Skip to content

Configurations

Secret Type Control

Configure customized rules for handling secrets based on their type, enabling tailored actions such as adjusting severity, modifying exposure status, or disabling scanning. This allows precise control over how different secret types are prioritized and managed across your environment.

Rules can be configured under Settings > Secret Type Control.

Available Actions:

Each rule is applied to all existing and future findings of the selected secret type.

  • Automatically Promote to Exposed - Add all findings of this secret type to the Exposed Inventory and raise relevant risks associated.

  • Automatically Demote to Generic Exposed - Downgrade all findings of this secret type to Generic Exposed Inventory, and resolve any open risks.

  • Automatically Increase Severity Score - Increase the severity score for all findings and risks associated with this secret type.

  • Automatically Decrease Severity Score - Decrease the severity score for all findings and risks associated with this secret type.

  • Disable Scanning for This Secret Type - Exclude this secret type from scanning. All current findings will be automatically archived and hidden from Inventory and Risks.

Custom Detection Rules

Custom Detection Rules allow you to expand beyond built-in detectors by defining your own specific patterns to find sensitive data unique to your organization.

Creating a Custom Detection Rule

Navigate to Settings > Custom Detection Rules to begin.

The creation process is a simple two-step flow: 1. Rule Setup and 2. Validate Pattern.

  1. Step 1: Rule Setup

    In this step, you will define the core components of your rule. All fields are mandatory.

    1. Rule Name: Provide a clear, descriptive name for your rule. This name will appear in detected findings.

    2. Detection Method: Choose one of the two methods for finding matches:

      • DLP Phrase: For detecting specific words or phrases. This is a direct text match.

      • Regex: For advanced pattern matching using regular expressions. This allows you to find complex or variable data, like formatted ID numbers.

        Note: Our system uses the Go (Golang) regular expression flavor.

    3. Pattern: Based on your chosen method, enter the text or regex pattern you want to detect.

      • For DLP Phrase: Enter the exact text to match (e.g., Project-Helios-Secret).

      • For Regex: Enter the regular expression pattern (e.g., PROJ-\d{5}-[A-Z]{3}).

    4. Target Account (Scope): Define where the rule should be applied. You can select multiple accounts or account types.

      • By Account Type: Apply the rule broadly to all connected accounts of a certain type (e.g., all GitHub repositories, all Slack workspaces).

      • By Specific Accounts: Apply the rule to one or more specific, hand-picked accounts.

    After configuring these details, click Next to proceed to the validation step.

  2. Step 2: Validate Pattern

    Before creating the rule, it is crucial to verify that your pattern detects the correct data without generating unwanted noise.

    1. Review Your Pattern: The DLP phrase or regex you configured is displayed at the top.

    2. Provide Sample Data: In the "Test Input" text box, paste a sample of data that contains examples of what you want—and do not want—to detect.

    3. Check the Results: The validator will instantly scan your sample data and highlight all matches in real-time. A "Matches Found" count will confirm if your pattern is working as expected.

    This step allows you to fine-tune your pattern for accuracy, ensuring it is neither too broad nor too narrow before you save it.

    Once you are satisfied with the results, click Create Rule.

⚠️ To ensure high performance and accurate results, the system automatically blocks the creation of rules using overly generic regex patterns. For more details, please see the blacklist at the end of this document.

Managing Findings and Automation

The rule is automatically included in all future scans of the selected accounts.

All findings will be automatically added to Generic Exposed tab in the inventory. The secret type will be labeled as Custom Regex or DLP Custom Pattern.

Enable Actions Based on Detection Rules

Here, you can create policies to automatically manage findings from your custom rules. For example, you can configure a rule so that any finding matching your "Customer PII" pattern is automatically promoted from "Generic Exposed" to "Exposed," ensuring it gets immediate attention.

Appendix: Regex Blacklist

To maintain system performance and prevent an excessive number of false positives, the following overly generic regex patterns are not permitted:

      '.*',              // Matches everything
      '.+',              // Matches any non-empty string
      '\\w+',            // Matches any word
      '\\d+',            // Matches any number
      '\\S+',            // Matches any non-whitespace
      '[a-zA-Z]+',       // Matches any letters
      '[a-z]+',          // Matches any lowercase letters
      '[A-Z]+',          // Matches any uppercase letters
      '[0-9]+',          // Matches any digits
      '.{1,4}',          // Matches 1-4 of any character
      '.{1,5}',          // Matches 1-5 of any character
      '.{1,10}',         // Matches 1-10 of any character
      '\\w{1,4}',        // Matches 1-4 word characters
      '\\w{1,5}',        // Matches 1-5 word characters
      '\\w{1,10}',       // Matches 1-10 word characters
      '\\d{1,4}',        // Matches 1-4 digits
      '\\d{1,5}',        // Matches 1-5 digits
      '\\d{1,10}',       // Matches 1-10 digits
      '[a-zA-Z]{1,4}',   // Matches 1-4 letters
      '[a-zA-Z]{1,5}',   // Matches 1-5 letters
      '[a-zA-Z]{1,10}',  // Matches 1-10 letters
      '[a-z]{1,4}',      // Matches 1-4 lowercase letters
      '[a-z]{1,5}',      // Matches 1-5 lowercase letters
      '[a-z]{1,10}',     // Matches 1-10 lowercase letters
      '[A-Z]{1,4}',      // Matches 1-4 uppercase letters
      '[A-Z]{1,5}',      // Matches 1-5 uppercase letters
      '[A-Z]{1,10}',     // Matches 1-10 uppercase letters
      '[0-9]{1,4}',      // Matches 1-4 digits
      '[0-9]{1,5}',      // Matches 1-5 digits
      '[0-9]{1,10}',     // Matches 1-10 digits
      '\\s+',            // Matches any whitespace
      '\\S*',            // Matches any non-whitespace (0 or more)
      '\\w*',            // Matches any word characters (0 or more)
      '\\d*',            // Matches any digits (0 or more)
      '[a-zA-Z]*',       // Matches any letters (0 or more)
      '[a-z]*',          // Matches any lowercase letters (0 or more)
      '[A-Z]*',          // Matches any uppercase letters (0 or more)
      '[0-9]*',          // Matches any digits (0 or more)
      '.',               // Matches any single character
      '.?',              // Matches any single character (optional)
      '\\w',             // Matches any single word character
      '\\d',             // Matches any single digit
      '\\S',             // Matches any single non-whitespace
      '[a-zA-Z]',        // Matches any single letter
      '[a-z]',           // Matches any single lowercase letter
      '[A-Z]',           // Matches any single uppercase letter
      '[0-9]',           // Matches any single digit
      // Common overly permissive patterns
      '.*\\w+.*',        // Any word surrounded by anything
      '.*\\d+.*',        // Any number surrounded by anything
      '.+\\w+.+',        // Any word with something before and after
      '.+\\d+.+',        // Any number with something before and after