Secrets Scanning
Prisma Cloud Enterprise Edition
You can use Application Security to detect and block secrets in files in your IDEs, VCS repositories, and CI/CD pipelines.
A secret is a programmatic access key that provides systems with access to information, services or assets. Developers use secrets such as API keys, encryption keys, OAuth tokens, certificates, PEM files, passwords, and passphrases to enable their application to securely communicate with other cloud services.
To identify secrets, Prisma Cloud provides default policies that match on domain-specific signatures (the known formats of provider keys) and on generic patterns, and that use the entropy of a matched string to estimate the likelihood that it is a secret rather than a placeholder. You can view the scan results directly on Application Security > Projects, on the CLI if you use Checkov, or in an IDE such as VSCode.
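The two detection techniques described above, signature matching and entropy scoring, as an added example. This is illustrative code written for this page, not Prisma Cloud's or Checkov's policy implementation; the signature regexes, the generic key-name pattern, the 3.5 bits/character threshold and the sample file lines are all constructed here (the AWS key is AWS's documented example value, not a live credential).

```python
import math
import re
from dataclasses import dataclass

# Domain-specific signatures: provider key formats with a fixed prefix and length.
# Constructed for this example; they are not Prisma Cloud's policy definitions.
SIGNATURES = {
    "AWS Access Key ID": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
    "GitHub Token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "Slack Token": re.compile(r"\bxox[baprs]-[A-Za-z0-9-]{10,}\b"),
    "Private Key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
}

# Generic pattern: an assignment whose name looks secret-like and whose value is a
# token of 16+ characters. Entropy then decides whether the value is worth reporting.
GENERIC = re.compile(
    r"(?i)(?P<name>[a-z0-9_.-]*(?:secret|password|passwd|token|api[_-]?key|access[_-]?key)[a-z0-9_.-]*)"
    r"\s*[:=]\s*['\"]?(?P<value>[A-Za-z0-9+/=_\-]{16,})['\"]?"
)

# Bits per character below which a generic match is treated as a placeholder, not a secret.
# The threshold is an assumption chosen for this example.
ENTROPY_THRESHOLD = 3.5


def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits per character; equals log2(len(s)) when every character is distinct."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


@dataclass
class Finding:
    line_no: int
    kind: str
    secret: str
    entropy: float


def scan_lines(lines):
    """Signature matches always fire; generic matches fire only above the entropy threshold."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        covered = []
        for kind, pattern in SIGNATURES.items():
            for m in pattern.finditer(line):
                covered.append(m.group(0))
                findings.append(Finding(line_no, kind, m.group(0), shannon_entropy(m.group(0))))
        m = GENERIC.search(line)
        if m:
            value = m.group("value")
            # Do not double-report a value already caught by a provider signature.
            if any(value in c or c in value for c in covered):
                continue
            ent = shannon_entropy(value)
            if ent >= ENTROPY_THRESHOLD:
                findings.append(Finding(line_no, "Generic High-Entropy Secret", value, ent))
    return findings


# Constructed sample file content for the demo (not real credentials).
SAMPLE_LINES = [
    'aws_access_key_id = AKIAIOSFODNN7EXAMPLE',
    'db_password = "hunter2"',                        # too short for the generic pattern
    'api_key: "Zk7pQ2xR9vL4mN8bT1wY6cJ3hF5dG0sA"',    # 32 distinct characters: entropy 5.0
    'password = "aaaaaaaaaaaaaaaaaaaa"',              # long but entropy 0.0: a placeholder
    'release_name = "v1.2.3-production-build"',      # no secret-like name, no signature
]


def scan_sample():
    return scan_lines(SAMPLE_LINES)


if __name__ == "__main__":
    for f in scan_sample():
        print(f"line {f.line_no}: {f.kind} ({f.entropy:.2f} bits/char): {f.secret}")
```

Running the block reports two findings: the AWS key on line 1 (signature hit, reported regardless of entropy) and the high-entropy API key on line 3. The `hunter2` and all-`a` values are not reported, which is the trade-off entropy scoring makes: short or low-entropy real passwords are missed in exchange for far fewer false positives on placeholders and version strings.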
Validate Secrets
When scanning for secrets, Prisma Cloud can validate secrets against public APIs to verify whether a secret is still active, so that you can prioritize and handle exposed secrets quickly.
By default, validation of secrets is disabled. You can enable it from Settings > Application Security Configuration > Validate Secrets. Additionally, you can run Checkov on your repositories to filter for valid secrets that may be exposed: after enabling Validate Secrets, set the environment variable CKV_VALIDATE_SECRETS=true to see the list of potentially exposed secrets.
In this example, Checkov run from the terminal reports a secret that is valid and therefore needs to be prioritized in the repository.

You can see the validated secrets scan results on Projects > Secrets and then use Resource Explorer to triage a valid secret, either by suppressing it or by performing a Manual Fix on it.
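The validation and prioritization step described above, as an added example of how a validator can be built. This is illustrative code for this page, not the Prisma Cloud or Checkov validator: the provider probes (GitHub's `GET /user`, Slack's `auth.test`), the valid/invalid/unknown outcome classes, the priority order and the canned responses in `FAKE_RESPONSES` are all assumptions constructed here so the block runs offline. Note the edge case the Slack probe handles: some APIs return HTTP 200 for a revoked token and only signal the failure in the response body, so status-code-only validation would mark a dead token as live.

```python
import json
import urllib.error
import urllib.request
from enum import Enum


class Status(Enum):
    VALID = "valid"        # provider accepted the credential: rotate it immediately
    INVALID = "invalid"    # provider rejected it: already revoked, lower priority
    UNKNOWN = "unknown"    # no probe for this kind, network failure or ambiguous answer


# Probe definitions are assumptions for this example. Each returns a prepared request
# and a classifier over (http_status, body_text).
def github_probe(token):
    req = urllib.request.Request(
        "https://api.github.com/user",
        headers={"Authorization": f"Bearer {token}", "User-Agent": "secrets-validator-example"},
    )

    def classify(status, _body):
        if status == 200:
            return Status.VALID
        if status == 401:          # "Bad credentials"
            return Status.INVALID
        return Status.UNKNOWN      # 403 can be rate limiting; never read it as "revoked"

    return req, classify


def slack_probe(token):
    req = urllib.request.Request(
        "https://slack.com/api/auth.test",
        headers={"Authorization": f"Bearer {token}"},
        method="POST",
    )

    def classify(status, body):
        # Slack answers HTTP 200 even for bad tokens; validity is in the JSON body.
        if status != 200:
            return Status.UNKNOWN
        try:
            payload = json.loads(body)
        except ValueError:
            return Status.UNKNOWN
        if payload.get("ok"):
            return Status.VALID
        if payload.get("error") in ("invalid_auth", "token_revoked", "account_inactive"):
            return Status.INVALID
        return Status.UNKNOWN

    return req, classify


PROBES = {"GitHub Token": github_probe, "Slack Token": slack_probe}


def live_send(req):
    """Real sender. Every call uses the credential, so expect it in the provider's audit log."""
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")
    except (urllib.error.URLError, TimeoutError, OSError):
        return None, ""


def validate(kind, secret, send=live_send):
    probe = PROBES.get(kind)
    if probe is None:              # no probe for this secret type: cannot clear it
        return Status.UNKNOWN
    req, classify = probe(secret)
    status, body = send(req)
    if status is None:
        return Status.UNKNOWN
    return classify(status, body)


# Unknown sorts ahead of invalid: a secret you could not check is treated as live until proven otherwise.
PRIORITY = {Status.VALID: 0, Status.UNKNOWN: 1, Status.INVALID: 2}


def prioritize(findings, send=live_send):
    """findings: list of (kind, secret). Returns (kind, secret, status) tuples, most urgent first."""
    results = [(kind, secret, validate(kind, secret, send)) for kind, secret in findings]
    return sorted(results, key=lambda r: PRIORITY[r[2]])


# Offline stand-in for live_send: constructed responses keyed by token (not real tokens).
FAKE_RESPONSES = {
    "ghp_" + "r" * 36: (401, '{"message":"Bad credentials"}'),
    "xoxb-live-example-token": (200, '{"ok":true,"team":"example"}'),
    "xoxb-dead-example-token": (200, '{"ok":false,"error":"invalid_auth"}'),
}


def fake_send(req):
    token = (req.get_header("Authorization") or "").split(" ", 1)[-1]
    return FAKE_RESPONSES.get(token, (None, ""))   # unknown token behaves like a network failure


SAMPLE_FINDINGS = [
    ("GitHub Token", "ghp_" + "r" * 36),
    ("Slack Token", "xoxb-live-example-token"),
    ("Slack Token", "xoxb-dead-example-token"),
    ("AWS Access Key ID", "AKIAIOSFODNN7EXAMPLE"),   # no probe defined here
    ("GitHub Token", "ghp_" + "t" * 36),             # probe times out
]


def demo():
    return prioritize(SAMPLE_FINDINGS, send=fake_send)


if __name__ == "__main__":
    for kind, secret, status in demo():
        print(f"{status.value:8} {kind}: {secret[:12]}...")
```

Replace `fake_send` with the default `live_send` to validate against the real endpoints. Two practitioner caveats apply to any validator of this shape: probing sends the secret to the provider, so only probe endpoints that are read-only and side-effect free, and a probe that returns "invalid" does not mean the secret was never used before it was revoked, so the history of its exposure still needs review.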
Git History for Secrets
Secrets deleted from a file can still be found in the git history of the repository and abused. Prisma Cloud can search through git history for those secrets and notify you even when the secret is no longer in the most recent commit. Deleting a secret from the working tree does not revoke it: rotate the credential as well as removing it.
By default, git history scanning is disabled. You can enable it from Settings > Application Security Configuration > Scan Git History for Secrets. Results of secrets scanning show up on the Projects page.
Git history scanning through the VCS integrations is only supported for repositories up to 4GB in size.
Additionally, you can scan your git history locally with Checkov, without saving the results to the Prisma Cloud platform, by using the --scan-secrets-history flag. By default there is no timeout; you can set one with --secrets-history-timeout TIME. Scans are performed in chunks, and partial scans of chunks are not saved.
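What git history scanning finds, as an added example: a walk over `git log -p` output that reports a secret both in the commit that introduced it and in the commit that deleted it, so a key that is absent from HEAD is still surfaced. This is illustrative code for this page, not Checkov's --scan-secrets-history implementation; the log text is constructed here (the key is AWS's documented example value), and treating one commit as the unit of work for the timeout, with a partially scanned commit discarded, is this example's approximation of the chunking the text describes.

```python
import re
import time
from dataclasses import dataclass

COMMIT_RE = re.compile(r"^commit ([0-9a-f]{7,40})$")
PATH_RE = re.compile(r"^(?:\+\+\+ b/|--- a/)(.*)$")
# One signature is enough for the walk; a real scanner would run its full policy set here.
AWS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")


@dataclass
class HistoryHit:
    commit: str
    path: str
    secret: str
    removed: bool   # True: the line was deleted in this commit, so the secret still lives in its parent


def scan_history(log_text, timeout=None):
    """Scan `git log -p` text commit by commit. Returns (hits, complete).

    With a timeout, the walk stops at the next commit boundary once the deadline has
    passed; hits from fully scanned commits are returned and complete is False.
    """
    hits, commit, path = [], None, None
    deadline = None if timeout is None else time.monotonic() + timeout
    for line in log_text.splitlines():
        m = COMMIT_RE.match(line)
        if m:
            if deadline is not None and time.monotonic() >= deadline:
                return hits, False
            commit, path = m.group(1), None
            continue
        m = PATH_RE.match(line)
        if m:
            path = m.group(1)
            continue
        # Only added/removed diff lines carry content; skip headers, context and metadata.
        if not line or line[0] not in "+-" or line.startswith(("+++", "---")):
            continue
        for km in AWS_KEY_RE.finditer(line[1:]):
            hits.append(HistoryHit(commit, path, km.group(0), removed=line[0] == "-"))
    return hits, True


# Constructed `git log -p` output (newest commit first): a key was committed, then "removed".
SAMPLE_LOG = """\
commit 2222222222222222222222222222222222222222
Author: Dev <dev@example.com>
Date:   Tue Jan 2 00:00:00 2024 +0000

    remove hardcoded key

diff --git a/config.env b/config.env
index 0a1b2c3..4d5e6f7 100644
--- a/config.env
+++ b/config.env
@@ -1,2 +1,2 @@
-AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
+AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID}
 REGION=us-east-1
commit 1111111111111111111111111111111111111111
Author: Dev <dev@example.com>
Date:   Mon Jan 1 00:00:00 2024 +0000

    add config

diff --git a/config.env b/config.env
new file mode 100644
index 0000000..0a1b2c3
--- /dev/null
+++ b/config.env
@@ -0,0 +1,2 @@
+AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
+REGION=us-east-1
"""


def scan_sample_history():
    return scan_history(SAMPLE_LOG)


if __name__ == "__main__":
    found, complete = scan_sample_history()
    for h in found:
        verb = "removed in" if h.removed else "added in"
        print(f"{h.secret} {verb} {h.commit[:7]} ({h.path})")
    print("complete" if complete else "partial scan")
```

To run it against a real repository, feed it the output of `git log -p --all` (the `--all` matters: a secret that was only ever on a deleted branch is still reachable through reflog and remote refs until garbage-collected). The "removed" hit is the important one for triage: the commit that deleted the key is exactly the commit whose parent still exposes it, and it is reachable by anyone with clone access.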
Suppress Secret Notifications
By suppressing a notification for a secret, you choose to no longer receive information on violations related to that secret. To suppress a notification, define a suppression rule by adding a justification with an expiration time.
- Select Application Security > Projects > Secrets.
- Configure a suppression rule for a secret.
- Select a secret and then Suppress. In this example, the AWS Secret Keys found in a GitHub Actions repository are invalid.
- Add a Justification with the Expiration Time. Optionally, you can choose a Manual Fix to resolve the secret violation.
- Select Save.