Secrets Analyzers [BETA]
This feature is currently in beta.
Two Slack API keys may seem to offer the same access, but their associated permissions can differ significantly. If a secret with the permission `read:profile` is exposed, it will cause less harm than a secret with `read:everything`. It's important to share this information with users so they can prioritize their remediation efforts.
The Secrets Analyzer feature offers additional context on detected secrets, including their roles and permissions, as well as relevant contextual information such as ownership and perimeter when found. This helps security teams evaluate the potential impact of a secret incident and effectively prioritize their remediation efforts.
Understanding the context of a secret is a game changer for assessing the impact of a secret incident, as it directly correlates to the possible damages in the event of a breach.
Activate the feature
The feature is not activated by default. To enable it, navigate to Settings > Secrets > General.
Once activated, the analyzer immediately runs on new incidents as well as on existing ones.
Helping Prioritize with a Built-in Saved View: Critical Scopes
To help you quickly identify incidents involving secrets with permissions that require your immediate attention, we provide the built-in saved view Critical Scopes. This view filters for the most critical permissions associated with the analyzers we currently implement.
In the future, we will update this saved view to include additional permissions as we add more analyzers.
What permissions does this saved view encompass?
GitHub PAT Fine Grained
# Repo permissions
Administration: Read, ReadWrite
Contents: Read, ReadWrite
Environments: Read, ReadWrite
Secret scanning alerts: Read, ReadWrite
Secrets: Read, ReadWrite
# Account permissions
Codespaces user secrets: Read, ReadWrite
GPG keys: Read, ReadWrite
Git SSH keys: Read, ReadWrite

GitHub PAT Classic
admin:org
repo
write:packages
write:org
delete:packages
read:org
admin:public_key
admin:org_hook
delete_repo
admin:enterprise
admin:gpg_key
admin:ssh_signing_key

GitLab PAT
api
read_repository
read_api
admin_mode
sudo

Stripe
credit_note_read
credit_note_write
coupon_read
promotion_code_read
terminal_reader_read
terminal_reader_write
secret_write
token_read
token_write
transfer_read
transfer_write
charge_read
charge_write
apple_pay_domain_read
apple_pay_domain_write
terminal_connection_token_write
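As an added example (not GitGuardian's code), the following Python ranks incidents by how many of their analyzer-reported permissions fall in the Critical Scopes list above, covering the GitHub and GitLab entries. The detector names, the incident dictionary shape and the ranking rule are assumptions; the GitHub classic scope hierarchy follows GitHub's published scope nesting.

```python
# Added example (not GitGuardian's code): rank secret incidents by how many
# analyzer-reported permissions fall in the "Critical Scopes" saved view.
# Detector names, incident dicts and the ranking rule are assumptions.

# Critical scopes copied from the lists above (GitHub classic, GitLab).
CRITICAL_FLAT = {
    "github_pat_classic": {
        "admin:org", "repo", "write:packages", "write:org", "delete:packages",
        "read:org", "admin:public_key", "admin:org_hook", "delete_repo",
        "admin:enterprise", "admin:gpg_key", "admin:ssh_signing_key"},
    "gitlab_pat": {"api", "read_repository", "read_api", "admin_mode", "sudo"},
}
# Fine-grained permissions are critical at either access level (Read, ReadWrite).
CRITICAL_FINE_GRAINED = {
    "Administration", "Contents", "Environments", "Secret scanning alerts",
    "Secrets", "Codespaces user secrets", "GPG keys", "Git SSH keys"}
# GitHub classic scopes are hierarchical: a parent grants all of its children,
# so a token holding only "admin:org" effectively also has "read:org".
CLASSIC_CHILDREN = {
    "repo": {"repo:status", "repo_deployment", "public_repo", "repo:invite",
             "security_events"},
    "admin:org": {"write:org"}, "write:org": {"read:org"},
    "admin:public_key": {"write:public_key"}, "write:public_key": {"read:public_key"},
    "admin:gpg_key": {"write:gpg_key"}, "write:gpg_key": {"read:gpg_key"},
    "admin:ssh_signing_key": {"write:ssh_signing_key"},
    "write:ssh_signing_key": {"read:ssh_signing_key"},
    "write:packages": {"read:packages"},
}

def expand_classic(scopes):
    """Close a classic-scope set under the parent -> child hierarchy."""
    seen, stack = set(), list(scopes)
    while stack:
        scope = stack.pop()
        if scope not in seen:
            seen.add(scope)
            stack.extend(CLASSIC_CHILDREN.get(scope, ()))
    return seen

def critical_scopes(detector, scopes):
    """Return the sorted subset of a secret's permissions that the view flags."""
    if detector == "github_pat_classic":
        return sorted(expand_classic(scopes) & CRITICAL_FLAT[detector])
    if detector == "github_pat_fine_grained":
        # Analyzer output looks like "Contents: ReadWrite"; keep the permission name.
        return sorted(p for p in scopes
                      if p.split(":", 1)[0].strip() in CRITICAL_FINE_GRAINED)
    return sorted(set(scopes) & CRITICAL_FLAT.get(detector, set()))

def prioritize(incidents):
    """Order incidents so the ones exposing the most critical scopes come first."""
    ranked = [(i["id"], critical_scopes(i["detector"], i["scopes"])) for i in incidents]
    return sorted(ranked, key=lambda r: (-len(r[1]), r[0]))
```

Extending the Stripe, Slack or database analyzers is a matter of adding their critical entries to `CRITICAL_FLAT`; the ranking logic is unchanged.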
New Filters for Navigating Incidents with Discovered Permissions
The Secret Scopes filter enables you to filter incidents based on the permissions associated with your secret. This lets you quickly identify incidents involving secrets with the most impactful permissions.
Additionally, the Secret Analyzer filter lets you filter incidents by their analyzer status, such as "Successful" and "Failed."
Current Analyzers
- GitHub PAT Fine Grained
- GitHub PAT Classic
- GitLab PAT
- Stripe
- PostgreSQL
- Slack Bot Token
- BitBucket App Password
- BitBucket Access Token
- MySQL URI