VNX-SEC-072 – Generic High-Entropy API Key / Secret

Overview

This rule detects generic high-entropy api key / secret matching the (api_key|secret|token|password)\s*[:=]\s*[A-Za-z0-9+/=_-]{32,} pattern hardcoded anywhere in source files. Detects high-entropy strings assigned to variables whose name contains a credential keyword (api_key, secret, token, password, etc.).

Severity: High | CWE: CWE-798 – Use of Hard-coded Credentials

Why This Matters

Hardcoded generic high-entropy api key / secret values are routinely scraped by automated bots within minutes of a public push, and then used to access the account, exfiltrate data, or pivot into downstream services. Once the credential is in git history it is permanently in third-party hands.

Remediation

1. Revoke the leaked credential in the provider’s console immediately.
2. Replace with a short-lived alternative — OAuth 2.0 access tokens, IAM role assumption, OIDC federation — wherever the platform supports it.
3. Store the new credential in a secrets manager (AWS Secrets Manager, HashiCorp Vault, GitHub Actions secrets, Doppler).
4. Audit the provider’s access logs for activity you did not initiate between the leak and the revocation.
5. Purge from git history with git filter-repo or BFG, then re-scan with gitleaks/truffleHog to confirm no other secrets remain.
6. Enable push protection so future commits are blocked at the developer machine.

References

• CWE-798: Use of Hard-coded Credentials
• gitleaks
• truffleHog
• OWASP Credentials Management Cheat Sheet
• MITRE ATT&CK T1552.001 – Credentials In Files
• git-filter-repo