Secrets Scanning

Keeping hardcoded secrets in your code or in other assets of your organization is a vulnerability that may lead to exploitation. Spectral's secrets scanning helps you avoid hardcoding and sharing secrets in your assets with over 2500 built-in rules, covering certificates, PEM files, API keys, passwords and much more.

Running a Spectral secrets scan is easy:

spectral scan

Or explicitly run the secrets engine:

spectral scan --engines secrets

If you'd like to see more results for maximum coverage, include the additional rule tags:

spectral scan --include-tags base,audit,audit3

You can write your own custom rules to catch secrets we don't yet support or secrets that are specific to your domain. To learn how to write your own rules, take a look here. For centralized custom rules, read here.
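To make the two ideas above concrete, here is a small, self-contained secrets scanner written for this page. It is an added illustration, not Spectral's code and not Spectral's rule format: the rule names, the "base" versus "audit" tag split, the regexes, the entropy threshold of 3.5 bits per character and the sample configuration text are all assumptions constructed for the example. It shows what a pattern rule does (a fixed-format key such as an AWS access key ID or a PEM header), how a noisier generic rule gated by a tag adds coverage at the cost of more results, and why scan output should redact what it finds.

```python
import math
import re
from dataclasses import dataclass

# Hypothetical rule set for illustration only; Spectral's own rules, tags and
# rule syntax are not reproduced here. "base" rules run by default, "audit"
# rules are opted into, mirroring the idea of including extra tags for coverage.
@dataclass(frozen=True)
class Rule:
    rule_id: str
    pattern: re.Pattern
    tags: frozenset
    entropy_min: float = 0.0  # applied to capture group 1 when the pattern has one

RULES = [
    # Fixed-format credentials: precise patterns, low false-positive rate.
    Rule("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b"), frozenset({"base"})),
    Rule("github-pat", re.compile(r"\bghp_[A-Za-z0-9]{36}\b"), frozenset({"base"})),
    Rule("pem-private-key",
         re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
         frozenset({"base"})),
    # Generic catch-all: a secret-looking variable assigned a long value whose
    # entropy looks like key material rather than a word. Noisier, so tagged "audit".
    Rule("generic-high-entropy-secret",
         re.compile(r"(?i)(?:secret|password|passwd|token|api[_-]?key)[A-Za-z0-9_]*"
                    r"\s*[:=]\s*['\"]?([^\s'\"]{16,})['\"]?"),
         frozenset({"audit"}), entropy_min=3.5),
]

@dataclass(frozen=True)
class Finding:
    rule_id: str
    line_no: int
    secret: str

def shannon_entropy(s: str) -> float:
    """Bits per character: random base62 strings sit near 4.5-5, English words near 3."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())

def scan_text(text: str, include_tags=frozenset({"base"})) -> list:
    """Run every rule whose tags intersect include_tags over each line of text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule in RULES:
            if not rule.tags & include_tags:
                continue
            for m in rule.pattern.finditer(line):
                secret = m.group(1) if m.lastindex else m.group(0)
                if shannon_entropy(secret) < rule.entropy_min:
                    continue  # looks like a word or placeholder, not key material
                findings.append(Finding(rule.rule_id, line_no, secret))
    return findings

def redact(secret: str) -> str:
    """Scan output must never echo a full secret; keep just enough to locate it."""
    if len(secret) <= 8:
        return "*" * len(secret)
    return secret[:4] + "*" * (len(secret) - 8) + secret[-4:]

def report(findings, path="<sample>") -> list:
    return [f"{path}:{f.line_no}: {f.rule_id}: {redact(f.secret)}" for f in findings]

# Constructed sample input. The AWS values are the placeholder keys from AWS's
# own documentation; nothing here is a live credential.
SAMPLE_CONFIG = """\
# constructed sample; every value below is a placeholder, not a live credential
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
LOG_LEVEL=debug
API_TOKEN="q9Xz2lP0vR7tW4mK8nB1cD5eF3gH6jL0"
-----BEGIN RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for tags in (frozenset({"base"}), frozenset({"base", "audit"})):
        print(f"-- include_tags={sorted(tags)}")
        for line in report(scan_text(SAMPLE_CONFIG, tags)):
            print(line)
```

With only the "base" tag the scan reports the access key ID and the PEM header; adding "audit" also surfaces the AWS secret key and the API token, which have no fixed prefix and are caught only by the entropy-gated generic rule. That difference is the trade-off behind scanning with extra tags: more coverage, more results to triage.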

Key validation

Storing a token as plain text in your resources is bad practice in itself, but when the token is still valid it becomes a serious security risk, for example a live GitHub token or an AWS access and secret key pair.
Spectral can test the validity of the keys it finds by running the scan with the --validate flag:

spectral scan --validate