Issue classes
It would be much easier to call everything a secret. Instead, we introduce several secret issue classes based on the initial impact of their exposure. Although the classification will never be perfect, it provides an initial understanding of the exposure risk of each secret and helps to mitigate that risk by keeping secrets out of the code base, leading to more responsible development.
- Cloud account: Cloud account credentials are among the most dangerous tokens. They allow an attacker to manipulate the cloud account on your behalf, including creating, deleting and altering the services in use, which can lead to unpredictable billing.
- Cloud storage: Cloud storage credentials allow access to your cloud storage account, which can lead to information leakage or supply chain attacks.
- Access token: Generic access tokens allow a third-party service to be used on your behalf. An access token often carries a signature, which enables quick verification of its claims.
- API key: An unsigned string allowing access to a third-party service on your behalf.
- AI service token: An AI service token allows an AI service to be used on your behalf; note that your provider may not offer monitoring of AI service usage.
- Private key: The private key of an asymmetric key pair is a PRIVATE binary secret used for encryption, decryption and authorization. Its leakage can undermine the trust mechanism built on it and allows threat actors to digitally sign malicious code, impersonate a website's origin or access private systems on your behalf.
- Certificate: Similarly to a private key, a certificate belongs to asymmetric cryptography and is used for client authentication in place of access tokens or API keys.
- .env: A .env file aggregates multiple secrets, making it an ideal target for threat actors. The presence of a .env file with plain-text secrets in a production environment is a security hazard!