
SQ34252

Detected presence of self-declared canary tokens.

Priority: None
CI/CD status: pass
Severity: low
Effort: low
SAFE level: None
SAFE assessment: None

About the issue

Service access tokens are considered sensitive information that should not be included in released software packages. However, application security specialists often intentionally include special service access tokens that serve as exposure canaries. They are used to alert the security team of malicious actors trying to gain unauthorized service access. Since these are not real access tokens, warnings about their presence in the software package can safely be suppressed. The list of canary tokens can be declared through policy configuration and other related settings.

How to resolve the issue

  • Review the commonly shared sensitive information to confirm that every detected token is a declared canary and not an inadvertently exposed secret.
  • If any token was published unintentionally and the package has already been made public, revoke that token and file a security incident.
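The following is an added example of the suppression logic this policy describes; it is not ReversingLabs' code and does not use Spectra Assure's real configuration format, which this page does not show. The declared canary list, the two token patterns and the sample package contents are all constructed for the example. Token-shaped strings are detected, anything that matches a self-declared canary is suppressed, and everything else is reported as an exposure that needs revocation and an incident.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Hypothetical policy configuration: the canary tokens the security team has
# self-declared. Constructed for this example; the real Spectra Assure
# configuration format is not shown on this page.
DECLARED_CANARIES = {
    "AKIAEXAMPLECANARY001",
    "ghp_CANARYexampleTokenForThisPage0000000",
}

# Two token-shaped detectors (constructed for the example; a real scanner
# carries far more). Each pattern is anchored on word boundaries so that a
# token embedded in quotes, after '=' or at end of line is still matched.
TOKEN_PATTERNS = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("github_pat", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
]

# Sample package contents, constructed for the example: two declared
# canaries and one token that nobody declared.
SAMPLE_PACKAGE = {
    "config/settings.py": 'AWS_KEY = "AKIAEXAMPLECANARY001"  # self-declared canary\n',
    "scripts/release.sh": "export GH_TOKEN=ghp_CANARYexampleTokenForThisPage0000000\n",
    "src/client.js": 'const key = "AKIAREALLEAKEDKEY001";\n',
}


@dataclass(frozen=True)
class Finding:
    path: str
    kind: str
    token: str
    canary: bool  # True when the token is on the declared canary list


def scan_package(files: dict[str, str], canaries=DECLARED_CANARIES) -> list[Finding]:
    """Run every detector over every file and tag each hit as canary or not."""
    findings: list[Finding] = []
    for path, text in files.items():
        for kind, pattern in TOKEN_PATTERNS:
            for match in pattern.finditer(text):
                token = match.group(0)
                findings.append(Finding(path, kind, token, token in canaries))
    return findings


def triage(findings: list[Finding]) -> tuple[list[Finding], list[Finding]]:
    """Split findings into suppressed canaries (this policy, SQ34252) and
    actionable exposures (revoke the token, file an incident)."""
    suppressed = [f for f in findings if f.canary]
    actionable = [f for f in findings if not f.canary]
    return suppressed, actionable


def report(files: dict[str, str] = SAMPLE_PACKAGE) -> tuple[list[Finding], list[Finding]]:
    """Convenience wrapper: scan, triage and print a short summary."""
    suppressed, actionable = triage(scan_package(files))
    for f in suppressed:
        print(f"SUPPRESSED  {f.path}: {f.kind} is a declared canary")
    for f in actionable:
        print(f"ACTIONABLE  {f.path}: {f.kind} not declared; revoke and open an incident")
    return suppressed, actionable


if __name__ == "__main__":
    report()
```

Matching is on the exact token string, so a declared canary only suppresses the finding when the packaged value is byte-for-byte what the policy declares; a near miss is treated as an undeclared exposure, which is the safer failure mode.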

Incidence statistics

ReversingLabs periodically collects and analyzes the contents of popular software package repositories for threat research purposes. Analysis results are used to calculate incidence statistics for issues (policy violations) that Spectra Assure can detect in software packages.

This section is updated when new data becomes available.

Total number of packages analyzed

  • RubyGems: 183K
  • NuGet: 644K
  • PyPI: 628K
  • npm: 3.72M

Statistics are not collected for the SQ34252 policy at this time, or are not applicable to this type of issue.