Arnica Documentation
  • Introduction
  • Getting Started
    • 🔑Sign Up
    • ▶️SCM Integrations
      • Azure DevOps
      • Bitbucket Cloud
      • Bitbucket Server & Datacenter
      • Github
        • GitHub Audit Logs
        • Github App Permissions
      • Gitlab
    • 📤ChatOps
      • Microsoft Teams
      • Slack
        • Adding Arnica to a New Channel
        • Interacting With the Arnica Slackbot
    • 🎫Ticket Management
      • 🐛Jira Integration
      • 📋ADO Boards Integration
    • 🧠Artificial Intelligence
      • Azure OpenAI
      • OpenAI ChatGPT
    • 🏨On Premise Integrations
  • Inventory
    • 💼Identities, Repositories & Organizations
    • 📇Software Bill of Materials (SBOM)
    • 🦄Prioritization & Product Ownership
  • Hardcoded Secrets
    • 🕵️Secret Detection
    • ⏪Realtime Secret Mitigation
    • 🥕Secrets Policy Settings
  • Code Risks
    • 🎼Static Application Security Testing (SAST)
      • Custom SAST Rules
    • 🧩Software Composition Analysis (SCA)
    • 🔡3rd Party Package Licenses
      • Override License Classifications
    • 🤹3rd Party Package Reputation
      • Identifying Low Rep Packages
      • How to Find Alternative Packages
    • ⛅Infrastructure as Code Security
    • 🤖Code Risk Policy Settings
      • Developer Feedback On Push
      • Require Review Before Dismissal
      • 0 New High Severity Vulnerabilities
      • Enforce Remediation SLA
    • 🪄Code Risk Magic Links
    • 📦Code Risk Language and Framework Support
  • Platform Operations
    • 🚪Joining an Existing Org
    • ❌Deleting a Tenant
    • 🫂How do I invite members to my tenant?
      • New User Invitations
    • 👥Users & Roles
    • 🔇Deleting Integrations
    • ⌛Scheduled Jobs
      • How often do Jobs run?
    • 💸Billing
  • Security
    • 🎮Role Based Access Control (RBAC)
    • 🛡️Data Handling
    • 🏛️SSO Integration
      • Okta Integration
      • Entra ID Integration
Powered by GitBook
On this page
  • Summary
  • Secret validation capabilities
  • Secret validation types
  • Excluded secrets and paths

Was this helpful?

  1. Hardcoded Secrets

Secret Detection

Summary

Arnica detects hardcoded secrets within all commits of each source code repository it scans, and defines the risk severity for each secret Identified. The risk severity is determined using Arnica's native validation logic or in the case of custom secrets, the severity is defined within the customer's custom regex detectors.

Secret validation capabilities

Arnica maintains a library of validators used to determine the validity, risk level and exploitability of each hardcoded secret. Once a secret has been identified and validated output from these validators is used to determine the severity and priority of the secret.

Secret validation types

Arnica provides 3 primary validation outcomes, as described below.

Valid

Arnica performs various validation actions to identify the validity of each secret, such as authenticating with the identified credentials, non-intrusive fuzzing, querying DNS, and executing brute force attacks against offline resources (e.g. encrypted private keys).

Each secret type has a range of severities. For example, an encrypted private key would be classified as a medium severity, but if Arnica managed to brute force the passphrase to this encrypted private key, the secret will be classified as a high risk.

Invalid

Based on the validation logic explained above, it might be determined that a secret is no longer valid. For example, if the client id and secret of given AWS credentials cannot be used to successfully authenticate, Arnica will determine that the secret is invalid.

In most cases, invalid secrets would be classified as info severity.

None

While Arnica has many hardcoded secret validation types, certain secrets don't have validators, such as generic API keys - high entropy strings that can be potentially used to authenticate to various services.

The risk severity for such secrets will always be classified as unknown, as they require manual validation. Custom regex secrets defined by customers will have a pre-defined severity as specified in the regex configuration.

Excluded secrets and paths

False positive hardcoded secrets tend to be identified in many forked repositories, known test paths and file names.

Arnica includes pre-defined excluded paths and file names that are skipped in the detection and issue creation process. These files and paths can be configured or deleted in the policies page under the secrets configurations section.

PreviousPrioritization & Product OwnershipNextRealtime Secret Mitigation

Last updated 7 months ago

Was this helpful?

🕵️