Secrets Analyzers [BETA]

caution

This feature is currently in beta.

Two Slack API keys may seem to offer the same access, but their associated permissions can differ significantly. If a secret with the permission read:profile is exposed, it will cause less harm than a secret with read:everything. It's important to share this information with users so they can prioritize their remediation efforts.

The Secrets Analyzer feature offers additional context on detected secrets, including their roles and permissions, as well as contextual information such as ownership and perimeter where available. This helps security teams evaluate the potential impact of a secret incident and effectively prioritize their remediation efforts.

Understanding the context of a secret is a game changer for assessing the impact of a secret incident, as it directly correlates to the possible damages in the event of a breach.

Activate the feature

The feature is not activated by default.

To enable it, navigate to Settings > Secrets > General.

Once activated, the analyzer immediately runs on new incidents as well as on existing ones.

Helping Prioritize with a Built-in Saved View: Critical Scopes

To help you quickly identify incidents involving secrets with permissions that require your immediate attention, we provide the built-in saved view Critical Scopes. This view filters for the most critical permissions associated with the analyzers we currently implement.

In the future, we will update this saved view to include additional permissions as we add more analyzers.

Secrets Analyzer Saved View

What permissions does this saved view encompass?
  • GitHub PAT Fine Grained

    # Repo permissions
    Administration: Read, ReadWrite
    Contents: Read, ReadWrite
    Environments: Read, ReadWrite
    Secret scanning alerts: Read, ReadWrite
    Secrets: Read, ReadWrite

    # Account permissions
    Codespaces user secrets: Read, ReadWrite
    GPG keys: Read, ReadWrite
    Git SSH keys: Read, ReadWrite
  • GitHub PAT Classic

    admin:org
    repo
    write:packages
    write:org
    delete:packages
    read:org
    admin:public_key
    admin:org_hook
    delete_repo
    admin:enterprise
    admin:gpg_key
    admin:ssh_signing_key
  • GitLab PAT

    api
    read_repository
    read_api
    admin_mode
    sudo
  • Stripe

    credit_note_read
    credit_note_write
    coupon_read
    promotion_code_read
    terminal_reader_read
    terminal_reader_write
    secret_write
    token_read
    token_write
    transfer_read
    transfer_write
    charge_read
    charge_write
    apple_pay_domain_read
    apple_pay_domain_write
    terminal_connection_token_write

New Filters for Navigating Incidents with Discovered Permissions

The Secret Scopes filter enables you to filter incidents based on the permissions associated with your secret. This lets you quickly identify incidents involving secrets with the most impactful permissions.

Additionally, the Secret Analyzer lets you filter incidents by their analyzer statuses, such as "Successful" and "Failed."

Secrets Analyzer Filters
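The following script reproduces, outside the platform, the triage logic that the Critical Scopes saved view and the Secret Scopes / analyzer-status filters apply: it flags which discovered permissions fall into the critical lists above and ranks incidents accordingly. It is an added example, not GitGuardian code; the incident record layout (id, analyzer, status, scopes) and the sample incidents are constructed for illustration and do not reflect the real API format.

```python
# Critical permissions as listed in the Critical Scopes view above, keyed by
# analyzer and lower-cased. Fine-grained GitHub permissions are stored by name
# only, since the page lists both Read and ReadWrite for each of them.
CRITICAL_SCOPES = {
    "GitHub PAT Fine Grained": {
        "administration", "contents", "environments", "secret scanning alerts",
        "secrets", "codespaces user secrets", "gpg keys", "git ssh keys"},
    "GitHub PAT Classic": {
        "admin:org", "repo", "write:packages", "write:org", "delete:packages", "read:org",
        "admin:public_key", "admin:org_hook", "delete_repo", "admin:enterprise",
        "admin:gpg_key", "admin:ssh_signing_key"},
    "GitLab PAT": {"api", "read_repository", "read_api", "admin_mode", "sudo"},
    "Stripe": {
        "credit_note_read", "credit_note_write", "coupon_read", "promotion_code_read",
        "terminal_reader_read", "terminal_reader_write", "secret_write", "token_read",
        "token_write", "transfer_read", "transfer_write", "charge_read", "charge_write",
        "apple_pay_domain_read", "apple_pay_domain_write", "terminal_connection_token_write"},
}

def critical_scopes(analyzer: str, scopes: list[str]) -> set[str]:
    """Return the scopes of one incident that the Critical Scopes view would match."""
    critical = CRITICAL_SCOPES.get(analyzer, set())  # analyzers not in the view match nothing
    hits: set[str] = set()
    for scope in scopes:
        name = scope.strip().lower()
        if analyzer == "GitHub PAT Fine Grained":
            # "Contents:ReadWrite" -> name "contents", level "readwrite"; both levels count
            name, _, level = (part.strip() for part in name.partition(":"))
            if level not in {"read", "readwrite"}:
                continue
        if name in critical:
            hits.add(name)
    return hits

def prioritize(incidents: list[dict]) -> list[tuple[int, str, list[str]]]:
    """Rank incidents: most critical scopes first; failed analyzers (no scope data) last."""
    ranked = []
    for inc in incidents:
        hits = critical_scopes(inc["analyzer"], inc["scopes"]) if inc["status"] == "Successful" else set()
        ranked.append((inc["id"], inc["status"], sorted(hits)))
    return sorted(ranked, key=lambda r: (r[1] != "Successful", -len(r[2]), r[0]))

# Constructed sample incidents (ids, scopes and field names are illustrative only).
SAMPLE_INCIDENTS = [
    {"id": 101, "analyzer": "GitHub PAT Classic", "status": "Successful", "scopes": ["read:user", "gist"]},
    {"id": 102, "analyzer": "GitHub PAT Fine Grained", "status": "Successful",
     "scopes": ["Contents:ReadWrite", "Metadata:Read", "Secrets:Read"]},
    {"id": 103, "analyzer": "Stripe", "status": "Successful", "scopes": ["charge_write", "customer_read", "token_write"]},
    {"id": 104, "analyzer": "GitLab PAT", "status": "Failed", "scopes": []},
]
```

Running `prioritize(SAMPLE_INCIDENTS)` puts the two incidents with critical scopes first, then the one whose scopes are harmless, and last the incident whose analyzer failed, since its blast radius is still unknown and needs manual review.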

Current Analyzers

  • GitHub PAT Fine Grained
  • GitHub PAT Classic
  • GitLab PAT
  • Stripe
  • PostgreSQL
  • Slack Bot Token
  • BitBucket App Password
  • BitBucket Access Token
  • MySQL URI