
Code Secrets - Appendix

Overview

This article lists the types of secrets that Mend SAST detects as part of its secret detection.

Supported Secrets

Cloud Provider Access Tokens and Secrets

These represent credentials that grant access to cloud environments:

  • AWS

    • Access Key ID

    • Secret Access Key

    • Account ID

  • Google Cloud Platform (GCP)

    • Service account credentials

  • Alibaba Cloud

    • Access Key ID

    • Secret Key

  • Heroku

    • API Key

  • HashiCorp

    • Terraform API Token

  • Pulumi

    • API Token

  • PlanetScale

    • API Token

    • Password


Asymmetric & Encryption Keys

These are used for securing communications or authentication:

  • Asymmetric Private Keys

    • PEM-formatted private keys, such as RSA, DSA, and EC keys

  • Age

    • AGE-SECRET-KEY for file encryption


API Provider Tokens

These provide access to various SaaS provider APIs:

  • GitHub (PAT, OAuth, App Token, Refresh Token)

  • GitLab (PAT)

  • Stripe (Publishable & Secret Keys)

  • Slack (Access Token, Webhook)

  • Twilio (API Key)

  • Mailgun (API Key, Signing Key)

  • SendGrid, Sendinblue, Postman, Databricks, Dropbox, Shippo, Lob, Typeform, etc.

  • New Relic (User API Key, Browser Token)

  • Dynatrace, Intercom, Linear, Bitbucket, Atlassian, Fastly, Clojars, Contentful, etc.

This includes a large number of specific SaaS provider keys (see “Custom API Providers” below for exhaustive list).


OAuth Clients and Secrets

Used for applications performing OAuth authentication:

  • Adobe

    • Client ID & Secret

  • Asana

    • Client ID & Secret

  • Atlassian

    • API Token

  • Bitbucket

    • Client ID & Secret

  • Discord

    • Client ID, Secret, and API Key

  • Facebook

    • Token

  • Twitter

    • Token

  • LinkedIn

    • Client ID & Secret

  • Intercom

    • Client Secret


Custom or Lesser-known API Provider Tokens

These include vendor-specific or niche services:

  • Shopify

  • PyPI

  • Doppler

  • Beamer

  • Clojars

  • Contentful

  • Databricks

  • Discord

  • Duffel

  • Easypost

  • Finicity

  • Flutterwave

  • Frame.io

  • GoCardless

  • Grafana

  • HubSpot

  • Ionic

  • Linear

  • Mailchimp

  • Mapbox

  • MessageBird

  • npm

  • Postman

  • RubyGems

  • SendGrid

  • Sendinblue

  • Shippo

  • Twitch


Miscellaneous Secrets

These may not fit standard categories but are covered by specific regex rules:

  • Private Signing Keys

  • Webhook URLs (e.g., Slack Webhooks)

  • JWT-style or Bearer tokens embedded in code


CI/CD and Package Registry Tokens

These secrets are used to authenticate with build, deployment, or artifact management systems:

  • PyPI – Upload token

  • Clojars – API token

  • npm – Access token

  • RubyGems – API token

  • GitHub & GitLab – Personal Access Tokens (used in CI/CD)

  • Pulumi, Terraform (HashiCorp) – Infrastructure as Code deployment tokens

These secrets are often embedded in build pipelines to publish or pull packages or deploy services.


Webhook Signing Keys

These are used to verify the integrity of incoming webhooks:

  • Mailgun – Webhook signing key

  • Slack – Webhook URL (used to receive data)

While webhook URLs can act as secrets, signing keys are explicitly used for security validation, not just access.


Mobile SDK or Embedded Client Keys

Some tokens are typically used in client-side or mobile apps:

  • Stripe Publishable Keys – Marked as Low severity

  • Mapbox Public Keys

  • Flutterwave Public Keys

  • Lob Publishable API Keys

These keys are meant to be exposed in frontend/mobile apps but still tracked due to misuse potential or misclassification.


Client Identifiers (non-secret but sensitive)

Some fields like Client ID are technically not secret, but they:

  • Appear in rules (e.g. LinkedIn, Adobe, Discord)

  • Are flagged because leaking them could assist an attacker in phishing or spoofing OAuth workflows

These are tracked to prevent partial disclosure that may combine with other secrets.


Potentially Sensitive Identifiers

While not secrets in themselves, some rules match identifiers that, when leaked, may facilitate further discovery or abuse:

  • AWS Account ID

  • GitHub App/Refresh Tokens

  • Dropbox Short/Long-lived Tokens

These are high-value identifiers even if they don’t unlock access directly, and may be abused in chaining attacks.


Test Environment Secrets

Many tokens are prefixed with:

  • test_, sandbox_, dev_, etc.

Examples include:

  • duffel_test_

  • FLWSECK_TEST

  • sk_test_ / pk_test_ (Stripe)

  • shippo_test_
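As an added illustration, not code from Mend or from this page, the following Python shows how prefix-based rules can separate test-environment tokens, client-side publishable keys, and live secrets across the categories above, using the prefixes listed on this page (sk_test_ / pk_test_, duffel_test_, FLWSECK_TEST, shippo_test_, AGE-SECRET-KEY). The regexes, the sk_live_ / pk_live_ forms, the token character classes, and the three-level severity policy are assumptions for the example, not the product's actual rules.

```python
import re
# Constructed prefix rules illustrating the categories on this page; they are
# not Mend's own detection rules. Token bodies use deliberately loose classes.
RULES = {
    "stripe-secret":      re.compile(r"\b(sk_(?:test|live)_[A-Za-z0-9]{16,})"),
    "stripe-publishable": re.compile(r"\b(pk_(?:test|live)_[A-Za-z0-9]{16,})"),
    "duffel-token":       re.compile(r"\b(duffel_(?:test|live)_[A-Za-z0-9_-]{16,})"),
    "flutterwave-secret": re.compile(r"\b(FLWSECK(?:_TEST)?-[A-Za-z0-9-]{16,})"),
    "shippo-token":       re.compile(r"\b(shippo_(?:test|live)_[A-Za-z0-9]{16,})"),
    "age-secret-key":     re.compile(r"\b(AGE-SECRET-KEY-1[A-Z0-9]{20,})"),
}
PUBLISHABLE = {"stripe-publishable"}          # meant for client-side exposure
TEST_MARKER = re.compile(r"_test[_-]|sandbox_|dev_", re.IGNORECASE)

def severity(rule: str, env: str) -> str:
    # Assumed triage policy, not the product's: publishable keys low,
    # test/sandbox credentials medium, live secrets high.
    if rule in PUBLISHABLE:
        return "low"
    return "medium" if env == "test" else "high"

def scan(lines) -> list[dict]:
    """Return one finding per matched token, with the token value redacted."""
    findings = []
    for number, line in enumerate(lines, start=1):
        for rule, pattern in RULES.items():
            for match in pattern.finditer(line):
                token = match.group(1)
                env = "test" if TEST_MARKER.search(token) else "live"
                findings.append({
                    "line": number, "rule": rule, "env": env,
                    "severity": severity(rule, env),
                    "token": token[:10] + "...",  # never log the full secret
                })
    return findings

# Constructed sample resembling a leaked .env file; every value is made up.
SAMPLE = """\
STRIPE_SECRET=sk_test_EXAMPLEEXAMPLEEXAMPLE01
STRIPE_PUBLIC=pk_live_EXAMPLEEXAMPLEEXAMPLE02
DUFFEL_TOKEN=duffel_test_EXAMPLEEXAMPLEEXAMPLE03
FLW_SECRET=FLWSECK_TEST-EXAMPLEEXAMPLEEXAMPLE04-X
SHIPPO_TOKEN=shippo_test_EXAMPLEEXAMPLEEXAMPLE05
AGE_KEY=AGE-SECRET-KEY-1EXAMPLEEXAMPLEEXAMPLEEXAMPLE06
LOG_LEVEL=debug
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE.splitlines()):
        print(finding)
```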
