The Infisical Secret Scanner allows you to keep an overview and stay alert of exposed secrets across your entire GitHub organization and repositories.

To further enhance security, we recommend you also use our CLI Secret Scanner to scan for exposed secrets prior to pushing your changes.

Code Scanning

Secret scans are built on event-driven architecture. This means that every time a push is made to one of your selected repositories, Infisical will scan the modified files for any exposed secrets.

If one or more exposed secrets are detected, it will be displayed in your Infisical dashboard. An exposed secret is known as a “Risk”. Each risk has the following data associated with it:

  • Date: When the risk was first detected.
  • Secret Type: Which type of secret was detected.
  • Info: Information about the secret, such as the repository, file name, and the committer who made the change.

Once an exposed secret is detected, all organization admins will be sent an e-mail notification containing details about the exposed secret.

Each risk also contains a “View Exposed Secret” button, which will take you directly to the GitHub commit and to the line where the secret was exposed.

Responding to Exposed Secrets

After an exposed secret is detected, it will be marked as Needs Attention. When there are risks marked as needs attention, it’s important to address them as soon as possible.

You can mark the risk as Resolved by changing the status to one of the following states:

  • This Is a False Positive: The secret was not exposed, but was detected by the scanner.
  • I Have Rotated The Secret: The secret was exposed, but it has now been removed.
  • No Rotation Needed: You are choosing to ignore this risk. You may choose to do this if the risk is non-sensitive or otherwise not a security risk.

Ignoring Known Secrets

If you’re intentionally committing a test secret that the secret scanner might flag, you can instruct Infisical to overlook that secret with the methods listed below.

infisical-scan:ignore

To ignore a secret contained in line of code, simply add infisical-scan:ignore at the end of the line as comment in the given programming.

example.js
function helloWorld() {
    console.log("8dyfuiRyq=vVc3RRr_edRk-fK__JItpZ"); // infisical-scan:ignore
}

.infisicalignore

An alternative method to exclude specific findings involves creating a .infisicalignore file at your repository’s root. You can then add the fingerprints of the findings you wish to exclude. The Infisical scan report provides a unique Fingerprint for each secret found. By incorporating these Fingerprints into the .infisicalignore file, Infisical will skip the corresponding secret findings in subsequent scans.

.infisicalignore
bea0ff6e05a4de73a5db625d4ae181a015b50855:frontend/components/utilities/attemptLogin.js:stripe-access-token:147
bea0ff6e05a4de73a5db625d4ae181a015b50855:backend/src/json/integrations.json:generic-api-key:5
1961b92340e5d2613acae528b886c842427ce5d0:frontend/components/utilities/attemptLogin.js:stripe-access-token:148

Was this page helpful?

Suggest editsRaise issue
Secret SharingEmail and Password