Secrets — Cloud Providers

AWS, Azure, GCP, Alibaba, Oracle, DigitalOcean, IBM and other cloud-provider credential detection rules.

All rules in this category are of kind `secrets`. They run under `vulnetix secrets` and the secrets stage of `vulnetix scan`.

| Rule ID | Name | Severity | Detection |
|---|---|---|---|
| VNX-SEC-081 | Cloudflare API token (cfk_) | Critical | keyword + regex |
| VNX-SEC-082 | Cloudflare user/account token (cfut_/cfat_) | Critical | keyword + regex |
| VNX-SEC-083 | Heroku API key (v2 HRKU-) | Critical | keyword + regex |
| VNX-SEC-084 | Salesforce access token | Critical | regex |
| VNX-SEC-101 | Oracle Cloud (OCI) API private key | Critical | keyword + regex |
| VNX-SEC-102 | Oracle Cloud (OCI) auth token | High | keyword + regex + entropy |
| VNX-SEC-103 | IBM Cloud IAM API key | Critical | keyword + regex + entropy |
| VNX-SEC-104 | Tencent Cloud secret ID (AKID) | High | keyword + regex |
| VNX-SEC-105 | Tencent Cloud secret key | Critical | keyword + regex + entropy |
| VNX-SEC-106 | Yandex Cloud IAM token | High | keyword + regex |
| VNX-SEC-107 | Yandex Cloud OAuth token | Critical | keyword + regex |
| VNX-SEC-108 | Scaleway secret key (UUID) | Critical | keyword + regex |
| VNX-SEC-109 | Scaleway access key (SCW prefix) | High | keyword + regex |
| VNX-SEC-110 | Hetzner Cloud API token | Critical | keyword + regex + entropy |
| VNX-SEC-111 | Linode personal access token | Critical | keyword + regex |
| VNX-SEC-112 | Vultr API key | Critical | keyword + regex + entropy |
| VNX-SEC-113 | Fastly API token | High | keyword + regex + entropy |
| VNX-SEC-114 | Akamai EdgeGrid client token | High | keyword + regex |
| VNX-SEC-115 | Akamai EdgeGrid client secret | Critical | keyword + regex + entropy |
| VNX-SEC-116 | AWS SES SMTP password | High | keyword + regex + entropy |
| VNX-SEC-117 | AWS MWS auth token | High | keyword + regex |
| VNX-SEC-118 | AWS AppSync GraphQL API key (da2-) | High | keyword + regex |
| VNX-SEC-119 | AWS Cognito identity/user pool ID | Medium | keyword + regex |
| VNX-SEC-120 | AWS Cognito app client secret | High | keyword + regex + entropy |
| VNX-SEC-121 | AWS Amplify app deploy/webhook ID | Medium | keyword + regex |
| VNX-SEC-122 | AWS SNS topic ARN with credentials context | Medium | keyword + regex |
| VNX-SEC-123 | Azure AD client secret | Critical | keyword + regex + entropy |
| VNX-SEC-124 | Azure SAS token (shared access signature) | High | keyword + regex |
| VNX-SEC-125 | Azure Service Bus connection string | Critical | keyword + regex |
| VNX-SEC-126 | Azure Cosmos DB account key | Critical | keyword + regex |
| VNX-SEC-127 | Azure Cognitive Search admin key | High | keyword + regex + entropy |
| VNX-SEC-128 | Azure Container Registry password | High | keyword + regex + entropy |
| VNX-SEC-129 | Azure DevOps personal access token | Critical | keyword + regex + entropy |
| VNX-SEC-130 | GCP OAuth access token (ya29.) | High | keyword + regex |
| VNX-SEC-131 | GCP OAuth refresh token (1//) | Critical | keyword + regex |
| VNX-SEC-132 | Google reCAPTCHA secret key | Medium | keyword + regex |
| VNX-SEC-133 | Firebase Cloud Messaging server key (AAAA) | High | keyword + regex |
| VNX-SEC-134 | Firebase Realtime Database URL | Medium | keyword + regex |
| VNX-SEC-135 | DigitalOcean Spaces access key | High | keyword + regex |
| VNX-SEC-136 | DigitalOcean Spaces secret key | Critical | keyword + regex + entropy |
| VNX-SEC-137 | Render API key (rnd_) | Critical | keyword + regex |
| VNX-SEC-138 | Railway API/project token | Critical | keyword + regex |
| VNX-SEC-139 | Fly.io API token (fo1_ / FlyV1) | Critical | keyword + regex |
| VNX-SEC-140 | Aiven API token (aivenv1 / context) | Critical | keyword + regex + entropy |
| VNX-SEC-141 | Cloudflare Origin CA key (v1.0-) | High | keyword + regex |
| VNX-SEC-142 | Cloudflare Stream signing key context | High | keyword + regex + entropy |
| VNX-SEC-143 | OVH application secret / consumer key | High | keyword + regex + entropy |
| VNX-SEC-144 | UpCloud API credentials context | High | keyword + regex + entropy |
| VNX-SEC-145 | Alibaba Cloud STS temporary access key (STS.) | High | keyword + regex |
| VNX-SEC-146 | IBM Cloud Object Storage HMAC secret access key | Critical | keyword + regex + entropy |
| VNX-SEC-147 | Azure Storage connection string | Critical | keyword + regex |
| VNX-SEC-148 | GCP service account email + key context | High | keyword + regex |
| VNX-SEC-149 | Google Maps Platform API key (AIza, restricted-context) | Medium | keyword + regex |
| VNX-SEC-150 | Scaleway API token (UUID, context) | High | keyword + regex |
| VNX-SEC-151 | Tencent Cloud COS connection (SecretId+SecretKey) | High | keyword + regex |
| VNX-SEC-152 | Cloudflare Global API key (legacy 37-hex) | Critical | keyword + regex + entropy |
| VNX-SEC-153 | GCP Firebase web API config apiKey (AIza, firebase context) | Medium | keyword + regex |
| VNX-SEC-154 | Hetzner DNS API token (context) | High | keyword + regex + entropy |
| VNX-SEC-155 | Vultr Object Storage S3 secret (context) | High | keyword + regex + entropy |
| VNX-SEC-156 | Fastly Compute / service ID with token context | Medium | keyword + regex + entropy |
| VNX-SEC-157 | Render deploy hook URL | Medium | keyword + regex |
| VNX-SEC-158 | Linode Object Storage access key (context) | High | keyword + regex + entropy |
| VNX-SEC-159 | Azure Maps subscription key (context) | Medium | keyword + regex + entropy |
| VNX-SEC-160 | GCP Cloud Run / IAP service identity token (context) | High | keyword + regex |
| VNX-SEC-161 | Alibaba Cloud secret access key (context) | Critical | keyword + regex + entropy |
| VNX-SEC-162 | OVH application key (context) | Medium | keyword + regex + entropy |
| VNX-SEC-163 | Yandex Cloud API key (AQVN context) | Critical | keyword + regex |
| VNX-SEC-164 | IBM Cloud IAM bearer token (context) | High | keyword + regex |
| VNX-SEC-165 | Aiven service connection URI (context) | Critical | keyword + regex |
| VNX-SEC-166 | Scaleway IAM API secret key (context) | Critical | keyword + regex |
| VNX-SEC-167 | Tencent Cloud SCF / API gateway secret (context) | Critical | keyword + regex + entropy |
| VNX-SEC-168 | Cloudflare R2 S3 secret access key (context) | Critical | keyword + regex + entropy |
| VNX-SEC-169 | Azure subscription / tenant credential bundle (context) | Critical | keyword + regex + entropy |
| VNX-SEC-170 | GCP API key (AIza) generic | High | keyword + regex |
| VNX-SEC-171 | Hetzner Cloud robot webservice password (context) | High | keyword + regex + entropy |
| VNX-SEC-172 | Vultr deploy / API token (context, hex) | High | keyword + regex + entropy |
| VNX-SEC-173 | Akamai EdgeGrid access token (context) | High | keyword + regex |
| VNX-SEC-174 | GCP service account private key (PEM in JSON) | Critical | keyword + regex |
| VNX-SEC-175 | Railway project deploy token (context, base64) | High | keyword + regex + entropy |
| VNX-SEC-176 | Oracle Cloud (OCI) config fingerprint+key context | Medium | keyword + regex |
| VNX-SEC-177 | DigitalOcean App Platform / function deploy URL (context) | Medium | keyword + regex |
| VNX-SEC-178 | Fly.io org deploy token (FlyV1 macaroon) | High | keyword + regex |
| VNX-SEC-179 | Tencent Cloud webhook URL (context) | Medium | keyword + regex |

Remediation

Rotate any exposed credential immediately, remove it from source, and load it from a secrets manager or environment variable instead. Purge it from git history with `git filter-repo`. See CWE-798 and the OWASP Secrets Management Cheat Sheet.