Code Secrets - Appendix

Overview

This appendix lists the types of secrets that Mend SAST secret detection recognizes, grouped by category, followed by the configuration and script file types that are scanned for them.

Supported Secrets

Cloud Provider Access Tokens and Secrets

These represent credentials that grant access to cloud environments:

  • AWS

    • Access Key ID

    • Secret Access Key

    • Account ID

  • Azure

    • Azure Database for PostgreSQL / MySQL / MariaDB

    • Azure Cosmos DB connection string

    • Azure Storage account connection string

    • Azure Storage SAS token

    • Azure AD Client Secret (new Q~ format)

    • Azure Active Directory Access Token

    • Azure App Configuration Access Key

    • Azure App Service deployment password

    • Azure Databricks Personal Access Token

    • Azure SignalR Access Key

    • Azure Communication Services Access Key

    • Azure Maps Subscription Key

    • Azure Web PubSub Access Key

    • Azure Redis Cache password

    • Azure IoT Shared Access Key

    • Azure Shared Access Signature (generic SAS)

    • Azure Logic App SAS URL

    • Azure Service Bus SAS

  • Google Cloud Platform (GCP)

    • Service account credentials

  • Alibaba Cloud

    • Access Key ID

    • Secret Key

  • Heroku

    • API Key

  • HashiCorp

    • Terraform API Token

  • Pulumi

    • API Token

  • PlanetScale

    • API Token

    • Password


Asymmetric & Encryption Keys

These are used for securing communications or authentication:

  • Asymmetric Private Keys

    • PEM-encoded private keys (RSA, DSA, EC, etc.), identified by their -----BEGIN ... PRIVATE KEY----- header

  • Age

    • AGE-SECRET-KEY for file encryption


Committed Certificate and Private-Key Files

In addition to detecting key material embedded in code, Mend SAST flags certificate and private-key files committed directly to source control:

  • PEM private key files (.pem, .key) — flagged when the file contains a -----BEGIN PRIVATE KEY----- or -----BEGIN RSA PRIVATE KEY----- header (other PEM private-key headers, such as EC and DSA, are covered by the Asymmetric Private Keys rule above).

  • PFX / PKCS#12 certificate containers (.pfx, .p12) — flagged whenever they are committed, whether or not the contents can be read, because the container normally bundles the private key with the certificate chain and the password protecting it is often weak or stored alongside it. These generate a distinct finding: "Certificate bundle committed to source control." The one case to review before treating the finding as a key leak is a container that holds only public certificates (a trust store).


API Provider Tokens

These provide access to various SaaS provider APIs:

  • GitHub (PAT, OAuth, App Token, Refresh Token)

  • GitLab (PAT)

  • Stripe (Publishable & Secret Keys)

  • Slack (Access Token, Webhook)

  • Twilio (API Key)

  • Mailgun (API Key, Signing Key)

  • SendGrid, Sendinblue, Postman, Databricks, Dropbox, Shippo, Lob, Typeform, etc.

  • New Relic (User API Key, Browser Token)

  • Dynatrace, Intercom, Linear, Bitbucket, Atlassian, Fastly, Clojars, Contentful, etc.

This includes a large number of specific SaaS provider keys (see "Custom or Lesser-known API Provider Tokens" below for additional providers).


OAuth Clients and Secrets

Used for applications performing OAuth authentication:

  • Adobe

    • Client ID & Secret

  • Asana

    • Client ID & Secret

  • Atlassian

    • API Token

  • Bitbucket

    • Client ID & Secret

  • Discord

    • Client ID, Secret, and API Key

  • Facebook

    • Token

  • Twitter

    • Token

  • LinkedIn

    • Client ID & Secret

  • Intercom

    • Client Secret


Custom or Lesser-known API Provider Tokens

These include vendor-specific or niche services:

  • Shopify

  • PyPI

  • Doppler

  • Beamer

  • Clojars

  • Contentful

  • Databricks

  • Discord

  • Duffel

  • Easypost

  • Finicity

  • Flutterwave

  • Frame.io

  • GoCardless

  • Grafana

  • HubSpot

  • Ionic

  • Linear

  • Mailchimp

  • Mapbox

  • MessageBird

  • Npm

  • Postman

  • RubyGems

  • SendGrid

  • Sendinblue

  • Shippo

  • Twitch


Miscellaneous Secrets

These may not fit standard categories but are covered by specific regex rules:

  • Private Signing Keys

  • Webhook URLs (e.g., Slack Webhooks)

  • JWT-style or Bearer tokens embedded in code


CI/CD and Package Registry Tokens

These secrets are used to authenticate with build, deployment, or artifact management systems:

  • PyPI – Upload token

  • Clojars – API token

  • npm – Access token

  • RubyGems – API token

  • GitHub & GitLab – Personal Access Tokens (used in CI/CD)

  • Pulumi, Terraform (HashiCorp) – Infrastructure as Code deployment tokens

These secrets are often embedded in build pipelines to publish or pull packages or deploy services.


Webhook Signing Keys

These are used to verify the authenticity and integrity of incoming webhooks:

  • Mailgun – Webhook signing key

  • Slack – Webhook URL (used to receive data)

A leaked webhook URL lets anyone post data into the receiving channel; a leaked signing key lets an attacker forge events that the receiver accepts as authentic. A signing key is therefore a security-validation secret, not merely an access secret.
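As an added illustration of that distinction (example code written for this appendix, not Mend SAST or Mailgun code), the receiver-side check below follows the scheme Mailgun documents for its webhooks, a hex HMAC-SHA256 over timestamp + token keyed with the signing key. It shows that an attacker holding the leaked key can mint events the receiver accepts, while a replay, a stale event or a guessed key is rejected. The key, tokens and clock value are constructed for the demo.

```python
"""Webhook signature verification showing what a leaked signing key buys an attacker.
Added example, not Mend or Mailgun code. Scheme as documented by Mailgun:
signature = hex HMAC-SHA256(signing_key, timestamp + token)."""
import hashlib
import hmac
import time
from typing import Callable


def sign(signing_key: str, timestamp: str, token: str) -> str:
    """Signature the sender produces; anyone holding the key can produce the same."""
    return hmac.new(signing_key.encode(), f"{timestamp}{token}".encode(), hashlib.sha256).hexdigest()


class WebhookVerifier:
    """Receiver-side check: fresh timestamp, unseen token, valid MAC (in that order)."""

    def __init__(self, signing_key: str, max_age_seconds: int = 300,
                 now: Callable[[], float] = time.time):
        self._key = signing_key
        self._max_age = max_age_seconds
        self._now = now
        self._seen_tokens = set()  # replay cache; a real service uses a bounded, shared store

    def verify(self, timestamp: str, token: str, signature: str) -> bool:
        try:
            age = self._now() - int(timestamp)
        except ValueError:
            return False  # malformed timestamp
        if age > self._max_age or age < -self._max_age:
            return False  # stale or from the future: reject before touching the MAC
        if token in self._seen_tokens:
            return False  # replay of an event that was already accepted
        if not hmac.compare_digest(sign(self._key, timestamp, token), signature):
            return False  # constant-time comparison against the expected MAC
        self._seen_tokens.add(token)
        return True


# Constructed values for the demo; not real credentials.
SIGNING_KEY = "example-signing-key-not-real"
FIXED_NOW = 1_700_000_000


def demo() -> dict:
    """Run the verifier against genuine, replayed, stale, guessed-key and leaked-key events."""
    verifier = WebhookVerifier(SIGNING_KEY, now=lambda: FIXED_NOW)
    ts = str(FIXED_NOW - 10)
    old_ts = str(FIXED_NOW - 3600)
    genuine = sign(SIGNING_KEY, ts, "tok-1")
    return {
        "genuine event": verifier.verify(ts, "tok-1", genuine),
        "same event replayed": verifier.verify(ts, "tok-1", genuine),
        "stale event (1 hour old)": verifier.verify(old_ts, "tok-2", sign(SIGNING_KEY, old_ts, "tok-2")),
        "forged without the key": verifier.verify(ts, "tok-3", sign("guessed-key", ts, "tok-3")),
        # This is the case the signing-key rules exist for: with the leaked key the
        # attacker's event is indistinguishable from a genuine one.
        "forged with the leaked key": verifier.verify(ts, "tok-4", sign(SIGNING_KEY, ts, "tok-4")),
    }


if __name__ == "__main__":
    for label, accepted in demo().items():
        print(f"{'ACCEPT' if accepted else 'REJECT'}  {label}")
```

The freshness and replay checks run before the MAC comparison so that an attacker cannot use the verifier as an HMAC oracle at full speed; they do nothing against a forger who has the key itself, which is why rotation is the only fix for a leaked signing key.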


Mobile SDK or Embedded Client Keys

Some tokens are typically used in client-side or mobile apps:

  • Stripe Publishable Keys – Marked as Low severity

  • Mapbox Public Keys

  • Flutterwave Public Keys

  • Lob Publishable API Keys

These keys are designed to ship in frontend and mobile code, so a match is low severity on its own. They are still reported because a publishable key often sits next to its secret counterpart in the same file, and because a secret key is sometimes stored under a "public" or "publishable" variable name.


Client Identifiers (non-secret but sensitive)

Some fields like Client ID are technically not secret, but they:

  • Appear in rules (e.g. LinkedIn, Adobe, Discord)

  • Are flagged because leaking them could assist an attacker in phishing or spoofing OAuth workflows

These are tracked because a Client ID combined with a Client Secret leaked elsewhere yields a working OAuth client.


Potentially Sensitive Identifiers

While not long-lived secrets in themselves, some rules match values that, when leaked, facilitate further discovery or abuse:

  • AWS Account ID (an identifier, not a credential)

  • GitHub App installation tokens and refresh tokens (short-lived, but a refresh token mints new access tokens)

  • Dropbox short-lived and long-lived tokens (the long-lived form is a full credential until revoked)

Treat these as high-value even where they do not unlock access on their own: an account ID lets an attacker construct resource ARNs and target the account directly, and a token that can be refreshed or that has a long lifetime should be rotated like any other secret.


Test Environment Secrets

Many providers mark sandbox or test-mode credentials with a prefix or token segment such as:

  • test_, sandbox_, dev_, etc.

Examples include:

  • duffel_test_

  • FLWSECK_TEST

  • sk_test_ / pk_test_ (Stripe)

  • shippo_test_

A test-mode key still authenticates to the provider's sandbox and should be rotated when leaked; the marker lowers the impact of the leak, not the need to act on it.

Supported Configuration and Script Files

Below is a list of some of the prominent configuration and script files scanned for exposed credentials. Entries such as .env and .npmrc are complete file names rather than extensions.

.bks

.cfg

.conf

.config

.env

.jks

.json

.keystore

.npmrc

.p12

.pem

.pfx

.pbxproj

.plist

.properties

.ps1

.rc

.template

.tf

.tfstate

.tfvars

.toml

.xcconfig

.xml

.yaml

.yml
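To show how the categories above combine into a scan (an added example, not Mend SAST code or its rules), the script below walks a small constructed repository, selects files by the extensions and dotfile names listed here, applies public token formats (AWS AKIA/ASIA key IDs, Stripe sk_/pk_ keys, GitHub ghp_ tokens, Slack incoming-webhook URLs, PEM private-key headers, age secret keys) and downgrades test-mode and publishable keys the way the "Test Environment Secrets" and "Mobile SDK or Embedded Client Keys" sections describe. The file subset, severity labels, rule names and sample files are this example's own assumptions; AKIAIOSFODNN7EXAMPLE and sk_test_4eC39HqLyjWDarjtT1zdp7dc are the placeholder values from the AWS and Stripe documentation.

```python
"""Toy secret scanner modelled on the rule categories in this appendix.
Added example, not Mend SAST code: the token formats are public, while the file
selection, severity labels and test-mode downgrade are assumptions made here,
and every sample file scanned is constructed inline."""
import os
import re
import tempfile
from dataclasses import dataclass

# Subset of the file types listed above. .env and .npmrc are whole file names.
SCANNED_NAMES = {".env", ".npmrc"}
SCANNED_EXTENSIONS = {".cfg", ".conf", ".config", ".json", ".pem", ".properties",
                      ".tf", ".tfstate", ".tfvars", ".toml", ".xml", ".yaml", ".yml"}
# Markers of sandbox/test-mode credentials (see "Test Environment Secrets").
TEST_MARKERS = ("sk_test_", "pk_test_", "FLWSECK_TEST", "shippo_test_", "duffel_test_")
# (rule name, public token format, base severity); severity labels are assumed.
RULES = [
    ("aws-access-key-id", r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b", "high"),
    ("stripe-secret-key", r"\bsk_(?:live|test)_[0-9a-zA-Z]{24,}", "critical"),
    ("stripe-publishable-key", r"\bpk_(?:live|test)_[0-9a-zA-Z]{24,}", "low"),
    ("github-pat", r"\bghp_[A-Za-z0-9]{36}\b", "critical"),
    ("slack-webhook", r"https://hooks\.slack\.com/services/T[A-Z0-9]+/B[A-Z0-9]+/[A-Za-z0-9]+", "high"),
    ("pem-private-key", r"-----BEGIN (?:[A-Z]+ )*PRIVATE KEY-----", "critical"),
    ("age-secret-key", r"\bAGE-SECRET-KEY-1[A-Z0-9]{58}\b", "critical"),
]
COMPILED = [(name, re.compile(pattern), severity) for name, pattern, severity in RULES]


@dataclass
class Finding:
    path: str
    line: int
    rule: str
    severity: str
    preview: str  # redacted, so the report itself does not leak the value


def is_scanned_file(path: str) -> bool:
    name = os.path.basename(path)
    # os.path.splitext(".env") is ('.env', ''), so dotfiles must match on the whole name.
    return name in SCANNED_NAMES or os.path.splitext(name)[1] in SCANNED_EXTENSIONS


def classify(base_severity: str, value: str) -> str:
    # A test-mode key still works against the provider sandbox: report it, but lower.
    return "low" if value.startswith(TEST_MARKERS) else base_severity


def redact(value: str) -> str:
    return value[:8] + "..." + value[-4:] if len(value) > 16 else "***"


def scan_text(path: str, text: str) -> list:
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, regex, severity in COMPILED:
            for match in regex.finditer(line):
                value = match.group(0)
                findings.append(Finding(path, lineno, name, classify(severity, value), redact(value)))
    return findings


def scan_tree(root: str) -> list:
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for filename in sorted(files):
            full = os.path.join(dirpath, filename)
            if not is_scanned_file(full):
                continue
            with open(full, encoding="utf-8", errors="replace") as fh:
                findings.extend(scan_text(os.path.relpath(full, root), fh.read()))
    return findings


# Constructed sample repository. AKIAIOSFODNN7EXAMPLE and sk_test_4eC39HqLyjWDarjtT1zdp7dc
# are the placeholder values from the AWS and Stripe documentation; the rest are made up.
BECH32_UPPER = "QPZRY9X8GF2TVDW0S3JN54KHCE6MUA7L"
SAMPLE_FILES = {
    ".env": (
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "STRIPE_SECRET_KEY=sk_test_4eC39HqLyjWDarjtT1zdp7dc\n"
        "STRIPE_PUBLISHABLE_KEY=pk_live_0123456789abcdef01234567\n"
        "SLACK_WEBHOOK=https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX\n"
    ),
    "config.json": (
        '{"github_token": "ghp_0123456789abcdefghijklmnopqrstuvwxyz",\n'
        f' "age_key": "AGE-SECRET-KEY-1{(BECH32_UPPER * 2)[:58]}"}}\n'
    ),
    "server.pem": "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEA...constructed...\n-----END RSA PRIVATE KEY-----\n",
    "notes.md": "ghp_0123456789abcdefghijklmnopqrstuvwxyz sits in a file type that is not scanned\n",
}


def demo() -> list:
    """Write the constructed files into a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for name, body in SAMPLE_FILES.items():
            with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_tree(root)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.severity:<8} {f.rule:<24} {f.path}:{f.line}  {f.preview}")
```

Two details matter more than the regexes: dotfiles such as .env have no extension in the os.path.splitext sense and must be matched on the whole name, and the report stores a redacted preview so that the scan output does not become a second copy of the secret. The ghp_ token in notes.md is deliberately missed, which is the trade-off of scanning by file type rather than every file.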