Static analysis secrets scanning
When enabled, AppScan on Cloud scans source code and configuration files for secrets: sensitive information such as usernames, passwords, authentication tokens, credit card numbers, Social Security Numbers (SSN), and the credentials specific to the platforms and providers listed below.
Secrets scanning is enabled and disabled at the organization level. However, individual scans can override the organization-level setting using the secrets-related `appscan prepare` or `appscan.sh prepare` options:

- When secrets are enabled at the organization level:
  - Use `-ds, --disableSecrets` with `appscan prepare` or `appscan.sh prepare` to disable secrets scanning.
  - Use `-so, --secretsOnly` with `appscan prepare` or `appscan.sh prepare` to scan for secrets only when running a source code-only scan.
- When secrets are disabled at the organization level:
  - Use `-es, --enableSecrets` or `-so, --secretsOnly` with `appscan prepare` or `appscan.sh prepare` to enable secrets scanning.
  - Use `-so, --secretsOnly` with `appscan prepare` or `appscan.sh prepare` to scan for secrets only when running a source code-only scan.
AppScan on Cloud supports scanning of secrets for the following platforms and providers:
| Provider/Platform | Secret |
|---|---|
| Alibaba Cloud | alibaba_cloud_access_key_id |
| Alibaba Cloud | alibaba_cloud_access_key_secret |
| AWS | aws_access_key_id |
| AWS | aws_secret_access_key |
| AWS | aws_session_token |
| Atlassian | atlassian_api_token |
| Atlassian | atlassian_jwt |
| Azure | azure_cosmosdb_key_identifiable |
| Azure | Azure CosmosDB connection string |
| Azure | azure_devops_personal_access_token |
| Azure | azure_sas_token |
| Azure | azure_search_admin/query_key |
| Azure | azure_sql_connection_string |
| Azure | azure_storage_account_key |
| Azure | Azure storage account connection string |
| Databricks | databricks_access_token |
| GitHub | github_oauth_access_token |
| GitHub | github_personal_access_token |
| GitHub | github_refresh_token |
| Google Cloud | google_api_key |
| Google Cloud | google_cloud_private_key_id |
| HashiCorp | Hard-coded HashiCorp Vault tokens |
| HashiCorp | AppRole authentication (RoleID and SecretID) formats |
| OpenAI | openai_api_key |
| Stripe | stripe_live_restricted_key |
| Stripe | stripe_live_secret_key |
| Stripe | stripe_test_restricted_key |
| Stripe | stripe_test_secret_key |
| MongoDB | API authentication |
| MongoDB | Connection URL |
| Jenkins | Jenkins password/passphrase |
Note: To scan for secrets when scanning Java or .NET, you must apply the `sourceCodeOnly` option. ASoC will not scan for secrets against Java bytecode (`.jar`/`.war`/`.ear`/`.class` files) or .NET assemblies (`.dll`/`.exe` files).
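The override rules above and the Java/.NET note can be encoded once in a CI wrapper so a scan never silently skips secrets. The following is an added example, not HCL's own code: it assumes the organization-level setting is passed in as `enabled` or `disabled`, that the source-code-only option is spelled `--sourceCodeOnly` in its long form, and it only prints the arguments rather than invoking `appscan.sh`.

```shell
#!/bin/sh
# Added example (not part of the AppScan documentation or the product).
# Assumptions: ORG is "enabled"/"disabled" as set at the organization level;
# MODE is default|off|on|secrets-only for this scan; LANG is java|dotnet|other;
# the long form of the source-code-only option is --sourceCodeOnly.

# secrets_active ORG MODE: returns 0 when the resulting scan looks for secrets,
# applying the org-level default plus the per-scan override rules.
secrets_active() {
  case "$1:$2" in
    enabled:default|enabled:on|disabled:on|*:secrets-only) return 0 ;;
    *) return 1 ;;
  esac
}

# build_prepare_args ORG MODE LANG: prints the secrets-related arguments to
# pass to `appscan.sh prepare` (empty when the org setting already matches).
build_prepare_args() {
  org="$1"; mode="$2"; lang="$3"; args=""
  case "$org:$mode" in
    enabled:off)     args="--disableSecrets" ;;   # -ds: override org "enabled"
    disabled:on)     args="--enableSecrets" ;;    # -es: override org "disabled"
    *:secrets-only)  args="--secretsOnly" ;;      # -so: secrets, nothing else
    enabled:default|enabled:on|disabled:default|disabled:off) ;;  # nothing to add
    *) echo "unknown org/mode combination: $org/$mode" >&2; return 1 ;;
  esac
  # Java and .NET are secrets-scanned only in source-code-only mode (bytecode
  # and assemblies are never scanned for secrets), and --secretsOnly is
  # documented for source code-only scans, so request that mode explicitly.
  if secrets_active "$org" "$mode"; then
    case "$lang:$mode" in
      java:*|dotnet:*|*:secrets-only) args="$args${args:+ }--sourceCodeOnly" ;;
    esac
  fi
  printf '%s\n' "$args"
}

# Constructed example: a Java repository in an org where secrets are disabled.
# build_prepare_args disabled on java   -> --enableSecrets --sourceCodeOnly
```

Wire it into a pipeline as `appscan.sh prepare $(build_prepare_args "$ORG" "$MODE" "$LANG") ...`, leaving the remaining `prepare` arguments unchanged.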