Kraken Access Token

Kucoin Access Token

Kucoin Secret Key

Launchdarkly Access Token

Linear API Token

Linear Client Secret

LinkedIn Client ID

LinkedIn Client secret

Lob API Key

Lob Publishable API Key

Mailchimp API key

Mailgun private API token

Mailgun public validation key

Mailgun webhook signing key

MapBox API token

Mattermost Access Token

MessageBird API token

MessageBird Client ID

Microsoft Teams Webhook

Netlify Access Token

New Relic API Key

New Relic ingest browser API token

New Relic user API ID

New Relic user API Key

Npm Access Token

Nytimes Access Token

Okta Access Token

OpenAI API Key

Plaid API Token

Plaid Client ID

Plaid Secret key

PlanetScale API token

PlanetScale OAuth token

PlanetScale password

Postman API token

Prefect API token

Private Key

Pulumi API token

PyPI upload token

RapidAPI Access Token

Readme API token

Rubygem API token

Sendbird Access ID

Sendbird Access Token

SendGrid API token

Sendinblue API token

Sentry Access Token

Shippo API token

Shopify access token

Shopify custom access token

Shopify private app access token

Shopify shared secret

Sidekiq Secret

Sidekiq Sensitive URL

Slack App-level token

Slack Bot token

Slack Configuration access token

Slack Configuration refresh token

Slack Legacy bot token

Slack Legacy token

Slack Legacy Workspace token

Slack User

Stripe API Token

Secret validation types

Arnica provides 3 primary validation outcomes, as described below.

Valid

Arnica performs various validation actions to determine whether each secret is still valid, such as authenticating with the identified credentials, non-intrusive fuzzing, querying DNS, and running brute-force attacks against offline resources (e.g. encrypted private keys).

Each secret type has a range of severities. For example, an encrypted private key is classified as medium severity, but if Arnica manages to brute-force the passphrase of that encrypted private key, the secret is reclassified as high severity.

Invalid

Based on the validation logic explained above, Arnica may determine that a secret is no longer valid. For example, if an AWS access key ID and secret access key cannot be used to authenticate successfully, Arnica marks the secret as invalid.

In most cases, invalid secrets would be classified as info severity.

None

While Arnica has many hardcoded secret validation types, certain secrets don't have validators, such as generic API keys: high-entropy strings that could potentially be used to authenticate to various services.

The risk severity for such secrets is always classified as unknown, as they require manual validation. Custom regex secrets defined by customers have a pre-defined severity, as specified in the regex configuration.

Excluded secrets and paths

False positive hardcoded secrets tend to be found in forked repositories and in known test paths and file names.

Arnica includes pre-defined excluded paths and file names that are skipped during detection and issue creation. These paths and file names can be configured or deleted on the Policies page, under the secrets configuration section.
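Added example (written for this page, not Arnica's own code): a small end-to-end sketch of the flow described above, from path exclusion through regex detection to validation and severity assignment. Everything in it is an assumption for illustration: the exclusion list, the regexes, the entropy gate on generic keys, the severity names, and the two offline validators (a JWT check that only looks at the `exp` claim, and a private-key check that distinguishes encrypted from unencrypted PEM but does not attempt the passphrase brute force the page mentions). The sample repository contents are constructed and contain no real credentials.

```python
"""Illustrative detect -> validate -> classify pipeline. Example code for this page,
not Arnica's implementation; all regexes, exclusions and thresholds are assumptions."""
from __future__ import annotations

import base64
import json
import math
import re
import time
from dataclasses import dataclass
from enum import Enum
from fnmatch import fnmatch
from typing import Callable, Optional


class Outcome(Enum):
    VALID = "valid"      # credential authenticates / key material is usable
    INVALID = "invalid"  # validation was attempted and failed
    NONE = "none"        # this secret type has no validator


@dataclass(frozen=True)
class Verdict:
    outcome: Outcome
    severity: Optional[str] = None  # a validator may refine severity (encrypted-key case)


@dataclass(frozen=True)
class Detector:
    name: str
    pattern: re.Pattern
    validator: Optional[Callable[[str], Verdict]] = None
    valid_severity: str = "high"           # used when the validator reports VALID
    custom_severity: Optional[str] = None  # customer-defined regex: severity is fixed
    min_entropy: float = 0.0               # entropy gate for generic detectors


@dataclass(frozen=True)
class Finding:
    path: str
    detector: str
    secret: str
    outcome: Outcome
    severity: str


# Assumed default exclusions (Arnica ships its own list, editable on the Policies page).
EXCLUDED_DIRS = {"test", "tests", "testdata", "fixtures", "__fixtures__"}
EXCLUDED_FILE_GLOBS = ("*.example", "*.sample", "test_*.py", "*_test.go")


def is_excluded(path: str) -> bool:
    parts = path.split("/")
    if any(p in EXCLUDED_DIRS for p in parts[:-1]):
        return True
    return any(fnmatch(parts[-1], g) for g in EXCLUDED_FILE_GLOBS)


def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum(s.count(c) / n * math.log2(s.count(c) / n) for c in set(s))


def validate_jwt(token: str) -> Verdict:
    """Offline check: a JWT whose `exp` has passed is dead. The signature is NOT
    verified here, so an unexpired token is reported VALID only under that assumption."""
    try:
        payload_b64 = token.split(".")[1]
        payload = json.loads(base64.urlsafe_b64decode(payload_b64 + "=" * (-len(payload_b64) % 4)))
    except (IndexError, ValueError):
        return Verdict(Outcome.INVALID)
    if not isinstance(payload, dict):
        return Verdict(Outcome.INVALID)
    exp = payload.get("exp")
    if isinstance(exp, (int, float)) and exp < time.time():
        return Verdict(Outcome.INVALID)
    return Verdict(Outcome.VALID)


def validate_private_key(pem: str) -> Verdict:
    """Unencrypted key material is directly usable -> high. An encrypted key is medium
    until its passphrase is recovered; the brute-force step is omitted here (it needs
    a crypto library), so an encrypted key never gets promoted to high in this sketch."""
    encrypted = pem.startswith("-----BEGIN ENCRYPTED") or "Proc-Type: 4,ENCRYPTED" in pem
    return Verdict(Outcome.VALID, "medium" if encrypted else "high")


DETECTORS = [
    Detector("Generic API Key", re.compile(r"(?i)api[_-]?key\s*[:=]\s*[\"']?([A-Za-z0-9_\-]{20,})"),
             min_entropy=3.5),
    Detector("JSON Web Token", re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*"),
             validator=validate_jwt),
    Detector("Private Key", re.compile(
        r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----.*?-----END (?:[A-Z ]+ )?PRIVATE KEY-----", re.S),
        validator=validate_private_key),
    # Hypothetical customer-defined regex: no validator, severity fixed in its configuration.
    Detector("Custom: Acme live token", re.compile(r"acme_live_[0-9a-f]{16}"), custom_severity="medium"),
]


def classify(det: Detector, secret: str) -> tuple[Outcome, str]:
    if det.validator is None:  # no validator: custom severity, otherwise "unknown"
        return Outcome.NONE, det.custom_severity or "unknown"
    v = det.validator(secret)
    if v.outcome is Outcome.INVALID:
        return Outcome.INVALID, "info"
    if v.outcome is Outcome.VALID:
        return Outcome.VALID, v.severity or det.valid_severity
    return Outcome.NONE, "unknown"


def scan_file(path: str, content: str) -> list[Finding]:
    if is_excluded(path):
        return []
    findings = []
    for det in DETECTORS:
        for m in det.pattern.finditer(content):
            secret = m.group(m.lastindex or 0)
            if det.min_entropy and shannon_entropy(secret) < det.min_entropy:
                continue  # placeholder such as "aaaa..." is not a credential
            outcome, severity = classify(det, secret)
            findings.append(Finding(path, det.name, secret, outcome, severity))
    return findings


def scan_repo(files: dict[str, str]) -> list[Finding]:
    return [f for path in sorted(files) for f in scan_file(path, files[path])]


def _b64url(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj, separators=(",", ":")).encode()).rstrip(b"=").decode()


# Constructed sample repository; nothing below is a real credential.
EXPIRED_JWT = ".".join([_b64url({"alg": "HS256", "typ": "JWT"}), _b64url({"sub": "ci", "exp": 1600000000}), "sig"])
SAMPLE_FILES = {
    "src/settings.py": ('API_KEY = "q7Rz2mK9pLx4Wv8nT3bH6yJ0dF5sG1cA"\n'   # high entropy, no validator
                        'BILLING_TOKEN = "acme_live_0123456789abcdef"\n'  # matches the custom regex
                        f'SESSION_JWT = "{EXPIRED_JWT}"\n'),              # exp in 2020 -> invalid
    "src/placeholder.py": 'API_KEY = "aaaaaaaaaaaaaaaaaaaaaaaa"\n',       # entropy 0 -> dropped
    "deploy/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\n(constructed body)\n-----END RSA PRIVATE KEY-----\n",
    "deploy/id_rsa_enc": ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                          "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\n"
                          "(constructed body)\n-----END RSA PRIVATE KEY-----\n"),
    "tests/fixtures/settings.py": 'API_KEY = "q7Rz2mK9pLx4Wv8nT3bH6yJ0dF5sG1cA"\n',  # excluded path
}

if __name__ == "__main__":
    for f in scan_repo(SAMPLE_FILES):
        print(f"{f.path:24} {f.detector:24} {f.outcome.value:8} {f.severity}")
```

Run it directly to print one line per finding. The copy of the key under `tests/fixtures/` never appears because the path is excluded before detection runs, and the all-`a` placeholder is dropped by the entropy gate rather than reported as an unknown-severity generic key; the expired JWT lands at info, the encrypted key at medium and the plaintext key at high, matching the outcome-to-severity rules described above.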
