Secrets Scanning

You can use Code Security to detect and block secrets in files in your IDEs, VCS repositories, and CI/CD pipelines.
A secret is a programmatic access key that provides systems with access to information, services or assets. Developers use secrets such as API keys, encryption keys, OAuth tokens, certificates, PEM files, passwords, and passphrases to enable their application to securely communicate with other cloud services.
For identifying secrets, Prisma Cloud provides default policies that use domain-specific and generic syntax to match on specific signatures and patterns to validate the likelihood or entropy of a string being a secret. You can view the scan results directly on
Code Security > Projects
, on the CLI if using Checkov, or in the IDE such as VSCode.

Validate Secrets

When scanning for secrets, Prisma Cloud can validate secrets against public APIs to verify if the secret is still active so that you can prioritize and handle exposed secrets quickly.
By default the validation of secrets is disabled and you can choose to enable the validation for secrets scan from
Settings > Code Security Configuration > Validate Secrets
Additionally, you can choose to run Checkov on your repositories to filter valid secrets that may be potentially exposed. To see a list of potentially exposed secrets you need to add an environment variable CKV_VALIDATE_SECRETS=true after enabling Validate Secrets.
In this example, you see a secret that is valid and requires to be prioritized in the repository after running Checkov on the terminal.
You can see the scan results of secrets after validation on
Projects > Secrets
and then use
Resource Explorer
to prioritize a valid secret by either a
or by performing a
Manual Fix
on the secret.

Suppress Secret Notifications

By suppressing a notification for secrets you are choosing to no longer receive any information on a violation related to the suppressed secret. To suppress a notification you are required to define a suppression rule by adding a justification with an expiration time.
  1. Select
    Code Security > Projects > Secrets
  2. Configure a suppression rule for a secret.
    1. Select a secret and then
      In this example, AWS Secret Keys are invalid in GitHub actions repository.
    2. Add a
      with the
      Expiration Time
      Optionally, you can choose a
      Manual Fix
      to resolve the secret violation.
  3. Select

Recommended For You