Secrets module
The Secrets page lists every leaked credential found across buckets, volumes, repos, container images, databases, and serverless functions.
Columns
| Column | Notes |
|---|---|
| Risk | Score from 0 to 100, shown as a colored circle. The default sort key. |
| Severity | CRITICAL / HIGH / MEDIUM / LOW. |
| Type | The pattern category (cloud, saas, database, cryptographic, generic). |
| Name | Pattern name (e.g. AWS Access Key, GitHub PAT). |
| Location | Where the secret was found (bucket / file path / repo). |
| Resource | The cloud resource holding the location. |
| Snippet | A redacted sample of the matched value. |
| Validity | VALID, INVALID, UNKNOWN. |
Validity, the differentiator
Validity is what makes secrets findings actionable instead of overwhelming.
| Status | Meaning | Action |
|---|---|---|
| VALID | The vendor confirmed the secret authenticates. | Treat as a live breach. Rotate and audit usage. Once rotated, the finding moves to RESOLVED on the next scan. |
| INVALID | The vendor rejected the secret. | Probably a stale or already-rotated leftover; still scrub it from git history. |
| UNKNOWN | We did not validate (validation disabled for the pattern, or the probe did not return a verdict). | Triage by hand: read the context, decide. |
Validation runs read-only against the vendor's introspection endpoint (e.g. AWS STS GetCallerIdentity, GitHub /user). It can be disabled per pattern. Note that the probe is an ordinary authenticated API call, so it appears in the vendor's own audit trail (CloudTrail for STS, for example); a VALID verdict means the credential worked at scan time, not that it was the only use.
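The following Python sketch is an added example written for this page, not the product's detector: it matches two public key formats (AWS access key ID prefix AKIA, GitHub PAT prefix ghp_), records only a redacted snippet plus a SHA-256 hash of the match (the storage rule the detail panel describes), and maps the introspection probe's HTTP status onto VALID / INVALID / UNKNOWN. The `transport` callable, the `PROBE_ENDPOINT` table and the sample config text are assumptions constructed so the code runs offline; a real STS probe would also need the paired secret access key from the surrounding context, which this sketch does not model.

```python
"""Added example: match, redact, hash and validity-classify leaked secrets.

Illustrative code for this page, not the product's own implementation. The
`transport` callable is an assumed injection point so the example runs
offline against canned vendor responses.
"""
import hashlib
import re
from dataclasses import dataclass
from typing import Callable, Optional

# Pattern catalogue: rule key -> (type, regex). Both prefix formats are public.
PATTERNS = {
    "aws_access_key_id": ("cloud", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    "github_pat": ("saas", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
}

# Read-only introspection call probed per rule (assumed table, follows the page).
PROBE_ENDPOINT = {
    "aws_access_key_id": "sts:GetCallerIdentity",
    "github_pat": "GET https://api.github.com/user",
}


@dataclass
class Finding:
    rule_key: str
    type: str
    location: str
    snippet: str    # redacted, never the full value
    sha256: str     # hash of the full value, for dedup across scans
    validity: str   # VALID / INVALID / UNKNOWN
    probed: str     # endpoint that was called, empty if validation was off


def redact(value: str, keep: int = 4) -> str:
    """Keep a short prefix and suffix so an analyst can recognise the key."""
    if len(value) <= 2 * keep:
        return "*" * len(value)
    return f"{value[:keep]}{'*' * (len(value) - 2 * keep)}{value[-keep:]}"


def classify(status: Optional[int]) -> str:
    """Map the probe's HTTP status to a verdict.

    2xx: the vendor accepted the credential. 401/403: rejected. Anything
    else (no response, rate limit, 5xx) is UNKNOWN, because a failed probe
    is not evidence that the secret is dead.
    """
    if status is None:
        return "UNKNOWN"
    if 200 <= status < 300:
        return "VALID"
    if status in (401, 403):
        return "INVALID"
    return "UNKNOWN"


def scan(text: str, location: str,
         transport: Callable[[str, str], Optional[int]],
         validate: bool = True) -> list[Finding]:
    """Find secrets in `text`; optionally probe each one read-only."""
    findings = []
    for rule_key, (kind, rx) in PATTERNS.items():
        for m in rx.finditer(text):
            value = m.group(0)
            endpoint = PROBE_ENDPOINT[rule_key]
            status = transport(endpoint, value) if validate else None
            findings.append(Finding(
                rule_key=rule_key,
                type=kind,
                location=location,
                snippet=redact(value),
                sha256=hashlib.sha256(value.encode()).hexdigest(),
                validity=classify(status) if validate else "UNKNOWN",
                probed=endpoint if validate else "",
            ))
    return findings


def incident_list(findings: list[Finding]) -> list[Finding]:
    """The Tips rule: VALID findings are the incident list, the rest is hygiene."""
    return [f for f in findings if f.validity == "VALID"]


# Constructed sample: a config file with AWS's documented example key ID
# and a synthetic GitHub PAT.
SAMPLE = (
    "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
    "github_token = ghp_" + "a" * 36 + "\n"
)


def fake_transport(endpoint: str, value: str) -> Optional[int]:
    """Canned vendor responses (constructed) so the example runs offline."""
    if endpoint.startswith("sts:"):
        return 403          # STS rejects the key: InvalidClientTokenId
    if value.startswith("ghp_"):
        return 200          # GitHub accepts the PAT
    return None


if __name__ == "__main__":
    for f in scan(SAMPLE, "s3://example-bucket/app.env", fake_transport):
        print(f.validity, f.rule_key, f.snippet, f.probed)
```

The point to take from `classify` is the asymmetry: only an explicit rejection earns INVALID, everything ambiguous stays UNKNOWN and lands in the manual triage queue rather than being silently dropped.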
Filters
- Severity, Status.
- Type: cloud, saas, database, cryptographic, generic.
- Validity: VALID / INVALID / UNKNOWN.
- Resource: narrow to one bucket / repo.
Detail panel
The panel shows:
- The full redacted snippet in monospace, highlighting the matched substring.
- The detected pattern with its rule key and confidence.
- Validity status and the API endpoint that was probed.
- Rotation procedure with vendor-specific steps.
- Historical git scrub instructions when the secret is in a repo (BFG, git-filter-repo).
- The full secret value is never stored; only its hash and the redacted snippet are kept.
Tips
- Filter validity = VALID first. That is your incident list. The rest is hygiene.
- Sort by Risk descending. Risk already accounts for validity, so this is the prioritised view in one click.
- Use IGNORE with a reason for known test secrets. Always include the reason; future audits will want it.
What's next
- Secrets concept
- DSPM module, sibling detector for sensitive data