SQ34252
Detected presence of self-declared canary tokens.
| priority | CI/CD status | severity | effort | SAFE level | SAFE assessment |
|---|---|---|---|---|---|
| None | pass | low | low | None | None |
About the issue
Service access tokens are considered sensitive information that should not be included in released software packages. However, application security specialists often intentionally include special service access tokens that serve as exposure canaries. They are used to alert the security team of malicious actors trying to gain unauthorized service access. Since these are not real access tokens, warnings about their presence in the software package can safely be suppressed. The list of canary tokens can be declared through policy configuration and other related settings.
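The following added example (not Spectra Assure's scanner or policy format; the policy layout, file names, token values and the single token pattern are assumptions) shows how a scanner can separate declared canaries from findings that still need review: the policy carries only SHA-256 digests of the canaries, each detected token is hashed and compared, and matches are marked suppressed while everything else stays actionable.

```python
import hashlib
import re
from dataclasses import dataclass

# Hypothetical policy fragment: canaries are declared as SHA-256 digests so the
# policy file never carries a usable token string (the format is an assumption).
CANARY_TOKEN = "AKIACANARY000EXAMPLE"  # constructed canary value
CANARY_POLICY = {"canary_token_sha256": [hashlib.sha256(CANARY_TOKEN.encode()).hexdigest()]}

# Constructed package contents: one declared canary and one token that is not declared.
PACKAGE_FILES = {
    "config/settings.py": 'AWS_KEY = "AKIACANARY000EXAMPLE"\n',
    "scripts/deploy.sh": "export AWS_ACCESS_KEY_ID=AKIAREALLEAK00000001\n",
}

# Only the AWS access key ID shape is matched here; a real scanner has many more patterns.
TOKEN_PATTERNS = {"aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b")}


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    kind: str
    value: str
    suppressed: bool  # True when the value matches a declared canary


def canary_hashes(policy: dict) -> set[str]:
    return set(policy.get("canary_token_sha256", []))


def scan_files(files: dict[str, str], policy: dict) -> list[Finding]:
    """Match every token-shaped string, then mark the ones whose digest is declared as a canary."""
    canaries = canary_hashes(policy)
    findings = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            for kind, pattern in TOKEN_PATTERNS.items():
                for m in pattern.finditer(line):
                    digest = hashlib.sha256(m.group(0).encode()).hexdigest()
                    findings.append(Finding(path, lineno, kind, m.group(0), digest in canaries))
    return findings


def actionable(findings: list[Finding]) -> list[Finding]:
    """Findings that still need review (and possibly revocation): everything not a declared canary."""
    return [f for f in findings if not f.suppressed]


if __name__ == "__main__":
    for f in scan_files(PACKAGE_FILES, CANARY_POLICY):
        print(f"{f.path}:{f.line} {f.kind} {'canary (suppressed)' if f.suppressed else 'REVIEW'}")
```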
How to resolve the issue
- Review the detected tokens to confirm that each one is a declared canary and not an inadvertently exposed secret.
- If the tokens were published unintentionally and the software has been made public, you should revoke the tokens and file a security incident.
Incidence statistics
ReversingLabs periodically collects and analyzes the contents of popular software package repositories for threat research purposes. Analysis results are used to calculate incidence statistics for issues (policy violations) that Spectra Assure can detect in software packages.
This section is updated when new data becomes available.
Total number of packages analyzed
- RubyGems: 183K
- NuGet: 644K
- PyPI: 628K
- NPM: 3.72M
Recommended reading
- Honeytoken (External resource - Wikipedia)
- Credential Canaries Create Minefield for Attackers (External resource - DarkReading)