Secrets Scanning
Keeping hardcoded secrets in your code or other assets of your organization is a vulnerability that may lead to exploitation. Spectral Secrets scanning helps you avoid hardcoding and sharing secrets in your assets with over 2500 built-in rules, covering certificates, PEM files, API keys, passwords and much more.
Running Spectral secret scan is easy:
spectral scan
Or explicitly run the secrets engine:
spectral scan --engines secrets
If you'd like to see more results for maximum coverage:
spectral scan --include-tags base,audit,audit3
You can write your own custom rules to catch secrets we don't yet support or secrets that are specific to your domain. To learn how to write your own rules, take a look here. For centralized custom rules, read here.
Key validation
A token stored as plain text in your resources is bad practice, but when the token is valid it is a huge security risk: for example, a valid GitHub token or a valid AWS access and secret key pair.
Spectral can test the validity of the keys it finds by running the scan with the --validate flag:
spectral scan --validate
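The two mechanisms described on this page, tag-selected rules (including a custom, domain-specific one) and validation of found keys, as an added Python example that is not Spectral's code or rule format: the rule set, the sample assets, the 'acme_' token format and the entropy thresholds are all constructed here, and the GitHub check is a plain call to GitHub's REST API that only runs when you wire it into validate_findings.

```python
# Rule-based secrets scanner with tag and entropy filtering plus an optional key-validation
# step. Added example: rules, sample files and validation hooks are constructed here and are
# NOT Spectral's rule format or implementation.
import math
import re
import urllib.error
import urllib.request
from collections import Counter
from dataclasses import dataclass, replace
from typing import Callable, Dict, FrozenSet, List

@dataclass(frozen=True)
class Rule:
    rule_id: str
    description: str
    pattern: "re.Pattern[str]"
    tags: FrozenSet[str]         # selected with include_tags, mirroring --include-tags
    min_entropy: float = 0.0     # drop low-entropy matches (placeholders, docs)

# Hypothetical rule set based on well-known public token shapes (not Spectral's rules).
RULES: List[Rule] = [
    Rule("PEM-PRIVATE-KEY", "PEM private key block",
         re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |ENCRYPTED )?PRIVATE KEY-----"), frozenset({"base"})),
    Rule("AWS-ACCESS-KEY-ID", "AWS access key ID",
         re.compile(r"\b(AKIA[0-9A-Z]{16})\b"), frozenset({"base"}), 3.0),
    Rule("GITHUB-PAT", "GitHub personal access token",
         re.compile(r"\b(ghp_[A-Za-z0-9]{36})\b"), frozenset({"base"}), 3.5),
    # A domain-specific custom rule of the kind the text says you can write yourself;
    # the 'acme_' token format is invented for this example.
    Rule("ACME-INTERNAL-TOKEN", "ACME internal service token (hypothetical format)",
         re.compile(r"\b(acme_[a-f0-9]{32})\b"), frozenset({"audit"}), 3.0),
]

# Constructed sample assets; every value below is fake.
SAMPLE_FILES: Dict[str, str] = {
    "config/settings.py": "AWS_ACCESS_KEY_ID = 'AKIAQX7N2VPLM4ZT9KR3'\n"
                          "# AWS_ACCESS_KEY_ID = 'AKIAAAAAAAAAAAAAAAAA'  # placeholder, not a real key\n",
    "deploy/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\n<key material omitted>\n-----END RSA PRIVATE KEY-----\n",
    ".env": "GITHUB_TOKEN=ghp_A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q7r8\n"
            "ACME_TOKEN=acme_0123456789abcdef0123456789abcdef\n",
}

@dataclass(frozen=True)
class Finding:
    rule_id: str
    path: str
    line: int
    secret: str
    validity: str = "not-checked"   # becomes "valid" | "invalid" | "unknown" after validation

def shannon_entropy(s: str) -> float:
    """Bits per character: real secrets score high, repeated filler scores near zero."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def scan_files(files: Dict[str, str], include_tags: FrozenSet[str],
               rules: List[Rule] = RULES) -> List[Finding]:
    """Run every rule whose tags intersect include_tags over every line of every file."""
    findings: List[Finding] = []
    for rule in rules:
        if not rule.tags & include_tags:
            continue
        for path, text in files.items():
            for lineno, line in enumerate(text.splitlines(), start=1):
                for m in rule.pattern.finditer(line):
                    secret = m.group(1) if m.groups() else m.group(0)
                    if shannon_entropy(secret) < rule.min_entropy:
                        continue   # placeholder-like value, not a credential
                    findings.append(Finding(rule.rule_id, path, lineno, secret))
    return sorted(findings, key=lambda f: (f.path, f.line))

def classify_github_status(status: int) -> str:
    """Map the API's answer to a triage label: live tokens get rotated first."""
    if status == 200:
        return "valid"     # token authenticated: an active exposure
    if status == 401:
        return "invalid"   # rejected (revoked/expired): still remove it from the asset
    return "unknown"       # rate limit, outage, etc.: re-check before closing the finding

def github_token_check(token: str, timeout: float = 5.0) -> str:
    """Network check against GitHub's REST API; only called when validation is requested."""
    req = urllib.request.Request("https://api.github.com/user",
                                 headers={"Authorization": f"Bearer {token}",
                                          "User-Agent": "secrets-scan-example"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_github_status(resp.status)
    except urllib.error.HTTPError as err:       # HTTPError before its parent URLError
        return classify_github_status(err.code)
    except urllib.error.URLError:
        return "unknown"

def validate_findings(findings: List[Finding],
                      checkers: Dict[str, Callable[[str], str]]) -> List[Finding]:
    """Attach a validity label from the checker registered for each rule id, if any."""
    return [replace(f, validity=checkers[f.rule_id](f.secret)) if f.rule_id in checkers else f
            for f in findings]

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES, frozenset({"base", "audit"})):
        print(f"{f.path}:{f.line}  {f.rule_id}  {f.secret[:4]}...")   # never log the full secret
```

Run as a script it lists four masked findings; with include_tags limited to "base" the custom 'acme_' rule is skipped, which is the same effect --include-tags has on Spectral's engine, and the commented-out placeholder key is dropped by the entropy filter. Validation is opt-in: pass {"GITHUB-PAT": github_token_check} to validate_findings and a finding labelled "valid" is a live credential to rotate first, while "invalid" still means the value has to be removed from the asset.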