Code Secrets - Appendix
Overview
This article lists the types of secrets that Mend SAST detects as part of its secrets detection feature.
Supported Secrets
Cloud Provider Access Tokens and Secrets
These represent credentials that grant access to cloud environments:
AWS
Access Key ID
Secret Access Key
Account ID
Google Cloud Platform (GCP)
Service account credentials
Alibaba Cloud
Access Key ID
Secret Key
Heroku
API Key
HashiCorp
Terraform API Token
Pulumi
API Token
PlanetScale
API Token
Password
Asymmetric & Encryption Keys
These are used for securing communications or authentication:
Asymmetric Private Keys
PEM-formatted keys like RSA, DSA, EC, etc.
Age
AGE-SECRET-KEY for file encryption
API Provider Tokens
These provide access to various SaaS provider APIs:
GitHub (PAT, OAuth, App Token, Refresh Token)
GitLab (PAT)
Stripe (Publishable & Secret Keys)
Slack (Access Token, Webhook)
Twilio (API Key)
Mailgun (API Key, Signing Key)
SendGrid, Sendinblue, Postman, Databricks, Dropbox, Shippo, Lob, Typeform, etc.
New Relic (User API Key, Browser Token)
Dynatrace, Intercom, Linear, Bitbucket, Atlassian, Fastly, Clojars, Contentful, etc.
This includes a large number of specific SaaS provider keys (see "Custom or Lesser-known API Provider Tokens" below for the list).
OAuth Clients and Secrets
Used for applications performing OAuth authentication:
Adobe
Client ID & Secret
Asana
Client ID & Secret
Atlassian
API Token
Bitbucket
Client ID & Secret
Discord
Client ID, Secret, and API Key
Facebook
Token
Twitter
Token
LinkedIn
Client ID & Secret
Intercom
Client Secret
Custom or Lesser-known API Provider Tokens
These include vendor-specific or niche services:
Shopify
PyPI
Doppler
Beamer
Clojars
Contentful
Databricks
Discord
Duffel
Easypost
Finicity
Flutterwave
Frame.io
GoCardless
Grafana
HubSpot
Ionic
Linear
Mailchimp
Mapbox
MessageBird
Npm
Postman
RubyGems
SendGrid
Sendinblue
Shippo
Twitch
Miscellaneous Secrets
These may not fit standard categories but are covered by specific regex rules:
Private Signing Keys
Webhook URLs (e.g., Slack Webhooks)
JWT-style or Bearer tokens embedded in code
CI/CD and Package Registry Tokens
These secrets are used to authenticate with build, deployment, or artifact management systems:
PyPI – Upload token
Clojars – API token
npm – Access token
RubyGems – API token
GitHub & GitLab – Personal Access Tokens (used in CI/CD)
Pulumi, Terraform (HashiCorp) – Infrastructure as Code deployment tokens
These secrets are often embedded in build pipelines to publish or pull packages or deploy services.
Webhook Signing Keys
These are used to verify the integrity of incoming webhooks:
Mailgun – Webhook signing key
Slack – Webhook URL (the URL itself is the credential for posting messages into a workspace)
While a webhook URL can act as a secret, a signing key is explicitly used for security validation of incoming requests, not just for access. Leaking it lets an attacker forge webhooks that pass verification.
Mobile SDK or Embedded Client Keys
Some tokens are typically used in client-side or mobile apps:
Stripe Publishable Keys – marked as Low severity
Mapbox Public Keys
Flutterwave Public Keys
Lob Publishable API Keys
These keys are meant to be exposed in frontend/mobile apps but still tracked due to misuse potential or misclassification.
Client Identifiers (non-secret but sensitive)
Some fields, such as Client ID, are technically not secret, but they:
Appear in rules (e.g. LinkedIn, Adobe, Discord)
Are flagged because leaking them could assist an attacker in phishing or spoofing OAuth workflows
These are tracked to prevent partial disclosure that may combine with other secrets.
Potentially Sensitive Identifiers
Some rules match values that are not usable as a credential on their own (an AWS Account ID) or whose direct use is limited by expiry or by needing other material (an app token expires; a refresh token must be exchanged together with the client secret). When leaked, they may still facilitate further discovery or abuse:
AWS Account ID
GitHub App/Refresh Tokens
Dropbox Short/Long-lived Tokens
These are high-value even where they do not unlock access directly, because they can be chained with other leaked material in a multi-step attack.
Test Environment Secrets
Many tokens carry an environment prefix such as test_, sandbox_ or dev_. Examples include:
duffel_test_ (Duffel)
FLWSECK_TEST (Flutterwave)
sk_test_ / pk_test_ (Stripe)
shippo_test_ (Shippo)
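To make the publishable-key severity and the test-environment prefix points above concrete, here is an added Python example (not Mend's rule set or code): a small regex scanner over constructed sample source lines that reports, per hit, the rule, its severity, and whether the value carries a test-environment marker. The patterns, severities and key lengths are assumptions for illustration; the sample values are public documentation examples or zero-filled placeholders, not real credentials.

```python
import re
from dataclasses import dataclass

# Illustrative rules (an assumption for this example, not Mend's rule set):
# (rule id, compiled pattern, severity). Key lengths are approximate.
RULES = [
    ("stripe-secret-key", re.compile(r"\bsk_(?:test|live)_[0-9A-Za-z]{24,}\b"), "High"),
    ("stripe-publishable-key", re.compile(r"\bpk_(?:test|live)_[0-9A-Za-z]{24,}\b"), "Low"),
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b"), "High"),
    ("slack-webhook-url",
     re.compile(r"https://hooks\.slack\.com/services/T[0-9A-Z]+/B[0-9A-Z]+/[0-9A-Za-z]+"), "High"),
    ("flutterwave-secret-key", re.compile(r"\bFLWSECK(?:_TEST)?-[0-9A-Za-z]{32}-X\b"), "High"),
]

# Environment markers that appear as a separate token inside a key
# (sk_test_, shippo_test_, FLWSECK_TEST-, sandbox_, dev_).
ENV_MARKER = re.compile(r"(?<![A-Za-z0-9])(test|sandbox|dev)(?![A-Za-z0-9])", re.I)

# Constructed sample file: Stripe and AWS values are documentation examples,
# the rest are zero-filled placeholders.
SAMPLE_SOURCE = "\n".join([
    'STRIPE_SECRET = "sk_live_4eC39HqLyjWDarjtT1zdp7dc"',
    'STRIPE_PUBLIC = "pk_test_TYooMQauvdEDq54NiTphI7jx"',
    'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"',
    'SLACK_HOOK = "https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX"',
    'FLW_KEY = "FLWSECK_TEST-' + "0" * 32 + '-X"',
    'NOT_A_SECRET = "hello world"',
])


@dataclass
class Finding:
    rule: str
    severity: str
    environment: str  # "test" if a test/sandbox/dev marker is present, else "live"
    line: int
    masked: str       # never log the full value


def mask(value: str, keep: int = 8) -> str:
    """Keep only the prefix so reports stay useful without re-leaking the secret."""
    return value[:keep] + "..." if len(value) > keep else value


def environment_of(value: str) -> str:
    return "test" if ENV_MARKER.search(value) else "live"


def scan(source: str) -> list[Finding]:
    """Run every rule over every line; one Finding per match."""
    findings: list[Finding] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for rule_id, pattern, severity in RULES:
            for m in pattern.finditer(line):
                value = m.group(0)
                findings.append(Finding(rule_id, severity, environment_of(value), lineno, mask(value)))
    return findings


def summarize(findings: list[Finding]) -> dict[tuple[str, str], int]:
    """Count findings by (severity, environment) for triage."""
    summary: dict[tuple[str, str], int] = {}
    for f in findings:
        key = (f.severity, f.environment)
        summary[key] = summary.get(key, 0) + 1
    return summary


if __name__ == "__main__":
    results = scan(SAMPLE_SOURCE)
    for f in results:
        print(f"line {f.line}: {f.rule} [{f.severity}, {f.environment}] {f.masked}")
    print(summarize(results))
```

The scanner reports test-mode keys rather than dropping them: a test key in a repository still tells an attacker which providers are in use and often sits beside the live one, so the environment marker is triage information, not a reason to suppress the finding.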