
Code Secret Scanning

Overview

Mend SAST Secret Scanning gives a more comprehensive security overview by adding the capability to:
1) Scan both source code and configuration files for exposed credentials, using pattern matching.
2) View the results alongside the standard SAST results.

Configuration Files

Below is a list of some of the more prominent configuration file types that are scanned for exposed credentials.

  • JSON

  • XML

  • .properties

  • .yaml

  • .config

Limitations

  • Code snippets with anonymized secrets are not supported.

  • All secret findings are labelled as ‘Medium’ severity.

Getting it done

Secret Scanning as part of a Regular SAST Scan

To add secret detection to your regular SAST scan, add the --secrets-detection command line parameter to your regular mend code command in the Mend CLI.

When unspecified, secret scanning as part of your SAST scan is disabled.

Note: This mode is also supported in the Developer Platform and Mend for GitHub.com.

Here’s what a SAST scan with secrets detection enabled would look like in the terminal:

[Screenshot: Example of Mend CLI SAST Scan with Secrets Detection]

Standalone Secret Scanning

To run standalone SAST secret scanning, add the --secrets-detection-only command line parameter to your mend code command in the Mend CLI.

When this parameter is set, the scan skips the detected programming languages and runs only secret detection.

Here’s what a standalone secrets scan would look like in the terminal:

[Screenshot: Example of a Standalone Mend CLI SAST Secrets Scan]

Viewing Results

The results of the secret scanning will appear in the platform UI alongside other Code findings.

They will be differentiated from other code findings by the value “Secrets” in the Language column.

Noteworthy values of secret scanning findings:

  1. CWE Name - 2 possible values:

     A. Hardcoded Password/Credentials (CWE-798)

     B. Secret in Configuration File (CWE-260)

  2. Severity - Always Medium.

  3. Sink - The type of secret detected, e.g., Postman API Token, AWS Access Key ID, etc.

  4. Language - “Secrets”.
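To make the behaviour described above concrete, here is an added example of a minimal pattern-based secret scanner, written for this page and not Mend's own code. It runs the same patterns over source and configuration files, assigns CWE-260 to configuration file types and CWE-798 to everything else, reports the secret type as the Sink, and labels every finding with Medium severity and the language "Secrets". The regexes, the `.yml` alias, the placeholder rule (which drops anonymised or templated values, in line with the limitation noted above) and the sample files are assumptions constructed for the demonstration, not the vendor's rule set.

```python
"""Illustrative pattern-based secret scanner (added example, not Mend's code)."""
import re
from dataclasses import dataclass
from pathlib import PurePosixPath

# Configuration file types listed on the page (.yml added as a common alias; assumption).
CONFIG_EXTENSIONS = {".json", ".xml", ".properties", ".yaml", ".yml", ".config"}

# Secret type shown in the "Sink" column -> regex capturing the secret in group "value".
# Constructed for this example; a real rule set is far larger.
SECRET_PATTERNS = {
    "AWS Access Key ID": re.compile(r"\b(?P<value>AKIA[0-9A-Z]{16})\b"),
    "Hardcoded Password": re.compile(
        r"(?i)(?:password|passwd|pwd)\s*[:=]\s*['\"]?(?P<value>[^'\"\s]{8,})"
    ),
}

# Anonymised or templated values (xxxx, ****, <placeholder>, ${ENV_VAR}) are not real
# secrets; the page notes anonymised secrets are not supported, so they are dropped here.
PLACEHOLDER = re.compile(r"^(?:x+|\*+|<[^>]+>|\$\{[^}]+\})$", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    sink: str                  # type of secret detected
    cwe: str
    cwe_name: str
    severity: str = "Medium"   # all secret findings carry Medium severity
    language: str = "Secrets"  # value shown in the Language column


def classify(path: str) -> tuple[str, str]:
    """CWE-260 for configuration files, CWE-798 for source code and anything else."""
    if PurePosixPath(path).suffix.lower() in CONFIG_EXTENSIONS:
        return "CWE-260", "Secret in Configuration File"
    return "CWE-798", "Hardcoded Password/Credentials"


def scan_text(path: str, text: str) -> list[Finding]:
    """Run every pattern over every line of one file and collect findings."""
    cwe, cwe_name = classify(path)
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for sink, pattern in SECRET_PATTERNS.items():
            for match in pattern.finditer(line):
                if PLACEHOLDER.match(match.group("value")):
                    continue  # anonymised/templated value, not reported
                findings.append(Finding(path, lineno, sink, cwe, cwe_name))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    """Scan an in-memory {path: contents} mapping standing in for a repository tree."""
    return [f for path, text in files.items() for f in scan_text(path, text)]


# Constructed sample inputs. The AWS key is AWS's documented example key, not a live one.
SAMPLE_FILES = {
    "src/db.py": 'db_password = "hunter2hunter2"\n',           # source code -> CWE-798
    "config/settings.yaml": "aws_access_key_id: AKIAIOSFODNN7EXAMPLE\n",  # config -> CWE-260
    "config/db.properties": "db.password=${DB_PASSWORD}\n",   # templated value, skipped
    "docs/README.md": "password = xxxxxxxxxxxx\n",             # anonymised value, skipped
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line}  {f.sink}  {f.cwe} {f.cwe_name}  {f.severity}  {f.language}")
```

Running the block reports two findings: the hardcoded password in `src/db.py` under CWE-798 and the AWS key in `config/settings.yaml` under CWE-260; the templated and anonymised values produce nothing, which is the behaviour to expect from a scanner that does not support anonymised secrets.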


Clicking anywhere on the row of a detected secret opens a drawer with more in-depth information about the secret.

Note: You can create Automation Workflows around secret detection to trigger policy violations and fail builds, in a similar fashion to every other Code finding.

Visit the Automation Workflows documentation for more details.

[Screenshot: Example - Automation Workflow Triggered by Detection of CWE-260: Secret in Configuration File]
