Protect your organization by detecting hardcoded credentials, API keys, and tokens in source code. Secrets scanning prevents credential theft and lateral movement by closing security gaps from development to production. Centralize, prioritize, and remediate all detected risks to ensure total SLA compliance.
Secrets scanners safeguard your organization by identifying hardcoded credentials, such as API keys, access tokens, private keys, and passwords, embedded in source code, configuration files, and Git history. By detecting exposed secrets at code-time, the secrets scanner closes the gap between development practices and production-time security posture, preventing credential theft, unauthorized access, and lateral movement from silently propagating into live environments.
The Secrets page consolidates all scanner-detected secrets issues across monitored repositories into a single view where you can prioritize, investigate, remediate, and track SLA compliance.
Detection Capabilities
Supported file types
Cortex Cloud Application Security scans any plaintext file for secrets; files that are encrypted, compressed (for example, .zip archives), or compiled (for example, .jar files) are skipped. In addition, entropy findings are gated on keywords to lower the noise: a keyword must appear on the same line as the high-entropy string for that string to be flagged.
Entropy Analysis
Cortex Cloud Application Security provides signatures that analyze the randomness of strings within the file. Highly random strings, often referred to as high entropy, can be indicative of a potential secret. To reduce false positives, Cortex Cloud Application Security considers specific keywords that might be associated with secrets alongside the randomness of the data for better accuracy.
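The two mechanisms described above, the plaintext-only file filter and keyword-gated entropy analysis, are shown below as an added illustration. This is example code written for this page, not Cortex Cloud's own scanner; the skip list, the keyword list, the Shannon-entropy threshold of 3.5 bits, and the sample configuration text are all assumptions constructed for the example, and none of the strings are real credentials.

```python
import math
import re
from collections import Counter

# Assumed skip list: compressed, compiled or otherwise non-plaintext artifacts.
SKIP_EXTENSIONS = {".zip", ".gz", ".tar", ".7z", ".jar", ".class", ".pyc",
                   ".exe", ".dll", ".so", ".png", ".jpg", ".pdf"}

# Assumed keyword list; a candidate string is only reported when one of these
# appears somewhere on the same line (this is the noise-reduction step).
SECRET_KEYWORDS = ("password", "passwd", "secret", "token", "api_key",
                   "apikey", "private_key", "credential")

# Candidate tokens: 20+ characters from a base64/hex/identifier-like alphabet.
CANDIDATE_RE = re.compile(r"[A-Za-z0-9+/=_\-]{20,}")

ENTROPY_THRESHOLD = 3.5  # bits per character; assumed tuning value


def shannon_entropy(s: str) -> float:
    """Shannon entropy (bits/char). 'aaaa' -> 0.0, 32 distinct chars -> 5.0."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def is_scannable(path: str, data: bytes) -> bool:
    """Plaintext-only filter: reject known binary extensions and NUL-bearing content."""
    lower = path.lower()
    if any(lower.endswith(ext) for ext in SKIP_EXTENSIONS):
        return False
    if b"\x00" in data:          # compiled/compressed/encrypted blobs contain NUL bytes
        return False
    try:
        data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return True


def find_entropy_secrets(path: str, text: str, threshold: float = ENTROPY_THRESHOLD):
    """Report high-entropy strings that share a line with a secret-related keyword."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not any(k in line.lower() for k in SECRET_KEYWORDS):
            continue                      # no keyword context: skip, whatever the entropy
        for match in CANDIDATE_RE.finditer(line):
            candidate = match.group()
            entropy = shannon_entropy(candidate)
            if entropy >= threshold:
                findings.append({
                    "path": path,
                    "line": lineno,
                    "entropy": entropy,
                    # never echo the full value into logs or tickets
                    "redacted": candidate[:4] + "..." + candidate[-2:],
                })
    return findings


def scan_file(path: str, data: bytes):
    """Combine the file filter with the entropy pass."""
    if not is_scannable(path, data):
        return []
    return find_entropy_secrets(path, data.decode("utf-8"))


# Constructed sample configuration; the values are made up for this example.
SAMPLE_CONFIG = """\
app_name = "inventory-service"
DB_PASSWORD = "q8Zr2LmX9vT4bK7nW1pY6sD3fG5hJ0cA"
admin_password = "changemechangemechangeme"
commit = "Xk3mQ9zL7vB2nR5tW8yC1pF4hJ6sD0gA"
"""

if __name__ == "__main__":
    for f in scan_file("config.env", SAMPLE_CONFIG.encode()):
        print(f"{f['path']}:{f['line']} entropy={f['entropy']:.2f} value={f['redacted']}")
```

Only line 2 of the sample is reported: it carries the keyword `password` and a 32-character string of distinct characters (5.0 bits/char). Line 3 has the keyword but a repetitive, low-entropy value, and line 4 has a high-entropy value with no keyword on the line, so both are suppressed, which is the behaviour the keyword gate is meant to produce.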
Core achievements and use cases
Shifting security left and developer integration: Detecting hardcoded secrets at code-time, before credentials are exploited, reduces the cost and risk of post-incident credential rotation. Secrets scans identify and flag critical issues such as exposed API keys, access tokens, private keys, and database credentials directly within source code and configuration files across monitored repositories. This scanning integrates seamlessly into development workflows, allowing developers to detect findings locally via the Cortex CLI or IDE plugins.
Functional responsibilities
The secrets management workflow facilitates a structured delegation model between Governance and Operations:
AppSec managers (Governance): Review trends across accounts, resource types, and repositories to identify systemic governance failures. Define detection policies that enforce security compliance baselines. Prioritize remediation based on urgency, severity, and the security impact of the exposure.
AppSec Practitioners (Operations): Triage and remediate secrets findings by rotating exposed credentials, updating configurations, or escalating persistent risks to Cases for cross-team coordination. Track resolution progress through resolution statuses and SLA compliance.
Prerequisites
| Prerequisite | Description |
|---|---|
| License | An active Cortex Cloud license with Application Security add-on entitlements |
| RBAC Role | The AppSec Admin or SOC Analyst role, or an equivalent custom role with issue management permissions |
| VCS Integration | At least one Version Control System (GitHub, GitLab, Bitbucket, Azure DevOps) integrated and active |
| Secrets Scanner | The secrets scanner enabled for the target repositories |
| Periodic or PR Scan | At least one completed periodic scan or PR scan that includes secrets scanning results |