
Secret Detection

Overview

Checkmarx Secret Detection reduces risk by quickly identifying sensitive credentials that may be exposed, enabling your development and security teams to remove and rotate the discovered secrets before they can be abused.

Key Features

  • Powerful Secret Detection – Checkmarx identifies more than 170 different types of login credentials, access tokens, encryption keys, API keys, SSH keys, webhook URLs, and other unsecured sensitive information. 

  • Automatic Secret Validation – To prioritize remediation efforts, the system automatically attempts to determine if discovered secrets are still valid and operative. 

  • Automatic and Manual Scan Initiation – Scanning for exposed secrets can be initiated automatically at specific SDLC stages via SCM integration and on demand via integrated IDE, CLI, API, and the Checkmarx One UI.  

  • Developer-Friendly Workflows – Developers can initiate scans for exposed secrets, review results, and receive remediation guidance – all within their IDE.

Rules

The following table shows the list of rules that are used to detect various types of secrets.

Running Scans

Secret Detection can be run on your Checkmarx One projects via the web application, the CLI, or the REST API. It is also possible to set up a code repository integration that automatically triggers a scan whenever a pull request or push event occurs in the SCM. You can also run scans directly from your IDE (currently supported for VS Code). Learn more about running scans here.

Viewing Results

Secret Detection results are shown under the Software Supply Chain tab in your Workspace. See Viewing SCS Results.

Notice

Alternatively, you can access the results for a specific project by opening the SCS results viewer for that project from the Projects tab.

Viewing Secret Detection Results

When the Secret Detection scanner is selected in the SCS results viewer, results are grouped by the type of secret detected. When you click on a type, a list of risks of that type is shown.


The following table describes the information shown for each risk.

Severity: The severity of the risk.
  Tip: The severity for detected secrets is generally set to High. However, when the validity test is run (i.e. for supported secret types), secrets found to be valid are set to Critical and secrets found to be invalid are set to Medium.

File/Artifact: The path to the file or artifact in which the secret was detected.

Location: The line in which the secret was detected.

Validity: Indicates whether or not the secret is currently valid (shown only for secret types that support a validity test).

Remediation: Shows the first few characters of the detected secret, with the remaining characters masked for security purposes. The recommended remediation for detected secrets is to first remove the secret from your file and then to change (rotate) the secret. Removing the secret from the current file does not remove it from version-control history, so rotating it is the step that actually ends the exposure.
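To make the rule, validity and severity concepts above concrete, here is a small rule-based scanner written as an added example; it is not Checkmarx code and does not reproduce Checkmarx's rules. The four regex rules, the sample files, and the in-memory validity table are all constructed for illustration. The severity mapping follows the Tip in the table: a secret whose validity test passes is Critical, one whose test fails is Medium, and a secret type with no validity test stays High. Findings are then masked and sorted so the most urgent ones come first.

```python
"""Added example (not Checkmarx code): a minimal rule-based secret scanner
showing how detection rules, validity checks, severity and masking fit together.
The rules, sample files and validity results below are constructed."""
import re
from dataclasses import dataclass
from typing import Callable, Optional

# Illustrative rules (name -> pattern). A production scanner ships hundreds.
RULES = {
    "AWS Access Key ID": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "GitHub Personal Access Token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "Slack Webhook URL": re.compile(
        r"https://hooks\.slack\.com/services/T[A-Z0-9]+/B[A-Z0-9]+/[A-Za-z0-9]+"),
    "Private Key Block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}


@dataclass
class Finding:
    rule: str
    path: str
    line: int
    validity: Optional[bool]  # True = valid, False = invalid, None = not tested
    masked: str

    @property
    def severity(self) -> str:
        # Severity rule from the results table: valid -> Critical, invalid -> Medium,
        # no validity test available -> High.
        if self.validity is True:
            return "Critical"
        if self.validity is False:
            return "Medium"
        return "High"


def mask(secret: str, keep: int = 4) -> str:
    """Show the first few characters of a secret and mask the rest."""
    if len(secret) <= keep:
        return "*" * len(secret)
    return secret[:keep] + "*" * (len(secret) - keep)


# Constructed stand-in for a live validity check. A real validator would call the
# issuing service (e.g. AWS STS GetCallerIdentity for an access key, GitHub's
# GET /user for a PAT) and map accepted / rejected / no-check-available to
# True / False / None.
SAMPLE_VALIDITY = {
    "AKIAIOSFODNN7EXAMPLE": True,                        # constructed: still active
    "ghp_0123456789abcdefghijklmnopqrstuvwxyz": False,   # constructed: already revoked
}

Validator = Callable[[str, str], Optional[bool]]


def sample_validator(rule: str, secret: str) -> Optional[bool]:
    return SAMPLE_VALIDITY.get(secret)  # None when this secret type has no validity test


def scan(files: dict[str, str], validator: Validator) -> list[Finding]:
    """Run every rule over every line of every file, recording path and line number."""
    findings: list[Finding] = []
    for path, content in files.items():
        for lineno, text in enumerate(content.splitlines(), start=1):
            for rule, pattern in RULES.items():
                for m in pattern.finditer(text):
                    secret = m.group(0)
                    findings.append(Finding(rule, path, lineno,
                                            validator(rule, secret), mask(secret)))
    return findings


SEVERITY_ORDER = {"Critical": 0, "High": 1, "Medium": 2}


def prioritize(findings: list[Finding]) -> list[Finding]:
    """Order findings so confirmed-valid secrets are remediated first."""
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f.severity], f.path, f.line))


# Constructed sample repository contents (the AWS key is AWS's documentation example).
SAMPLE_FILES = {
    "config/settings.py": "DEBUG = False\nAWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n",
    ".github/workflows/deploy.yml": "env:\n  GH_TOKEN: ghp_0123456789abcdefghijklmnopqrstuvwxyz\n",
    "scripts/notify.sh": "curl -X POST https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX\n",
    "deploy/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\n(key material omitted)\n-----END RSA PRIVATE KEY-----\n",
}

if __name__ == "__main__":
    for f in prioritize(scan(SAMPLE_FILES, sample_validator)):
        print(f"{f.severity:8} {f.rule:30} {f.path}:{f.line}  {f.masked}")
```

Running the block lists the active AWS key as Critical at the top, the two untested findings (webhook URL and private key header) as High, and the revoked GitHub token as Medium at the bottom, each with only its first four characters visible. The validator is deliberately a lookup table so the example runs offline; the comment above it names the real service calls such a check would make.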