Secrets Scanning

You can use Code Security to detect and block secrets in IaC files stored in your IDEs, Git-based VCS, and CI/CD pipelines.
A secret is a programmatic access key that provides systems with access to information, services or assets. Developers use secrets such as API keys, encryption keys, OAuth tokens, certificates, PEM files, passwords, and passphrases to enable their application to securely communicate with other cloud services.
For identifying secrets, Prisma Cloud provides default policies that use domain-specific and generic syntax to match on specific signatures and patterns to validate the likelihood or entropy of a string being a secret. You can view the scan results directly on
Code Security > Projects
, on the CLI if using Checkov, or in the IDE such as VSCode.
The following file types or extensions are scanned for secrets:
  • .yml, .yaml
  • .tf
  • .json
  • .bicep
  • build.gradle
  • build.gradle.kts
  • Dockerfile
  • gradle.properties
  • go.mod
  • go.sum
  • gemfile
  • pipfile.lock
  • requirements.txt
  • pom.xml
  • package.json
  • package-lock.json
  • yarn
  • yarn.lock

Suppress Secret Notifications

You have two ways to suppress notifications for a policy violation. You can either disable a policy or suppress a notification for a specific resource or repository. As an example, you do not want to be notified of a violation for issues on non-production environments, or for resources without specific tags.
  1. Select
    Code Security > Projects
    .
  2. Filter scan results.
    1. Add
      Category
      -
      Secrets
      .
    2. Add
      Status
      :
      Errors
      .
  3. Suppress
    the notification.
    You can select the specific resource, or resources that are assigned a specific tag, or suppress notifications for this policy violation across one or more repositories.

Recommended For You