Secrets — Private Keys & Certificates
RSA, EC, OpenSSH, PGP, WireGuard, age and other private-key material.
All rules in this category are of kind `secrets`. They run under `vulnetix secrets` and in the `secrets` stage of `vulnetix scan`.
| Rule ID | Name | Severity | Detection |
|---|---|---|---|
| VNX-SEC-641 | OpenSSH private key block | Critical | keyword + regex |
| VNX-SEC-642 | RSA private key block | Critical | keyword + regex |
| VNX-SEC-643 | EC private key block | Critical | keyword + regex |
| VNX-SEC-644 | DSA private key block | Critical | keyword + regex |
| VNX-SEC-645 | PKCS8 private key block | Critical | keyword + regex |
| VNX-SEC-646 | Encrypted private key block | High | keyword + regex |
| VNX-SEC-647 | PuTTY private key file (.ppk) | Critical | keyword + regex |
| VNX-SEC-648 | SSH2 private key block | Critical | keyword + regex |
| VNX-SEC-649 | PKCS12 keystore reference | High | keyword + regex + entropy |
| VNX-SEC-650 | Certificate bundled with private key | Medium | keyword + regex |
| VNX-SEC-651 | JWT HS256 hardcoded signing secret | Critical | keyword + regex + entropy |
| VNX-SEC-697 | SSH private key beginning marker (generic) | Critical | keyword + regex |
| VNX-SEC-731 | Hardcoded session/cookie signing secret | High | keyword + regex + entropy |
| VNX-SEC-732 | Hardcoded encryption key (AES/Fernet context) | High | keyword + regex + entropy |
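How the "keyword + regex" and "keyword + regex + entropy" detection styles in the table work in practice, as an added example (this is illustrative code, not the scanner's shipped rule definitions). The rule IDs come from the table above; the patterns, the 3.5 bits/char entropy threshold, the choice to fire the generic marker rule only when no specific block rule matched, and the fixture text are all this example's own assumptions.

```python
"""Keyword + regex + entropy detection for the rules in the table above.

Added example. Rule IDs are from the page; patterns, threshold and fallback
logic are this example's approximations, not the scanner's own rules.
"""
import math
import re
from collections import Counter

# Specific private-key block markers: (rule id, severity, pattern).
KEY_BLOCK_RULES = [
    ("VNX-SEC-641", "Critical", re.compile(r"-----BEGIN OPENSSH PRIVATE KEY-----")),
    ("VNX-SEC-642", "Critical", re.compile(r"-----BEGIN RSA PRIVATE KEY-----")),
    ("VNX-SEC-643", "Critical", re.compile(r"-----BEGIN EC PRIVATE KEY-----")),
    ("VNX-SEC-644", "Critical", re.compile(r"-----BEGIN DSA PRIVATE KEY-----")),
    # PKCS#8 carries no algorithm word, so "BEGIN PRIVATE" only hits the bare form.
    ("VNX-SEC-645", "Critical", re.compile(r"-----BEGIN PRIVATE KEY-----")),
    ("VNX-SEC-646", "High", re.compile(r"-----BEGIN ENCRYPTED PRIVATE KEY-----")),
    ("VNX-SEC-647", "Critical", re.compile(r"^PuTTY-User-Key-File-\d+:", re.M)),
    ("VNX-SEC-648", "Critical", re.compile(r"---- BEGIN SSH2 ENCRYPTED PRIVATE KEY ----")),
]
# Catch-all marker (VNX-SEC-697); in this example it fires only when no specific
# rule matched, so one key block does not produce two findings.
GENERIC_KEY = re.compile(r"-----BEGIN [A-Z0-9 ]*PRIVATE KEY-----")
CERT_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----")

# Keyword + regex rules whose captured value is additionally entropy-gated.
_VALUE = r"""\s*[:=]\s*["'](?P<value>[^"']{16,})["']"""
SECRET_VALUE_RULES = [
    ("VNX-SEC-651", "Critical",
     re.compile(r"(?i)\b(?:jwt[_-]?secret|hs256[_-]?(?:key|secret))" + _VALUE)),
    ("VNX-SEC-731", "High",
     re.compile(r"(?i)\b(?:(?:session|cookie)[_-]?secret|secret[_-]?key[_-]?base)" + _VALUE)),
    ("VNX-SEC-732", "High",
     re.compile(r"(?i)\b(?:aes|fernet|encryption)[_-]?key" + _VALUE)),
]


def shannon_entropy(s: str) -> float:
    """Bits per character: ~4-6 for random base64/hex, ~2-3 for words."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def _line_of(text: str, pos: int) -> int:
    return text.count("\n", 0, pos) + 1


def scan(text: str, entropy_threshold: float = 3.5):
    """Return [(rule_id, severity, line_number)] sorted by line."""
    findings = []
    key_found = False
    for rule_id, severity, pattern in KEY_BLOCK_RULES:
        for m in pattern.finditer(text):
            findings.append((rule_id, severity, _line_of(text, m.start())))
            key_found = True
    if not key_found:
        m = GENERIC_KEY.search(text)
        if m:
            findings.append(("VNX-SEC-697", "Critical", _line_of(text, m.start())))
            key_found = True
    # A certificate alone is public material; it is a finding only next to a key.
    cert = CERT_BLOCK.search(text)
    if key_found and cert:
        findings.append(("VNX-SEC-650", "Medium", _line_of(text, cert.start())))
    for rule_id, severity, pattern in SECRET_VALUE_RULES:
        for m in pattern.finditer(text):
            # Entropy gate: "changeme"-style placeholders are skipped, and env
            # lookups never match because the value regex demands a quoted literal.
            if shannon_entropy(m.group("value")) >= entropy_threshold:
                findings.append((rule_id, severity, _line_of(text, m.start())))
    return sorted(findings, key=lambda f: f[2])


# Constructed fixture: the PEM bodies are filler, not real key or certificate data.
SAMPLE = """\
# deploy/config.py (constructed fixture)
-----BEGIN RSA PRIVATE KEY-----
AAAAFILLERAAAAFILLERAAAAFILLERAAAAFILLERAAAAFILLERAAAAFILLER
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
AAAAFILLERAAAAFILLERAAAAFILLERAAAAFILLERAAAAFILLERAAAAFILLER
-----END CERTIFICATE-----
JWT_SECRET = "q7Hd2vK9pLm4xZsWb8NtRcY3fG6jA1eU"
SESSION_SECRET = "changeme-changeme"
AES_KEY = os.environ["AES_KEY"]
"""

if __name__ == "__main__":
    for rule_id, severity, line in scan(SAMPLE):
        print(f"{rule_id}\t{severity}\tline {line}")
```

Running it on the fixture reports VNX-SEC-642 on the RSA block, VNX-SEC-650 because a certificate sits beside that key, and VNX-SEC-651 for the 32-character JWT secret (5.0 bits/char). The `SESSION_SECRET = "changeme-changeme"` line matches the VNX-SEC-731 keyword regex but scores about 2.9 bits/char and is dropped by the entropy gate, and the `os.environ` lookup never matches at all, which is the behaviour you want from an entropy-assisted rule: flag literal high-entropy material, not placeholders or indirections.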
Rotate any exposed credential immediately. For key material, rotation means generating a new key and revoking the old one (reissue the certificate, remove the old public key from authorized_keys and trust stores), because a leaked private key stays usable for as long as its public half is trusted. Remove the secret from source and load it from a secrets manager or environment variable instead. Purge it from git history with git filter-repo, but treat that as hygiene rather than remediation: clones, forks and CI caches taken before the rewrite still contain the old commit. See CWE-798 and the OWASP Secrets Management Cheat Sheet.