Detects any secret left exposed in the artifacts stored in Artifactory to stop any accidental leak of internal tokens or credentials. Xray scans your configuration, text, and binary files for plaintext credentials, private keys, tokens, and similar secrets. Xray uses a constantly updated list of more than 150 specific types of credentials. In addition, Xray uses a proprietary generic secrets matcher, for the best coverage possible. Xray also scans for issues in the certificates used in the software, such as expired or weak certificates.
Supported Scenarios
JFrog Secret detection currently supports the following scenarios:
JFrog Platform is for the following package types: Docker, Maven, npm, and PyPI. Additional supported Package types are coming soon.
Developer tools: IDE, CLI, Git (Frogbot).
Note
In the JFrog Platform both binaries and text files are being scanned for secrets.
In the IDE and Frogbot only text files are scanned.
In the CLI there are commands such as ‘jf audit’ that scan source code and look for secrets in text files, and other commands such as ‘jf docker scan’ that scan both binary and text files.
Supported Secrets Types
JFrog Secrets detection can detect the following types of secrets:
Access Tokens
This scanner detects access tokens with a well-defined structure, in either text or binary files. For example:
Platform | Example Token |
---|---|
AWS |
|
GitHub |
|
GitLab |
|
npm |
|
Slack |
|
Token Validation
Verify the validity of detected tokens by enabling Token Validation. This feature allows you to distinguish between active and inactive tokens by authenticating against the token provider.
To enable this feature, run the following REST API: Enable Token Validation for Secrets.
Once enabled, the results are presented in the violation's details under the Findings tab. To learn more about results, see View Exposure Scan Statuses and Results.
The Token Validation column statuses are:
Active: Token is valid and usable. It poses a potentially higher security risk if compromised.
Inactive: Token is inactive. For tokens associated with Self Hosted providers, our validation cannot determine their activity status.
Unsupported: Token provider is currently unsupported for validation.
Unavailable: Cannot validate due to unknown reasons.
The Metadata column:
For several providers, additional identification is coupled to the secret token (AWS has a Token ID associated with the Token Secret). Our scanners detect this additional identification and output it to the Metadata column.
Supported Providers
These are all the providers currently supported by this scanner. Some providers also support JFrog’s Token Validation.
Supported Provider | Token Validation Support |
---|---|
Adobe | Yes |
Age File Encryption | No |
Alibaba | Yes |
Artifactory | No |
AWS | Yes |
Azure | Yes |
Clojars | No |
Cloudflare | No |
Contentful | Yes |
Databricks | No |
DigitalOcean | Yes |
Doppler | Yes |
Dropbox | Yes |
Duffel | Yes |
Dynatrace | No |
Elastic | No |
Fastly | Yes |
Finicity | No |
Flutterwave | Yes |
GitHub | Yes |
GitLab | Yes |
Yes | |
Heroku | Yes |
Hubspot | No |
Intercom | No |
Jenkins | No |
Linear | Yes |
Mailchimp | Yes |
Mailgun | Yes |
Mapbox | Yes |
Messagebird | No |
New Relic | No |
npm | Yes |
NuGet | No |
Okta | No |
PayPal | Yes |
Planetscale | No |
Postman | Yes |
Postmark | Yes |
Pulumi | Yes |
PyPI | No |
Rubygems | Yes |
Sauce | No |
Searchgaurd | No |
Sendgrid | Yes |
Sendinblue | Yes |
Sentry | No |
Shippo | Yes |
Shodan | Yes |
Shopify | No |
Slack | Yes |
Snyk | Yes |
Sonar | No |
Square | No |
StackHawk | Yes |
Stripe | Yes |
Telegram | Yes |
Terraform | Yes |
Travis CI | No |
Trello | No |
Twilio | Yes |
Typeform | Yes |
Ubidots | Yes |
Detection Exceptions
The following access keys will not raise an alert by the scanners
Public example keys (AWS example - ANPAI65L554VRJ33ECQS6)
Keys in files residing in documentation directories (ex. "/usr/local/share/")
Keys that match any of the following case-insensitive patterns
.*xxxx.*
.*test.*
.*sample.*
.*example.*
.*token.*
*123456.*
.*abcdef.*
.*foobar.*
.*deadbeef.*
.*xxxxxx.*
.*1111111.*
.*0000000.*
Certificates/Private keys
JFrog Secret detection can detect issues in X.509 PEM (textual) and DER (binary) certificates and private keys :
Certificates containing private keys or standalone PEM/DER private keys
Expired certificates
Self-signed certificates
High Entropy Textual Secrets
JFrog Secret detection can detect secrets in the general form of “key = value” in textual files (incl. source files and configuration files) where:
“key” is a variable name indicative of a secret (for example “secret” or “password”)
“value” is a string with high entropy/randomness (ex. “d#@B2xN,Y}” and not “123123123”)
For example:
my_password: "CorrectHorseBatteryStaple123!"
Detection exceptions
JFrog employs several heuristics to avoid false positive results. The following textual secrets will not raise an alert by the scanners:
The key completely matches the string “key” (ex. “key = d#@B2xN,Y}”)
The value matches any of the following case-insensitive patterns
.*xxxx.*
.*test.*
.*sample.*
.*example.*
.*123456.*
.*abcdef.*
AKIA.*
The value contains a 6-character long sequence of the same character or consecutive characters (ex. “123456”)
Secrets in files residing in documentation directories (ex. "/usr/local/share/")
Secrets in 3rd-party files (ex. A file belonging to a 3rd-party npm package)
Secrets in files where the file path matches any of the following case-insensitive patterns
.*example.*
.*sample.*
URL Secrets
JFrog Secret detection can detect secrets in textual files where the secret is embedded in a URL (for example; https://myuser:mypass@somedomain.com)
Detection exceptions
The following URLs will not raise an alert by the scanners:
URLs that match any of the following case-insensitive patterns
.*example.*
.*foo.*
.*bar.*
.*example.*
.*sample.*
.*some.host.*
.*some.url.*
.*site.com.*
.*google.com.*
.*url.com.*
.*xyz.*
.*abc.*
.*domain.com.*
.*host.com.*
.*host.page.*
.*codecov.*
.*deepsource.*
.*shields.io.*
URLs where the authentication part matches any of the following case-insensitive patterns
.*user:pass.*
.*username.*
.*anonymous.*
.*test.*
.*foo.*
.*bar.*
.*example.*
.*myuser.*
.*baz.*
URLs that reference an image file (ex. URL ends with “.jpg”)