Table: code_secret
Detect, and verify if possible, secrets in a given source string.
Note: All queries to this table must provide the src column.
Examples
Basic auth is detected
```sql
select
  secret_type,
  secret,
  line,
  col
from
  code_secret
where
  src = 'Text with a secret postgresql://user:secret@localhost:5432/mydb.'
```
Multiple secrets are matched, including AWS access keys
```sql
select
  secret_type,
  secret,
  line,
  col
from
  code_secret
where
  src = E'AWS access keys should be detected:\n'
    '* AKIA4YFAKEKEYXTDS252\n* AKIA9YFBKFGZYZTW387K'
```
Secrets of multiple types
```sql
select
  secret_type,
  secret,
  authenticated,
  line,
  col
from
  code_secret
where
  src = E'Mixed secrets are matched:\n'
    '* Slack: xoxp-5228148520-5228148525-1323104836872-10674849628c43b9d4b4660f7f9a7b65\n'
    '* AWS: AKIA4YFAKFKFYXTDS353\n'
    '* Replace and try <AWS_ACCESS_KEY>:<AWS_SECRET_KEY> \n'
    '* Basic auth: https://joe:passwd123@example.com/secret'
    '* Github Personal Access Token: 45ab6f911111f9f376a5b52c25d22113f2b45fa1'
    '* Okta Token: 00Am7B2M_U-63q_Ppd6tDzAbBOkvcCht-kDG-baM7t'
    '* Stripe Api Key: sk_live_tR3PYbcVNZZ796tH88S4VQ2u'
    '* Azure Storage Account Key: mllhBNrG467B7Q5iT+ePFr6eLCE24ij9vT/fCeckOunfqzoGm8k5X9vKCphDaO81gmuzr89ldN+gKB0vlEHahg=='
```
Detect secrets in AWS EC2 instance user data (requires AWS plugin)
```sql
select
  instance_id,
  region as instance_region,
  secret_type,
  secret,
  authenticated,
  line,
  col
from
  code_secret,
  aws_ec2_instance
where
  src = user_data;
```
Detect secrets in AWS CloudFormation stack template body (requires AWS plugin)
```sql
select
  id as stack_id,
  name as stack_name,
  region as stack_region,
  secret_type,
  secret,
  authenticated,
  line,
  col
from
  code_secret,
  aws_cloudformation_stack
where
  src = template_body;
```
.inspect code_secret
Detect, and verify if possible, secrets in a given source string.
Name | Type | Description |
---|---|---|
_ctx | jsonb | Steampipe context in JSON form, e.g. connection_name. |
authenticated | text | Authentication status of the secret. Valid values are "authenticated", "unauthenticated", "not_implemented", and "unknown". |
col | bigint | Column on the line of the first character of the secret string. |
end_offset | bigint | Offset of the last character of the secret string. |
line | bigint | Line number of the first character of the secret string. |
secret | text | Secret string. |
secret_type | text | Secret type. |
src | text | The source code to scan. |
start_offset | bigint | Offset of the first character of the secret string. |
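
The query below is an added example, not taken from the plugin's own documentation. It uses the `authenticated` values listed above to order findings for triage and masks the `secret` column so the report does not itself expose the credential. The aliases `triage_rank` and `secret_masked`, the priority order, and the sample `src` text (constructed from placeholder values on this page) are assumptions.

```sql
-- Added example: rank findings by verification status and mask the secret.
-- The src literal is constructed sample input, not real credentials.
select
  secret_type,
  authenticated,
  case authenticated
    when 'authenticated' then 1    -- assumed highest priority: rotate first
    when 'unknown' then 2
    when 'not_implemented' then 3
    else 4                         -- 'unauthenticated'
  end as triage_rank,
  -- keep the first 4 characters for identification, mask the rest
  left(secret, 4) || repeat('*', greatest(length(secret) - 4, 0)) as secret_masked,
  line,
  col
from
  code_secret
where
  src = E'db: postgresql://user:secret@localhost:5432/mydb\n'
    'aws: AKIA4YFAKEKEYXTDS252'
order by
  triage_rank,
  line,
  col;
```

The same select list can be reused with the `aws_ec2_instance` or `aws_cloudformation_stack` joins shown in the examples by replacing the `src` literal with `user_data` or `template_body`.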