Secrets — Source Control & CI/CD

GitHub, GitLab, Bitbucket, Azure DevOps tokens and CI/CD pipeline credentials.

All rules in this category are of kind secrets. They run under vulnetix secrets and in the secrets stage of vulnetix scan. The Detection column lists which stages a rule uses: a keyword pre-filter on the line, a regex for the token shape, and (for tokens with no distinctive prefix) a Shannon-entropy check that rejects placeholder values.

| Rule ID | Name | Severity | Detection |
|---|---|---|---|
| VNX-SEC-181 | Bitbucket app password | High | keyword + regex + entropy |
| VNX-SEC-182 | Bitbucket app password (ATBB prefix) | High | keyword + regex |
| VNX-SEC-183 | Bitbucket OAuth client secret | High | keyword + regex + entropy |
| VNX-SEC-184 | Azure DevOps personal access token | Critical | keyword + regex + entropy |
| VNX-SEC-185 | CircleCI personal API token | High | keyword + regex + entropy |
| VNX-SEC-186 | CircleCI project API token (CCIP) | High | keyword + regex |
| VNX-SEC-187 | Travis CI API token | High | keyword + regex + entropy |
| VNX-SEC-188 | Buildkite agent token | Critical | keyword + regex + entropy |
| VNX-SEC-189 | Buildkite API access token | High | keyword + regex + entropy |
| VNX-SEC-190 | Jenkins API token | High | keyword + regex + entropy |
| VNX-SEC-191 | Jenkins crumb (CSRF token) | Medium | keyword + regex + entropy |
| VNX-SEC-192 | Drone CI token | High | keyword + regex + entropy |
| VNX-SEC-193 | TeamCity access token | High | keyword + regex |
| VNX-SEC-194 | TeamCity access token (generic) | High | keyword + regex + entropy |
| VNX-SEC-195 | Gitea access token | High | keyword + regex + entropy |
| VNX-SEC-196 | Gitee access token | High | keyword + regex + entropy |
| VNX-SEC-197 | Codecov upload token | Medium | keyword + regex |
| VNX-SEC-198 | Coveralls repo token | Medium | keyword + regex + entropy |
| VNX-SEC-199 | Code Climate test reporter ID | Medium | keyword + regex + entropy |
| VNX-SEC-200 | Sourcegraph access token (sgp_) | High | keyword + regex |
| VNX-SEC-201 | Sourcegraph dotcom token (sgph_) | High | keyword + regex |
| VNX-SEC-202 | Semaphore CI token | High | keyword + regex + entropy |
| VNX-SEC-203 | Harness personal access token (pat.) | Critical | keyword + regex |
| VNX-SEC-204 | Harness service account token (sat.) | Critical | keyword + regex |
| VNX-SEC-205 | Spacelift API token | High | keyword + regex |
| VNX-SEC-206 | Pulumi access token (pul-) | Critical | keyword + regex |
| VNX-SEC-207 | Octopus Deploy API key (API-) | High | keyword + regex + entropy |
| VNX-SEC-208 | Terraform Cloud team/org token | Critical | keyword + regex |
| VNX-SEC-209 | JFrog access/identity token | High | keyword + regex + entropy |
| VNX-SEC-210 | JFrog reference token (cmVmdGtuOjA) | High | keyword + regex |
| VNX-SEC-211 | Argo CD auth token (JWT) | Critical | keyword + regex |
| VNX-SEC-212 | FluxCD git credentials | High | keyword + regex + entropy |
| VNX-SEC-213 | GitHub App private key (PEM) | Critical | keyword + regex |
| VNX-SEC-214 | GitHub Actions runner registration token (BBBB) | High | keyword + regex + entropy |
| VNX-SEC-215 | Vercel deploy hook URL | High | keyword + regex |
| VNX-SEC-216 | Vercel API token | Critical | keyword + regex + entropy |
| VNX-SEC-217 | Bitrise access token | High | keyword + regex + entropy |
| VNX-SEC-218 | Codefresh API token | High | keyword + regex + entropy |
| VNX-SEC-219 | Woodpecker CI token | High | keyword + regex + entropy |
| VNX-SEC-220 | Concourse CI token | High | keyword + regex + entropy |
| VNX-SEC-221 | GoCD access token | High | keyword + regex + entropy |
| VNX-SEC-222 | Sentry CLI auth token (sntrys_) | High | keyword + regex |
| VNX-SEC-223 | Sentry user auth token (sntryu_) | High | keyword + regex |
| VNX-SEC-224 | ReadTheDocs API token | Medium | keyword + regex + entropy |
| VNX-SEC-225 | Netlify build hook URL | High | keyword + regex |
| VNX-SEC-226 | Netlify API access token | Critical | keyword + regex + entropy |
| VNX-SEC-227 | Cloudsmith API key | High | keyword + regex + entropy |
| VNX-SEC-228 | Bitbucket Pipelines OIDC/step token | High | keyword + regex + entropy |
| VNX-SEC-229 | TeamCity superuser token | Critical | keyword + regex |
| VNX-SEC-230 | Drone CI RPC secret | Critical | keyword + regex + entropy |
| VNX-SEC-231 | Sourcegraph dotcom token (sgd_) | High | keyword + regex |
| VNX-SEC-232 | Buildkite registration token (bkua_) | Critical | keyword + regex |
| VNX-SEC-233 | Codecov global upload token (legacy) | Medium | keyword + regex + entropy |
| VNX-SEC-234 | Argo CD admin password | Critical | keyword + regex + entropy |
| VNX-SEC-235 | Semaphore organization API token (legacy) | High | keyword + regex |
| VNX-SEC-236 | Spacelift API key secret | High | keyword + regex + entropy |
| VNX-SEC-237 | Codefresh runtime/agent token | High | keyword + regex + entropy |
| VNX-SEC-238 | TeamCity build agent authorization token | High | keyword + regex + entropy |
| VNX-SEC-239 | JFrog Pipelines integration token | High | keyword + regex + entropy |
| VNX-SEC-240 | GitHub Actions runner token (config.sh) | High | keyword + regex |
| VNX-SEC-241 | Gitea OAuth client secret | High | keyword + regex |
| VNX-SEC-242 | Travis CI Pro/Enterprise access token (legacy) | High | keyword + regex + entropy |
| VNX-SEC-243 | FluxCD GitRepository SSH private key | Critical | keyword + regex |
| VNX-SEC-244 | Concourse fly target token | High | keyword + regex |
| VNX-SEC-245 | Cloudsmith entitlement token (cmVudA / ent_) | High | keyword + regex + entropy |
| VNX-SEC-246 | Octopus Deploy server API key (assignment) | High | keyword + regex |
| VNX-SEC-247 | Pulumi config passphrase | High | keyword + regex + entropy |
| VNX-SEC-248 | Drone CI machine/user token (legacy) | High | keyword + regex + entropy |
| VNX-SEC-249 | Gitee OAuth client secret | High | keyword + regex + entropy |
| VNX-SEC-250 | CircleCI context/environment token (assignment) | High | keyword + regex + entropy |

Remediation

Rotate any exposed credential immediately and treat it as compromised from the moment it was committed: rewriting history does not revoke it, and anyone who cloned, forked or mirrored the repository in the meantime still has the old commits. Remove it from source and load it from a secrets manager or from an environment variable injected by the CI system instead. Then purge it from git history with git filter-repo, force-push the rewritten refs, and have collaborators re-clone so that stale clones do not reintroduce the old commits. For CI credentials (runner and agent registration tokens, deploy and build hook URLs, API tokens), check the provider's audit log, where one exists, for use of the credential before it was rotated. See CWE-798 and the OWASP Secrets Management Cheat Sheet.
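
The following added example (not part of the vulnetix docs) shows why deleting the value from the working tree is not enough and what the purge step looks like. It builds a throwaway repository with a constructed fake token, counts the commits that still carry it using git's -S pickaxe search, and, if git-filter-repo is installed, rewrites history with --replace-text and re-checks. The token value, file name and commit messages are constructed for the demo.

```shell
#!/bin/sh
# Added example, not vulnetix's code: show that a "remove the token" commit
# leaves the secret in history, then scrub it with git filter-repo.
# The token and repository are constructed for the demo.
set -eu

LEAKED_TOKEN="sgp_0123456789abcdef0123456789abcdef01234567"  # constructed, not a real token

# Build a throwaway repo: commit the secret, then commit a "fix" that removes it.
make_leaky_repo() {
  dir=$(mktemp -d)
  git -C "$dir" init -q
  git -C "$dir" config user.email "demo@example.invalid"
  git -C "$dir" config user.name "demo"
  printf 'SOURCEGRAPH_TOKEN=%s\n' "$LEAKED_TOKEN" > "$dir/.env"
  git -C "$dir" add .env
  git -C "$dir" commit -q -m "add env file"
  printf 'SOURCEGRAPH_TOKEN=${SOURCEGRAPH_TOKEN}\n' > "$dir/.env"
  git -C "$dir" add .env
  git -C "$dir" commit -q -m "stop committing the token"
  printf '%s\n' "$dir"
}

# Number of commits on any ref whose diff adds or removes the token.
# Before the purge this is 2 (one commit adds it, one removes it): the fix
# commit did not make the secret go away, and every clone still has both.
history_hits() {
  git -C "$1" log --all --oneline -S"$LEAKED_TOKEN" | wc -l | tr -d ' '
}

# Rewrite every commit so the literal token is replaced. filter-repo expects a
# fresh clone; --force overrides that check for this disposable repo only.
purge_token() {
  rules="$1.replace-text"
  printf '%s==>***REMOVED***\n' "$LEAKED_TOKEN" > "$rules"
  git -C "$1" filter-repo --force --replace-text "$rules" >/dev/null 2>&1
  rm -f "$rules"
}

repo=$(make_leaky_repo)
echo "commits touching the token before purge: $(history_hits "$repo")"
if command -v git-filter-repo >/dev/null 2>&1; then
  purge_token "$repo"
  echo "commits touching the token after purge:  $(history_hits "$repo")"
else
  echo "git-filter-repo not installed; purge skipped (pip install git-filter-repo)"
fi
```

Run the same -S search against the real repository after the force-push, and against any fork or mirror you control; a non-zero count means the rewrite missed a ref. None of this replaces rotation, which is the only step that actually invalidates the credential.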