@@ -148,131 +148,6 @@ func runScanner(sc Scanner) (result models.ScanResult) {
148148 return sc .Scan ()
149149}
150150
151- // K8SProdPatterns is the set of substrings that identify a Kubernetes context as production.
152- var K8SProdPatterns = []string {"prod" , "production" , "prd" , "live" }
153-
154- // HighRiskEnvKeys is the set of environment variable names that indicate
155- // high-value credentials are present in the shell. Values are NEVER read or logged;
156- // only the key name is used.
157- var HighRiskEnvKeys = map [string ]bool {
158- // AI / ML inference
159- "OPENAI_API_KEY" : true ,
160- "ANTHROPIC_API_KEY" : true ,
161- "COHERE_API_KEY" : true ,
162- "MISTRAL_API_KEY" : true ,
163- "REPLICATE_API_KEY" : true ,
164- "HUGGINGFACE_TOKEN" : true ,
165- "HF_TOKEN" : true , // Hugging Face canonical short name (used by huggingface-hub)
166- "TOGETHER_API_KEY" : true ,
167- "GROQ_API_KEY" : true ,
168- "VOYAGE_API_KEY" : true ,
169- "ELEVEN_LABS_API_KEY" : true ,
170- "PINECONE_API_KEY" : true ,
171- "STABILITY_API_KEY" : true , // Stability AI — pay-per-image generation
172- "WANDB_API_KEY" : true , // Weights & Biases — model/experiment data
173- "TAVILY_API_KEY" : true , // Tavily search — widely used in LangChain/LangGraph agents
174- "LANGCHAIN_API_KEY" : true , // LangSmith tracing (LangChain ecosystem)
175- "AZURE_OPENAI_API_KEY" : true , // Azure OpenAI — distinct from service principal creds
176- "FAL_KEY" : true , // fal.ai — GPU inference, financial risk
177- "NVIDIA_API_KEY" : true , // NVIDIA NIM — enterprise GPU inference
178-
179- // Cloud: env-based credentials
180- "AWS_ACCESS_KEY_ID" : true ,
181- "AWS_SECRET_ACCESS_KEY" : true ,
182- "AWS_SESSION_TOKEN" : true ,
183- "GOOGLE_APPLICATION_CREDENTIALS" : true ,
184- "AZURE_CLIENT_SECRET" : true ,
185- "AZURE_CLIENT_ID" : true ,
186- "AZURE_TENANT_ID" : true ,
187-
188- // Secrets managers (key to all other secrets)
189- "VAULT_TOKEN" : true , // HashiCorp Vault — grants access to all managed secrets
190- "OP_SERVICE_ACCOUNT_TOKEN" : true , // 1Password Connect service account
191- "OP_CONNECT_TOKEN" : true , // 1Password Connect API token
192- "INFISICAL_TOKEN" : true , // Infisical secrets manager
193-
194- // Source control & CI/CD
195- "GITHUB_TOKEN" : true ,
196- "GITLAB_TOKEN" : true ,
197- "BITBUCKET_APP_PASSWORD" : true ,
198- "NPM_TOKEN" : true ,
199- "PYPI_API_TOKEN" : true ,
200- "CIRCLE_TOKEN" : true , // CircleCI — CI supply chain attack surface
201-
202- // Payment
203- "STRIPE_SECRET_KEY" : true ,
204- "BRAINTREE_PRIVATE_KEY" : true ,
205- "PAYPAL_CLIENT_SECRET" : true ,
206- "SQUARE_ACCESS_TOKEN" : true ,
207- "ADYEN_API_KEY" : true , // Adyen — enterprise e-commerce payments
208- "RAZORPAY_KEY_SECRET" : true , // Razorpay — dominant in South/SE Asia
209- "MOLLIE_API_KEY" : true , // Mollie — dominant in EU
210- "PADDLE_API_KEY" : true , // Paddle — SaaS billing
211-
212- // Messaging & comms (can exfiltrate data or send spam at scale)
213- "TWILIO_AUTH_TOKEN" : true ,
214- "SENDGRID_API_KEY" : true ,
215- "MAILGUN_API_KEY" : true ,
216- "SLACK_BOT_TOKEN" : true ,
217- "DISCORD_BOT_TOKEN" : true ,
218- "VONAGE_API_SECRET" : true , // Vonage/Nexmo — SMS/voice telephony
219- "KLAVIYO_API_KEY" : true , // Klaviyo — e-commerce email, customer PII
220- "MAILCHIMP_API_KEY" : true , // Mailchimp — customer lists, PII
221- "CUSTOMERIO_API_KEY" : true , // Customer.io — behavioral marketing, PII
222- "BREVO_API_KEY" : true , // Brevo (Sendinblue) — EU email, PII
223-
224- // Identity & auth
225- "OKTA_API_TOKEN" : true ,
226- "AUTH0_CLIENT_SECRET" : true ,
227- "CLERK_SECRET_KEY" : true , // Clerk — popular Next.js auth, auth bypass risk
228- "WORKOS_API_KEY" : true , // WorkOS — enterprise SSO
229-
230- // Observability
231- "DATADOG_API_KEY" : true ,
232- "SENTRY_AUTH_TOKEN" : true ,
233- "NEW_RELIC_LICENSE_KEY" : true , // New Relic — APM data, log exfil
234- "NEW_RELIC_API_KEY" : true , // New Relic user/account API key
235- "GRAFANA_API_KEY" : true , // Grafana Cloud
236- "GRAFANA_TOKEN" : true , // Grafana Cloud access policy token
237- "HONEYCOMB_API_KEY" : true , // Honeycomb — trace data
238-
239- // Cloud / hosting / IaC
240- "VERCEL_TOKEN" : true ,
241- "NETLIFY_AUTH_TOKEN" : true ,
242- "CLOUDFLARE_API_TOKEN" : true ,
243- "HEROKU_API_KEY" : true ,
244- "RAILWAY_TOKEN" : true ,
245- "FLY_API_TOKEN" : true ,
246- "DIGITALOCEAN_TOKEN" : true , // DigitalOcean — full infra control
247- "DO_API_TOKEN" : true , // DigitalOcean alternative env var name
248- "LINODE_TOKEN" : true , // Linode/Akamai — full infra control
249- "RENDER_API_KEY" : true , // Render — deploy platform access
250- "PULUMI_ACCESS_TOKEN" : true , // Pulumi — IaC state = all infra secrets
251- "TFE_TOKEN" : true , // Terraform Cloud — IaC state
252- "CLOUDINARY_API_SECRET" : true , // Cloudinary — media storage
253-
254- // Databases (connection strings often embed credentials)
255- "DATABASE_URL" : true ,
256- "MONGODB_URI" : true ,
257- "REDIS_URL" : true ,
258- "MONGODB_ATLAS_PRIVATE_KEY" : true , // MongoDB Atlas admin API (separate from connection string)
259- "TURSO_AUTH_TOKEN" : true , // Turso — SQLite-at-edge DB access
260- "UPSTASH_REDIS_REST_TOKEN" : true , // Upstash — serverless Redis/Kafka
261- "ELASTIC_API_KEY" : true , // Elasticsearch — data exfil risk
262- "ELASTIC_CLOUD_API_KEY" : true , // Elastic Cloud management API
263-
264- // CRM / e-commerce / dev tools
265- "ATLASSIAN_API_TOKEN" : true , // Atlassian/Jira — project data, PII
266- "JIRA_API_TOKEN" : true , // Jira alternative env var
267- "HUBSPOT_ACCESS_TOKEN" : true , // HubSpot CRM — customer PII + sales data
268- "SALESFORCE_CLIENT_SECRET" : true , // Salesforce — enterprise CRM
269- "SHOPIFY_API_SECRET_KEY" : true , // Shopify — store orders, customer PII
270- "ZENDESK_API_TOKEN" : true , // Zendesk — customer support PII
271- "INTERCOM_ACCESS_TOKEN" : true , // Intercom — customer chat PII
272- "SEGMENT_WRITE_KEY" : true , // Segment — all customer behavioral events
273- "ALGOLIA_API_KEY" : true , // Algolia — search index admin access
274- }
275-
276151// Summarise computes a Summary from a slice of ScanResults.
277152// UNCERTAIN findings contribute to the uncertain count but not to findings_total,
278153// since they represent incomplete checks rather than confirmed findings.
0 commit comments