VNX-SEC-036 – Heroku API Key

Overview

This rule detects Heroku API keys (v2 format) matching the HRKU-AA[0-9a-zA-Z_-]{58} pattern. Heroku API keys grant full account access including the ability to deploy applications, modify add-ons (e.g. Postgres, Redis), and read environment variables containing credentials.
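A small scanner for the pattern above, added here as an example (not the rule engine's own code). It wraps the `HRKU-AA[0-9a-zA-Z_-]{58}` pattern in lookarounds so that a token with more than 58 trailing key characters does not match on its prefix, and it reports findings with the key redacted. The sample input and the fake key are constructed for the demo.

```python
import re

# Pattern from the VNX-SEC-036 rule: "HRKU-AA" followed by exactly 58 key characters.
# The lookarounds require that no key character sits directly before or after the
# token, so a longer string does not produce a match at its 58-character prefix.
HEROKU_KEY_RE = re.compile(
    r"(?<![0-9A-Za-z_-])HRKU-AA[0-9A-Za-z_-]{58}(?![0-9A-Za-z_-])"
)


def redact(key: str) -> str:
    """Keep the 7-character prefix and the last 4 characters for safe reporting."""
    return f"{key[:7]}...{key[-4:]}"


def scan_text(text: str, source: str = "<stdin>") -> list[dict]:
    """Return one finding per Heroku v2 API key in `text`, with 1-based line numbers."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in HEROKU_KEY_RE.finditer(line):
            findings.append({
                "rule": "VNX-SEC-036",
                "source": source,
                "line": lineno,
                "redacted": redact(match.group(0)),
            })
    return findings


# Constructed sample: FAKE_KEY has the right shape but is not a real credential.
FAKE_KEY = "HRKU-AA" + "x" * 58
SAMPLE = "\n".join([
    "HEROKU_API_KEY=" + FAKE_KEY,                # exactly 58 key chars: finding
    "export TOKEN=HRKU-AA" + "y" * 57,          # one char short: no finding
    "noise HRKU-AA" + "z" * 60 + " trailing",   # too long: lookahead rejects it
])

if __name__ == "__main__":
    for finding in scan_text(SAMPLE, "sample.env"):
        print(finding)
```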

Severity: Critical | CWE: CWE-798 – Use of Hard-coded Credentials

Why This Matters

A leaked Heroku API key is sufficient to push a malicious build to a production app, attach to the production database, and exfiltrate customer data. Because Heroku's deploy model is git-based, an attacker holding a key with deploy scope can push a build without re-authenticating.

Remediation

  1. Regenerate the API key in the Heroku account settings.
  2. Use platform API OAuth tokens for CI instead of long-lived API keys.
  3. Store the new key in Heroku Config Vars or an external secrets manager.
  4. Audit recent deploys in the Heroku activity log.
  5. Purge the key from git history with git filter-repo and re-scan.

References