SQ34252

Detected presence of self-declared canary tokens.

priority: None
CI/CD status: pass
severity: low
effort: low
RL level: None
RL assessment: None

About the issue

Service access tokens are sensitive information that should not be included in released software packages. However, application security specialists sometimes intentionally plant special service access tokens that serve as exposure canaries: they are used to alert the security team when someone attempts to use them to gain unauthorized service access. Since these are not real access tokens, warnings about their presence in the software package can safely be suppressed. The list of canary tokens can be declared through policy configuration and other related settings.
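The following is an added illustration (not ReversingLabs code) of how a scanner can tell a self-declared canary from an inadvertently exposed secret: token-like strings found in the package are fingerprinted and compared against the declared canary list, and only non-canary hits affect the CI/CD status. The AWS-style key pattern, the SHA-256 fingerprint format for the policy, and the sample files are all assumptions constructed for this example.

```python
import hashlib
import re

# Constructed token pattern (AWS access key ID shape); a real scanner carries many more.
TOKEN_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}


def fingerprint(token: str) -> str:
    """Assumed policy convention: canaries are declared as SHA-256 digests,
    so the policy file itself never has to contain the token value."""
    return hashlib.sha256(token.encode()).hexdigest()


def scan_package(files: dict, canary_fingerprints: set) -> list:
    """Scan {path: content} and classify each hit as 'canary' (declared) or 'exposed'."""
    findings = []
    for path, text in files.items():
        for kind, pattern in TOKEN_PATTERNS.items():
            for match in pattern.finditer(text):
                token = match.group(0)
                is_canary = fingerprint(token) in canary_fingerprints
                findings.append({
                    "path": path,
                    "type": kind,
                    # Report a masked form so the scan output does not re-leak the value.
                    "masked": token[:4] + "..." + token[-4:],
                    "status": "canary" if is_canary else "exposed",
                })
    return findings


def ci_status(findings: list) -> str:
    """Declared canaries are suppressed; any genuinely exposed token fails the build."""
    return "fail" if any(f["status"] == "exposed" for f in findings) else "pass"


# Constructed sample package: one planted canary, one key that was never declared.
SAMPLE_FILES = {
    "config.py": 'AWS_KEY = "AKIACANARY0000000001"',
    "deploy.sh": "export AWS_ACCESS_KEY_ID=AKIALIVE000000000002",
}
SAMPLE_POLICY = {fingerprint("AKIACANARY0000000001")}

if __name__ == "__main__":
    results = scan_package(SAMPLE_FILES, SAMPLE_POLICY)
    for f in results:
        print(f"{f['path']}: {f['type']} {f['masked']} -> {f['status']}")
    print("CI/CD status:", ci_status(results))
```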

How to resolve the issue

  • Review the detected sensitive information for evidence of inadvertently exposed secrets.
  • If the tokens were published unintentionally and the software has been made public, revoke the tokens and file a security incident.

Incidence statistics

Not relevant for this type of sensitive information.