Ignore Secrets if not needed
Use case
FlyingDuck can detect over 150 types of secrets within the source code. In some cases, certain secrets may not be sensitive to the organization and can be ignored. You can exclude these secrets using the following three methods.
Ways to ignore
- Ignore secrets by Line
- Ignore secrets by File
- Ignore secrets by Type
Ignore secrets by Line
Description:
If you want to ignore a specific secret that is detected in the portal, then you can simply add a line just above the secret as # fd_secret_ignore. This will make sure the secret is scanned but not appeared in the portal results.
Note: If you are using languages that do not accept # as a comment symbol, use the appropriate comment symbol, followed by a space and then the label fd_secret_ignore.
Remediation:
# fd_secret_ignore
AWS Access Key ID = AKIAIOSFODNN7EXAMPLE
AWS Secret Access Key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
In the above scenario the AWS Access Key ID will be ignored but the AWS Secret Access Key is detected and reported.
Ignore secrets by File
Description:
If you want to ignore a complete file from being scanned for secrets, then you can specify this file in the .fdignore.yaml file and that will take care of the rest.
Remediation:
-
Create a
.fdignore.yamlfile in the root directory of GitHub repository. -
Add the following lines into that file as many as needed.
secrets:
files:
- src/app/config.yaml
- src/components/broker.js-
If more files are needed, then add those file paths by following the above syntax.
-
If you would like to ignore a complete directory, then use regular expressions.
In this case all the file paths and directories listed in this file will be ignored by the agent for secret scanning, so that those secrets do not appear in the portal.
Ignore secrets by Type
Description:
If you want to ignore a specific secret type such as emails or usernames, then you can add those secret key names into the .fdignore.yaml file and that will skip reporting those secrets to the portal. Please refer to this for the complete list of secret names.
Remediation:
Create a .fdignore.yaml.
If it is already created, then add the following lines into that as needed.
secrets:
types:
- GITHUB_PAT
- CIRCLECI_ATIf more secret types are to be ignored, then add them by following the above given syntax.
Note: Make sure to use the exact secret key name as displayed in the list.
In this case all the mentioned secret types listed in the file will be ignored by the agent for those specific secrets and only reports the remaining secrets detected.
Secrets
In managing various applications and services, it's essential to handle secrets securely. Secrets include sensitive information such as API keys, access tokens, client IDs, and other credentials that are used to authenticate and authorize access to different services. Below are some examples of these secrets:
| Secret Names | Code |
|---|---|
| Abstract Key | ABSTRACT_KEY |
| Abbysale Key | ABBYSALE_KEY |
| Accuweather Key | ACCUWEATHER_KEY |
| Adafruitio Key | ADAFRUITIO_KEY |
| Adobe Client Secret | ADOBE_CLIENT_SECRET |
| Adobeio Id | ADOBEIO_ID |
| Adobeio Key | ADOBEIO_KEY |
| Adzuna Id | ADZUNA_ID |
| Adzuna Key | ADZUNA_KEY |
| Aero Workflow Key | AERO_WORKFLOW_KEY |
| Age secret key | AGE_SECRET_KEY |
| Aha Key | AHA_KEY |
| Air Visual Key | AIR_VISUAL_KEY |
| Airbrake Id | AIRBRAKE_ID |
| Airbrake Project Key | AIRBRAKE_PROJECT_KEY |
| Airbrake User Key | AIRBRAKE_USER_KEY |
| Airtable Api Key | AIRTABLE_API_KEY |
| Airship Key | AIRSHIP_KEY |
| Alchemy Key | ALCHEMY_KEY |
| Alconost Key | ALCONOST_KEY |
| Alegra Id | ALEGRA_ID |
| Alegra Key | ALEGRA_KEY |
| Aletheia API Key | ALETHEIA_API_KEY |
| Algolia Admin Key | ALGOLIA_ADMIN_KEY |
| Algolia Id | ALGOLIA_ID |
| Alibaba Id | ALIBABA_ID |
| Alibaba Key | ALIBABA_KEY |
| Apideck Key | APIDECK_KEY |
| Apifonica | APIFONICA |
| Apify Key | APIFY_KEY |
| Auth0 domain | AUTH0_DOMAIN |
| Auth0 domain 2 | AUTH0_DOMAIN_2 |
| AWS IAM ID | AWS_IAM_ID |
| Ayrshare Key | AYRSHARE_KEY |
| Beamer API token | BEAMER_API_TOKEN |
| Caflou Key | CAFLOU_KEY |
| Cashboard Key | CASHBOARD_KEY |
| CCavenue Access Code | CCAVENUE_ACCESS_CODE |
| CCavenue Encryption Key | CCAVENUE_ENCRYPTION_KEY |
| CCavenue merchant id | CCAVENUE_MERCHANT_ID |
| Checkout Id | CHECKOUT_ID |
| Checkout Key | CHECKOUT_KEY |
| CircleCI access tokens | CIRCLECI_AT |
| Clickhelp Server | CLICKHELP_SERVER |
| Clickup personal Token | CLICKUP_PT |
| Clojars API token | CLOJARS_API_TOKEN |
| CloseCRM Key | CLOSECRM_KEY |
| Column Key | COLUMN_KEY |
| Contentful Personal Access Token | CONTENTFUL_PAT |
| Courier Key | COURIER_KEY |
| Credit Card Number | CREDIT_CARD_NUMBER |
| Databricks API token | DATABRICKS_API_TOKEN |
| Datadog Application Key | DATADOG_APPLICATION_KEY |
| Deputy URL | DEPUTY_URL |
| Dfuse Key | DFUSE_KEY |
| Digital Ocean v2 | DIGITAL_OCEAN_V2 |
| Discord API key | DISCORD_API_KEY |
| Discord Bot Key | DISCORD_BOT_KEY |
| Discord client ID | DISCORD_CLIENT_ID |
| Discord client secret | DISCORD_CLIENT_SECRET |
| Ditto Key | DITTO_KEY |
| Documo Key | DOCUMO_KEY |
| Docker Access Token | DOCKER_AT |
| Docker Hub Personal Access Token | DOCKER_HUB_PAT |
| Doppler API token | DOPPLER_API_TOKEN |
| Dotmailer Key | DOTMAILER_KEY |
| Dropbox long lived API token | DROPBOX_LONG_LIVED_API_TOKEN |
| Duffel API token | DUFFEL_API_TOKEN |
| Dynatrace API token | DYNATRACE_API_TOKEN |
| EasyPost API token | EASYPOST_API_TOKEN |
| Email ID | EMAIL_ID |
| Everhour Key | EVERHOUR_KEY |
| Fleetbase Key | FLEETBASE_KEY |
| Flightlabs Key | FLIGHTLABS_KEY |
| Flutterwave encrypted key | FLUTTERWARE_ENCRYPTED_KEY |
| Flutterwave public key | FLUTTERWARE_PUBLIC_KEY |
| Flutterwave secret key | FLUTTERWARE_SECRET_KEY |
| Frame.io API token | FRAME_IO_API_TOKEN |
| GitHub Personal Access Token | GITHUB_PAT |
| GitLab Agent for Kubernetes token | GITLAB_AGENT_KUBERNETES_TOKEN |
| GitLab CI Build (Job) token | GITLAB_CI_BUILD_JOB_TOKEN |
| GitLab Deploy Token | GITLAB_DEPLOY_TOKEN |
| GitLab Feed token | GITLAB_FEED_TOKEN |
| GitLab Incoming email token | GITLAB_INCOMING_EMAIL_TOKEN |
| GitLab OAuth Application Secrets | GITLAB_OAUTH_APPLICATION_SECRETS |
| GitLab Personal Access Token | GITLAB_PAT |
| GitLab Pipeline Trigger Token | GITLAB_PIPELINE_TRIGGER_TOKEN |
| GitLab Runner Authentication Token | GITLAB_RUNNER_AT |
| GitLab Runner Registration Token | GITLAB_RUNNER_REGISTRATION_TOKEN |
| GitLab SCIM token | GITLAB_SCIM_TOKEN |
| GCP Access Key Id | GCP_ACCESS_KEY_ID |
| GCP OAuth client secret | GCP_OAUTH_CLIENT_SECRET |
| Google (GCP) Service-account | GOOGLE_GCP_SERVICE_ACCOUNT |
| Google Key | GOOGLE_KEY |
| Hashicorp Terraform user/org API token | HASHICORP_TERRAFORM_API_TOKEN |
| Hashicorp Vault batch token | HASHICORP_VAULT_BATCH_TOKEN |
| Hubspot Access Token | HUBSPOT_AT |
| Hubspot API token | HUBSPOT_API_TOKEN |
| Intercom API token | INTERCOM_API_TOKEN |
| Intercom client secret/ID | INTERCOM_CLIENT_SECRET_ID |
| Ionic API token | IONIC_API_TOKEN |
| Jfrog Token Id | JFROG_TOKEN_ID |
| JWT Token | JWT_TOKEN |
| Key | KEY |
| Linear API token | LINEAR_API_TOKEN |
| Lob API Key | LOB_API_KEY |
| Lob Publishable API Key | LOB_PUBLISHABLE_API_KEY |
| Mailchimp API key | MAILCHIMP_API_KEY |
| Mailgun private API token | MAILGUN_PRIVATE_API_TOKEN |
| Mailgun public validation key | MAILGUN_PUBLIC_VALIDATION_KEY |
| Mailgun webhook signing key | MAILGUN_WEBHOOK_SIGNING_KEY |
| Mapbox API token | MAPBOX_API_TOKEN |
| MessageBird API client ID | MESSAGEBIRD_API_CLIENT_ID |
| Meta access token | META_AT |
| New Relic ingest browser API token | NEW_RELIC_INGEST_BROWSER_API_TOKEN |
| New Relic user API Key | NEW_RELIC_USER_API_KEY |
| Newrelic Key | NEWRELIC_KEY |
| NPM access token | NPM_ACCESS_TOKEN |
| Oculus access token | OCULUS_AT |
| Open AI API key | OPENAI_API_KEY |
| Password | PASSWORD |
| Planetscale API token | PLANETSCALE_API_TOKEN |
| Planetscale password | PLANETSCALE_PASSWORD |
| Postman API token | POSTMAN_API_TOKEN |
| Pulumi API token | PULUMI_API_TOKEN |
| Razorpay Key Id | RAZORPAY_KEY_ID |
| Razorpay Key Secret | RAZORPAY_KEY_SECRET |
| Rubygem API token | RUBYGEM_API_TOKEN |
| Segment Public API token | SEGMENT_PUBLIC_API_TOKEN |
| Sendgrid API token | SENDGRID_API_TOKEN |
| Sendinblue API token | SENDINBLUE_API_TOKEN |
| Sendinblue SMTP token | SENDINBLUE_SMTP_TOKEN |
| Shippo API token | SHIPPO_API_TOKEN |
| Shopify access token | SHOPIFY_AT |
| Shopify custom app access token | SHOPIFY_CUSTOM_APP_AT |
| Shopify private app access token | SHOPIFY_PRIVATE_APP_AT |
| Shopify shared secret | SHOPIFY_SHARED_SECRET |
| Slack token | SLACK_TOKEN |
| Slack Webhook | SLACK_WEBHOOK |
| Stripe token | STRIPE_TOKEN |
| Tailscale key | TAILSCALE_KEY |
| Token | TOKEN |
| Twilio API Key | TWILIO_API_KEY |
| Twitter Access Token | TWITTER_AT |
| Twitter Access Token Secret | TWITTER_AT_SECRET |
| Twitter Consumer Key (API Key) | TWITTER_CONSUMER_API_KEY |
| Twitter Consumer Secret (API Secret) | TWITTER_CONSUMER_API_SECRET |
| Typeform API token | TYPEFORM_API_TOKEN |
| Username | USERNAME |
| Yandex.Cloud AWS API compatible Access Secret | YANDEX_CLOUD_AWS_API_ACCESS_SECRET |
| Yandex.Cloud IAM Cookie v1 | YANDEX_CLOUD_IAM_COOKIE_V1 |
| Yandex.Cloud IAM Cookie v2 | YANDEX_CLOUD_IAM_COOKIE_V2 |
| Yandex.Cloud IAM Cookie v3 | YANDEX_CLOUD_IAM_COOKIE_V3 |
| Zerobounce API Key | ZEROBOUNCE_API_KEY |