1. Home
    2. Prisma
    3. Prisma Cloud
    4. Prisma Cloud Code Security
    5. Scan and Monitor
    6. Secrets Scanning

    Secrets Scanning

    You can use Code Security to detect and block secrets in files in your IDEs, VCS repositories, and CI/CD pipelines.
    A secret is a programmatic access key that provides systems with access to information, services or assets. Developers use secrets such as API keys, encryption keys, OAuth tokens, certificates, PEM files, passwords, and passphrases to enable their application to securely communicate with other cloud services.
    For identifying secrets, Prisma Cloud provides default policies that use domain-specific and generic syntax to match on specific signatures and patterns to validate the likelihood or entropy of a string being a secret. You can view the scan results directly on
    Code Security > Projects
    , on the CLI if using Checkov, or in the IDE such as VSCode.

    Validate Secrets

    When scanning for secrets, Prisma Cloud can validate secrets against public APIs to verify if the secret is still active so that you can prioritize and handle exposed secrets quickly.
    By default the validation of secrets is disabled and you can choose to enable the validation for secrets scan from
    Settings > Code Security Configuration > Validate Secrets
    .
    Additionally, you can choose to run Checkov on your repositories to filter valid secrets that may be potentially exposed. To see a list of potentially exposed secrets you need to add an environment variable CKV_VALIDATE_SECRETS=true after enabling Validate Secrets.
    In this example, you see a secret that is valid and requires to be prioritized in the repository after running Checkov on the terminal.
    You can see the scan results of secrets after validation on
    Projects > Secrets
     and then use
    Resource Explorer
     to prioritize a valid secret by either a
    Suppress
     or by performing a
    Manual Fix
     on the secret.

    Suppress Secret Notifications

    By suppressing a notification for secrets you are choosing to no longer receive any information on a violation related to the suppressed secret. To suppress a notification you are required to define a suppression rule by adding a justification with an expiration time.
    1. Select
      Code Security > Projects > Secrets
      .
    2. Configure a suppression rule for a secret.
      1. Select a secret and then
        Suppress
        .
        In this example, AWS Secret Keys are invalid in GitHub actions repository.
      2. Add a
        Justification
         with the
        Expiration Time
        .
        Optionally, you can choose a
        Manual Fix
         to resolve the secret violation.
    3. Select
      Save
      .

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2023 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo