Secrets — Communication & Messaging

Slack, Twilio, Discord, Telegram, SendGrid, Mailgun and other messaging credentials.

All rules in this category are kind secrets. They run under vulnetix secrets and the secrets stage of vulnetix scan.

Rule ID	Name	Severity	Detection
VNX-SEC-097	Postmark server API token	High	keyword + regex
VNX-SEC-401	Mailchimp API key (-us datacenter)	Critical	keyword + regex
VNX-SEC-402	Mandrill API key	High	keyword + regex + entropy
VNX-SEC-403	SparkPost API key	High	keyword + regex + entropy
VNX-SEC-404	Mailjet API key (public)	Medium	keyword + regex + entropy
VNX-SEC-405	Mailjet secret key	High	keyword + regex + entropy
VNX-SEC-406	Vonage/Nexmo API secret	High	keyword + regex + entropy
VNX-SEC-407	Vonage/Nexmo API key	Medium	keyword + regex + entropy
VNX-SEC-408	MessageBird/Bird access key	High	keyword + regex + entropy
VNX-SEC-409	Plivo Auth ID (MA)	Medium	keyword + regex + entropy
VNX-SEC-410	Plivo Auth ID (SA subaccount)	Medium	keyword + regex + entropy
VNX-SEC-411	Plivo Auth Token	High	keyword + regex + entropy
VNX-SEC-412	Telnyx API key (KEY)	Critical	keyword + regex + entropy
VNX-SEC-413	Bandwidth API token/secret	High	keyword + regex + entropy
VNX-SEC-414	Sinch service plan API token	High	keyword + regex + entropy
VNX-SEC-415	Infobip API key	High	keyword + regex + entropy
VNX-SEC-416	ClickSend API key	High	keyword + regex + entropy
VNX-SEC-418	Discord client secret	High	keyword + regex + entropy
VNX-SEC-419	Slack app-level token (xapp-)	Critical	keyword + regex
VNX-SEC-420	Slack config refresh token (xoxe-)	Critical	keyword + regex
VNX-SEC-421	Slack config access token (xoxe.xoxp-/xoxb-)	Critical	keyword + regex
VNX-SEC-422	Microsoft Graph / Azure AD client secret	Critical	keyword + regex + entropy
VNX-SEC-423	Intercom access token	High	keyword + regex + entropy
VNX-SEC-424	Zendesk API token	High	keyword + regex + entropy
VNX-SEC-425	Freshchat API token	High	keyword + regex + entropy
VNX-SEC-426	Front API token	High	keyword + regex + entropy
VNX-SEC-427	Help Scout API key / app secret	High	keyword + regex + entropy
VNX-SEC-428	Crisp API key / identifier	High	keyword + regex + entropy
VNX-SEC-429	Drift API token	High	keyword + regex + entropy
VNX-SEC-430	Customer.io tracking/app API key	High	keyword + regex + entropy
VNX-SEC-431	Klaviyo private API key (pk_)	Critical	keyword + regex
VNX-SEC-432	Klaviyo OAuth refresh token	High	keyword + regex + entropy
VNX-SEC-433	Iterable API key	High	keyword + regex + entropy
VNX-SEC-434	Braze REST API key	High	keyword + regex + entropy
VNX-SEC-435	OneSignal REST API key (os_v2)	Critical	keyword + regex
VNX-SEC-436	OneSignal REST API key (legacy hex)	High	keyword + regex + entropy
VNX-SEC-437	Pusher Channels app secret	High	keyword + regex + entropy
VNX-SEC-438	Pusher Channels app key	Medium	keyword + regex + entropy
VNX-SEC-439	Ably API key	Critical	keyword + regex + entropy
VNX-SEC-440	PubNub publish key (pub-c-)	High	keyword + regex
VNX-SEC-441	PubNub subscribe key (sub-c-)	Medium	keyword + regex
VNX-SEC-442	PubNub secret key (sec-c-)	Critical	keyword + regex
VNX-SEC-443	Stream (getstream) API secret	High	keyword + regex + entropy
VNX-SEC-444	Stream (getstream) API key	Medium	keyword + regex + entropy
VNX-SEC-445	Courier auth token (pk_prod_/pk_test_)	High	keyword + regex
VNX-SEC-446	Knock API key (sk_/sk_test_)	High	keyword + regex + entropy
VNX-SEC-447	Loops API key	High	keyword + regex + entropy
VNX-SEC-448	Resend API key (re_)	Critical	keyword + regex
VNX-SEC-449	Brevo/Sendinblue API key (xkeysib-)	Critical	keyword + regex
VNX-SEC-450	Brevo/Sendinblue SMTP key (xsmtpsib-)	High	keyword + regex
VNX-SEC-451	Mailtrap API token	High	keyword + regex + entropy
VNX-SEC-452	SMTP2GO API key (api-)	High	keyword + regex + entropy
VNX-SEC-453	SendGrid subuser/marketing API key (SG.)	High	keyword + regex + entropy
VNX-SEC-454	Mailgun sending API key (key-)	High	keyword + regex + entropy
VNX-SEC-455	Postmark account token	High	keyword + regex + entropy
VNX-SEC-456	Telnyx public key (TKEY/v2 public)	Medium	keyword + regex + entropy
VNX-SEC-458	Twilio SendGrid subuser SMTP password	High	keyword + regex + entropy
VNX-SEC-459	Telnyx Messaging Profile secret	High	keyword + regex + entropy
VNX-SEC-460	Mailchimp Transactional (Mandrill md- key)	High	keyword + regex + entropy
VNX-SEC-461	Knock public API key (pk_)	Low	keyword + regex + entropy
VNX-SEC-462	Customer.io App API key (Bearer)	High	keyword + regex + entropy
VNX-SEC-463	Customer.io tracking site/API key pair	High	keyword + regex + entropy
VNX-SEC-464	Infobip Basic auth API key (App)	High	keyword + regex + entropy
VNX-SEC-465	Ably API key (keyword context)	Critical	keyword + regex + entropy
VNX-SEC-466	PubNub secret/keyword key	High	keyword + regex + entropy
VNX-SEC-467	Courier auth token (keyword context)	High	keyword + regex + entropy
VNX-SEC-468	Loops transactional API key (keyword)	High	keyword + regex + entropy
VNX-SEC-469	Sinch service plan ID + token (Bearer)	High	keyword + regex + entropy
VNX-SEC-470	Help Scout OAuth2 app id/secret pair	High	keyword + regex + entropy
VNX-SEC-471	Intercom OAuth client secret	High	keyword + regex + entropy
VNX-SEC-472	ClickSend username+API key Basic header	High	keyword + regex + entropy
VNX-SEC-473	Bandwidth account API token+secret pair	High	keyword + regex + entropy
VNX-SEC-474	Plivo Basic auth header (Auth ID:Token)	High	keyword + regex + entropy
VNX-SEC-475	Stream getstream JWT server token	High	keyword + regex + entropy
VNX-SEC-476	Freshchat bundle/app token (keyword)	High	keyword + regex + entropy
VNX-SEC-477	Resend webhook signing secret (whsec_)	Medium	keyword + regex
VNX-SEC-478	Drift OAuth client secret	High	keyword + regex + entropy
VNX-SEC-479	Crisp plugin token (keyword)	High	keyword + regex + entropy
VNX-SEC-480	Iterable JWT-enabled API key	High	keyword + regex + entropy

Remediation

Rotate any exposed credential immediately, remove it from source, and load it from a secrets manager or environment variable instead. Purge it from git history with git filter-repo. See CWE-798 and the OWASP Secrets Management Cheat Sheet.