Supported secrets | Fluid Attacks Help

Supported

Currently, these are the secrets Fluid Attacks can detect:
  1. API keys
  2. AWS credentials
  3. Database connection passwords
  4. Express-session secrets
  5. Hardcoded emails (in security-related contexts)
  6. Hardcoded environment variables (e.g., api_key, password, secret)
  7. Hardcoded secrets in cryptographic calls
  8. Initialization vectors
  9. JWT
  10. Private keys
  11. RSA keys
  12. Salts
  13. SonarQube tokens and passwords (in identifiable fields)
  14. SSH keys
  15. Symmetric keys
  16. Other attack vectors and secret exploitability, obtained manually (only in the Advanced plan)

Unsupported

Fluid Attacks' secret support does not currently include the following:
  1. Access tokens
  2. Azure secrets
  3. Cloud provider secrets
  4. Cloud storage keys
  5. Firebase secrets
  6. GCP credentials
  7. Generic secrets
  8. GitHub tokens
  9. GitHub personal access tokens (PATs)
  10. Google Service Account keys
  11. HTTP basic auth params
  12. Kubernetes secrets
  13. MFA tokens
  14. OAuth tokens
  15. Payment processor API keys
  16. PGP secret keys
  17. Sensitive configuration files
  18. Slack tokens
  19. Webhook URLs