
Secrets Scanning

Lacework’s Software Composition Analysis (SCA) tool can detect secrets, such as API tokens, access keys and private keys, that have been committed to your software project files. Finding these before they ship helps keep the security posture and integrity of your software from being compromised.

Lacework’s SCA tool ships with built-in detectors for common secret formats and can also be configured with custom rules to identify and report secrets that match patterns specific to your environment. Secrets scanning helps ensure that credentials checked into a project cannot be picked up and used by unauthorized users or components.

Run SCA to Scan for Secrets

To scan for secrets in your software project, use the -secret flag with your SCA command. Secrets scanning can also be enabled in the configuration file with secret: true, as in the example below.

Create a Custom Scan for Secrets

To create a custom scan for secrets in your code project, for example, to scan for secrets matching a specific path, you must configure the sca.config.yaml file. You can use our example configuration as a template, or create your own.

The sca.config.yaml File

Lacework SCA currently relies on a YAML-based configuration. The advantage of the YAML-based configuration is that you can create custom rules for secrets: each rule is a regular expression that matches a secret pattern your project uses but that the built-in detectors do not cover. In the future, we plan to have a UI-based policy management system.

By default, Lacework SCA looks for the configuration file at the following path: <SCAN_DIR>/.lacework/codesec.yaml

Example Configuration

The following code block is an example configuration that enables secrets scanning and defines one custom secret rule:

```yaml
default:
  sca:
    secret: true
    license-categories-not-allowed: [ forbidden, restricted ]
    custom-secrets:
      - id: rule1
        category: general
        title: Generic Rule
        severity: HIGH
        regex: (?i)(?P<key>(secret))(=|:).{0,5}['"](?P<secret>[0-9a-zA-Z\-_=]{8,64})['"]
```

Note: the license-categories-not-allowed key in the example above belongs to SCA License Scanning; it is not required for secrets scanning.

Create an SCA Secret Scan Configuration

A custom rule for secrets scanning must include the following information:

  • id - an identifier for the rule.
  • category - the string category you create for the rule.
  • title - a name for the rule.
  • severity - the severity assigned to the rule (CRITICAL, HIGH, MEDIUM, LOW, INFO).
  • regex - a Go regular expression used to detect the secret. Go implements RE2 syntax, so lookahead, lookbehind and backreferences are not available; the example rule above uses the named groups key and secret to mark the matched identifier and the captured value.
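Because a custom rule is only as good as its regex, it is worth exercising a rule against sample input before committing it to the configuration. The following Go program is an added example for this page and the example configuration above; it is not Lacework code and does not read codesec.yaml. It compiles rule1 from the example configuration with Go's regexp package (the same RE2 engine the rule field documents) and runs it over constructed sample lines. The Rule and Finding types, Compile, Scan, Rule1 and SampleConfig are this example's own names. The sample lines are chosen to show two behaviours of the rule that are easy to miss: whitespace between secret and the = or : is not allowed by the pattern, and values shorter than eight characters are skipped. It also shows that a Perl-style lookahead is rejected at compile time rather than silently never matching.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Rule mirrors the fields a custom-secrets entry carries in the SCA
// configuration file: id, category, title, severity and a Go (RE2) regex.
type Rule struct {
	ID       string
	Category string
	Title    string
	Severity string
	Regex    string
}

// Finding is one match of a rule: the line it was found on and the values
// captured by the rule's "key" and "secret" named groups.
type Finding struct {
	RuleID string
	Line   int
	Key    string
	Secret string
}

// Compile validates a rule's regex with Go's regexp package. Go implements
// RE2 syntax, so a pattern that uses lookaround or backreferences fails here
// rather than silently never matching at scan time.
func Compile(r Rule) (*regexp.Regexp, error) {
	re, err := regexp.Compile(r.Regex)
	if err != nil {
		return nil, fmt.Errorf("rule %s: %w", r.ID, err)
	}
	return re, nil
}

// Scan runs a compiled rule over file content line by line and returns one
// Finding per match, with the named groups pulled out when the rule has them.
func Scan(r Rule, re *regexp.Regexp, content string) []Finding {
	var findings []Finding
	keyIdx, secretIdx := re.SubexpIndex("key"), re.SubexpIndex("secret")
	for i, line := range strings.Split(content, "\n") {
		for _, m := range re.FindAllStringSubmatch(line, -1) {
			f := Finding{RuleID: r.ID, Line: i + 1}
			if keyIdx >= 0 {
				f.Key = m[keyIdx]
			}
			if secretIdx >= 0 {
				f.Secret = m[secretIdx]
			}
			findings = append(findings, f)
		}
	}
	return findings
}

// Rule1 is the generic rule from the page's example configuration, copied
// verbatim into a Go raw string so the regex needs no extra escaping.
var Rule1 = Rule{
	ID:       "rule1",
	Category: "general",
	Title:    "Generic Rule",
	Severity: "HIGH",
	Regex:    `(?i)(?P<key>(secret))(=|:).{0,5}['"](?P<secret>[0-9a-zA-Z\-_=]{8,64})['"]`,
}

// SampleConfig is constructed input for this example, not a real project
// file. Lines 1, 4 and 6 match rule1; lines 2, 3 and 5 do not: line 2 has
// whitespace between "secret" and "=", which the pattern does not allow,
// line 3 never mentions "secret", and line 5's value is shorter than the
// 8-character minimum. Line 6 shows that a commented-out placeholder still
// matches, so findings need triage.
const SampleConfig = `API_SECRET="Qw3rtyUiop12-abc"
secret = "LongEnoughValue1"
password: 'NotCoveredByRule1'
client_secret: 'aB3dEfGhIjKlMnOp'
secret="abc"
# secret: "example_placeholder_value"`

func main() {
	re, err := Compile(Rule1)
	if err != nil {
		panic(err)
	}
	for _, f := range Scan(Rule1, re, SampleConfig) {
		fmt.Printf("%s (%s) line %d: %s -> %q\n", Rule1.ID, Rule1.Severity, f.Line, f.Key, f.Secret)
	}
	// A Perl-style lookahead is not RE2 and is rejected when the rule is compiled.
	if _, err := Compile(Rule{ID: "bad", Regex: `(?=secret)\w+`}); err != nil {
		fmt.Println("rejected:", err)
	}
}
```

If a rule should tolerate spaces around the separator, widen the pattern (for example (=|:) followed by \s*) rather than relying on the .{0,5} window, which only applies after the separator; and keep the minimum length high enough that placeholder values such as "changeme" do not flood the results.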

Detectable Secrets

The following table details the available secret categories and the secrets they detect:

Category / Detectable Secrets
AWS
  • AWS Access Key ID
  • AWS Secret Access Key
  • AWS Account ID
GitHub
  • GitHub Personal Access Token
  • GitHub OAuth Access Token
  • GitHub App Token
  • GitHub Refresh Token
GitLab
  • GitLab Personal Access Token
AsymmetricPrivateKey
  • Asymmetric Private Key
Shopify
  • Shopify Token
Slack
  • Slack Token
  • Slack Webhook
Google
  • Google Service-account
Stripe
  • Stripe Publishable Key
  • Stripe Secret Key
PyPI
  • PyPI Upload Token
Heroku
  • Heroku API Key
Twilio
  • Twilio API Key
Age
  • Age Secret Key
Facebook
  • Facebook Token
Twitter
  • Twitter Token
Adobe
  • Adobe Client ID (Oauth Web)
  • Adobe Client Secret
Alibaba
  • Alibaba AccessKey ID
  • Alibaba Secret Key
Asana
  • Asana Client ID
  • Asana Client Secret
Atlassian
  • Atlassian API Token
Bitbucket
  • Bitbucket Client ID
  • Bitbucket Client Secret
Beamer
  • Beamer API Token
Clojars
  • Clojars API Token
ContentfulDelivery
  • Contentful Delivery API Token
DATABASE
  • MongoDB connection string
  • MySQL connection string
  • Postgres connection string
Databricks
  • Databricks API Token
Discord
  • Discord API Key
  • Discord Client ID
  • Discord Client Secret
Doppler
  • Doppler API Token
Dropbox
  • Dropbox API Secret/Key
  • Dropbox Short Lived API Token
  • Dropbox Long Lived API Token
Duffel
  • Duffel API Token
Dynatrace
  • Dynatrace API Token
Easypost
  • EasyPost API Token
Fastly
  • Fastly API Token
Finicity
  • Finicity Client Secret
  • Finicity API Token
Flutterwave
  • Flutterwave Public/Secret Key
  • Flutterwave Encrypted Key
Frameio
  • Frame.io API Token
GoCardless
  • GoCardless API Token
Grafana
  • Grafana API Token
HashiCorp
  • HashiCorp Terraform User/Org API Token
HTTP
  • HTTP basic authentication header
  • HTTP bearer authentication header
HubSpot
  • HubSpot API Token
Intercom
  • Intercom API Token
  • Intercom Client Secret/ID
Ionic
  • Ionic API Token
Linear
  • Linear API Token
  • Linear Client Secret/ID
Lob
  • Lob API Key
  • Lob Publishable API Key
Mailchimp
  • Mailchimp API Key
Mailgun
  • Mailgun Private API Token
  • Mailgun Webhook Signing Key
Mapbox
  • Mapbox API Token
MessageBird
  • MessageBird API Token
  • MessageBird API Client ID
NewRelic
  • New Relic User API Key
  • New Relic User API ID
  • New Relic Ingest Browser API Token
Npm
  • npm Access Token
Planetscale
  • PlanetScale Password
  • PlanetScale API Token
Postman
  • Postman API Token
Pulumi
  • Pulumi API Token
RubyGems
  • RubyGems API Token
SendGrid
  • SendGrid API Token
Sendinblue
  • Sendinblue API Token
Shippo
  • Shippo API Token
LinkedIn
  • LinkedIn Client Secret
  • LinkedIn Client ID
Twitch
  • Twitch API Token
Typeform
  • Typeform API Token