Skip to content

Cleartext Exposed Secrets

Cleartext exposed secrets use-cases

Industry-leading exposed secrets detections across the entire organization. Reveal clear-text secrets exposed in cloud providers configurations, code-repositories, CICD output logs, collaboration platforms, and messaging apps.

Description

Compared to regular human-owned username and passwords, secrets & tokens lack additional security observability (continued monitoring), restrictions (conditional access, IP lock) and enforcements (MFA). This will make them the number one targets for credentials harvesting during a potential breach. SailPoint Entro reveals all clear-text secrets scattered on your organization and prioritizes which should be eliminated.

Validity

Each detected secret also includes validation status, to determine whether it can be leveraged to gain additional access to your organization’s resources.

  • Enabled The token has been confirmed by SailPoint Entro as enabled and is publicly accessible. This makes it potentially vulnerable to exploitation by unauthorized actors.

  • Disabled The token is confirmed to be disabled or deactivated. This state prevents it from being exploited for unauthorized access. Regularly review the status of the token to ensure it remains disabled.

  • Invalid This token is not usable and cannot be exploited for unauthorized access. The invalidity could be due to incorrect formatting, expiration, revocation, or access restriction.

  • Revoked This secret has transitioned from enabled to invalid. It is now invalid and cannot be used for authorization.

  • Unsupported Validity check not supported by cloud provider.

  • Unreachable Due to network restrictions (on-prem server, firewall), the secret cannot be validated.

When an enabled secret is observed, entro will also include some enrichment data for it in the “Validity” tab.

Context

When an exposed secret is also correlated with one of your organization's NHI Tokens, SailPoint Entro will include additional context and enrichment for the exposed secret, such as:

  • Target account

  • Environment labeling

  • Permissioning

  • Usage

  • Rotation

  • Owners

Risks triggers

Risks associated with exposed secrets will only open if the exposed secret is not invalid, revoked or disabled. It’s also possible to restrict risks to open only if the exposed secret is enabled. Any risk of exposed secret transitioning from enabled to revoked/invalid/disabled will be automatically resolved.

JSON example

Risk JSON

account: {environment: "github", environmentType: "Prod"}
accountId: "github"
accountType: "GITHUB"
category: "EXPOSED_SECRET"
correlationGuid: "NTR-127961"
creationDate: "2024-10-29T06:00:04.074Z"
customData: null
customerId: 34
data: null
description: "Secret exposed in a workflow job output"
destination: "AWS_FULL_CREDENTIALS"
guid: "RSK-10359"
hasComment: null
hasJiraTicket: null
hasSeen: false
hasSlackMessage: null
id: 54858
isArchived: false
key: "EXPOSURE-EXP-80291"
linkedElements: ["EXP-80291"]
logChangeType: null
modifyDate: "2024-10-29T08:03:33.024Z"
name: "Secret is exposed in GitHub workflows logs"
occurrences: ["GITHUB_ACTIONS_WORKFLOWS_LOG", "AWS_IAM_ACCESS_KEY", "GITHUB_ACTIONS_WORKFLOWS_LOG",…]
owner: "johns"
ownerAiObject: null
ownerUid: null
path: "entro-e2e/exposing-credentials-test/test-by-trigger/undefined"
ruleCode: "EXPOSED_GITHUB_ACTIONS_WORKFLOWS"
scanId: 2937463
severity: "CRITICAL"
source: "GITHUB_ACTIONS_WORKFLOWS_LOG"
status: "OPEN"
tags: ["Secret leak", "Log file", "Workflow file", "github", "Private", "NHI"]
tasks: [{customerId: 34, riskId: 54858, type: "EXPOSED_CONFIG", level: "HARD",…}]
type: "EXPOSURE"

Linked Element (Exposed Secret) JSON

account: {environment: "github", environmentType: "Prod", accountType: "GITHUB", id: "github"}
accountId: "github"
accountType: "GITHUB"
correlationGuid: "NTR-127961"
customerId: 34
detectionTime: "2024-10-29T04:13:37.588Z"
exposedLocationType: "GITHUB_ACTIONS_WORKFLOWS_LOG"
exposureOnExternalChat: false
exposureOnPublicGitRepo: false
exposurePath: "entro-e2e/exposing-credentials-test/test-by-trigger"
exposureUrl: "https://github.com/liminal-security/entro-e2e/actions/runs/11539115615/job/32118413208"
guid: "EXP-80291"
isAdmin: false
isArchived: false
isHidden: false
isNhi: true
keyFindingsJson: {workflow: {id: 122845052, name: "exposing-credentials-test",…},…}
keyId: "liminal-security_entro-e2e_122845052_32118413208_db942f8e3630feb119fa2007e60746bd86d7da54d768714a4161e7d9eca51a8c"
keyType: "GITHUB_ACTIONS_WORKFLOWS_LOG"
lastModified: "2024-10-27T08:54:08.000Z"
liminalCreationDate: "2024-10-29T04:13:37.588Z"
liminalModifyDate: "2024-10-29T07:17:58.427Z"
linkedElements: ["TKN-1452"]
location: "entro-security/entro-e2e"
ocr: null
origin: "AWS_FULL_CREDENTIALS"
owner: "johns"
ownerAiObject: null
ownerUid: null
scanId: 2927524
secretSnippet: "AKIARWNGDZ"
severity: "CRITICAL"
status: "ENABLED"
tags: {tags: ["github", "Private", "NHI"]}
uid: "1d028d50-3651-4157-b483-fe2e6bba5c74"
vendorHash: null