@@ -156,18 +156,25 @@ var K8SProdPatterns = []string{"prod", "production", "prd", "live"}
156156// only the key name is used.
157157var HighRiskEnvKeys = map [string ]bool {
158158 // AI / ML inference
159- "OPENAI_API_KEY" : true ,
160- "ANTHROPIC_API_KEY" : true ,
161- "COHERE_API_KEY" : true ,
162- "MISTRAL_API_KEY" : true ,
163- "REPLICATE_API_KEY" : true ,
164- "HUGGINGFACE_TOKEN" : true ,
165- "HF_TOKEN" : true , // Hugging Face canonical short name (used by huggingface-hub)
166- "TOGETHER_API_KEY" : true ,
167- "GROQ_API_KEY" : true ,
168- "VOYAGE_API_KEY" : true ,
169- "ELEVEN_LABS_API_KEY" : true ,
170- "PINECONE_API_KEY" : true ,
159+ "OPENAI_API_KEY" : true ,
160+ "ANTHROPIC_API_KEY" : true ,
161+ "COHERE_API_KEY" : true ,
162+ "MISTRAL_API_KEY" : true ,
163+ "REPLICATE_API_KEY" : true ,
164+ "HUGGINGFACE_TOKEN" : true ,
165+ "HF_TOKEN" : true , // Hugging Face canonical short name (used by huggingface-hub)
166+ "TOGETHER_API_KEY" : true ,
167+ "GROQ_API_KEY" : true ,
168+ "VOYAGE_API_KEY" : true ,
169+ "ELEVEN_LABS_API_KEY" : true ,
170+ "PINECONE_API_KEY" : true ,
171+ "STABILITY_API_KEY" : true , // Stability AI — pay-per-image generation
172+ "WANDB_API_KEY" : true , // Weights & Biases — model/experiment data
173+ "TAVILY_API_KEY" : true , // Tavily search — widely used in LangChain/LangGraph agents
174+ "LANGCHAIN_API_KEY" : true , // LangSmith tracing (LangChain ecosystem)
175+ "AZURE_OPENAI_API_KEY" : true , // Azure OpenAI — distinct from service principal creds
176+ "FAL_KEY" : true , // fal.ai — GPU inference, financial risk
177+ "NVIDIA_API_KEY" : true , // NVIDIA NIM — enterprise GPU inference
171178
172179 // Cloud: env-based credentials
173180 "AWS_ACCESS_KEY_ID" : true ,
@@ -178,44 +185,92 @@ var HighRiskEnvKeys = map[string]bool{
178185 "AZURE_CLIENT_ID" : true ,
179186 "AZURE_TENANT_ID" : true ,
180187
188+ // Secrets managers (key to all other secrets)
189+ "VAULT_TOKEN" : true , // HashiCorp Vault — grants access to all managed secrets
190+ "OP_SERVICE_ACCOUNT_TOKEN" : true , // 1Password Connect service account
191+ "OP_CONNECT_TOKEN" : true , // 1Password Connect API token
192+ "INFISICAL_TOKEN" : true , // Infisical secrets manager
193+
181194 // Source control & CI/CD
182195 "GITHUB_TOKEN" : true ,
183196 "GITLAB_TOKEN" : true ,
184197 "BITBUCKET_APP_PASSWORD" : true ,
185198 "NPM_TOKEN" : true ,
186199 "PYPI_API_TOKEN" : true ,
200+ "CIRCLE_TOKEN" : true , // CircleCI — CI supply chain attack surface
187201
188202 // Payment
189203 "STRIPE_SECRET_KEY" : true ,
190204 "BRAINTREE_PRIVATE_KEY" : true ,
191205 "PAYPAL_CLIENT_SECRET" : true ,
192206 "SQUARE_ACCESS_TOKEN" : true ,
193-
194- // Messaging & comms (can exfiltrate data at scale)
195- "TWILIO_AUTH_TOKEN" : true ,
196- "SENDGRID_API_KEY" : true ,
197- "MAILGUN_API_KEY" : true ,
198- "SLACK_BOT_TOKEN" : true ,
199- "DISCORD_BOT_TOKEN" : true ,
207+ "ADYEN_API_KEY" : true , // Adyen — enterprise e-commerce payments
208+ "RAZORPAY_KEY_SECRET" : true , // Razorpay — dominant in South/SE Asia
209+ "MOLLIE_API_KEY" : true , // Mollie — dominant in EU
210+ "PADDLE_API_KEY" : true , // Paddle — SaaS billing
211+
212+ // Messaging & comms (can exfiltrate data or send spam at scale)
213+ "TWILIO_AUTH_TOKEN" : true ,
214+ "SENDGRID_API_KEY" : true ,
215+ "MAILGUN_API_KEY" : true ,
216+ "SLACK_BOT_TOKEN" : true ,
217+ "DISCORD_BOT_TOKEN" : true ,
218+ "VONAGE_API_SECRET" : true , // Vonage/Nexmo — SMS/voice telephony
219+ "KLAVIYO_API_KEY" : true , // Klaviyo — e-commerce email, customer PII
220+ "MAILCHIMP_API_KEY" : true , // Mailchimp — customer lists, PII
221+ "CUSTOMERIO_API_KEY" : true , // Customer.io — behavioral marketing, PII
222+ "BREVO_API_KEY" : true , // Brevo (Sendinblue) — EU email, PII
200223
201224 // Identity & auth
202225 "OKTA_API_TOKEN" : true ,
203226 "AUTH0_CLIENT_SECRET" : true ,
204-
205- // Observability & infra
206- "DATADOG_API_KEY" : true ,
207- "SENTRY_AUTH_TOKEN" : true ,
208- "VERCEL_TOKEN" : true ,
209- "NETLIFY_AUTH_TOKEN" : true ,
210- "CLOUDFLARE_API_TOKEN" : true ,
211- "HEROKU_API_KEY" : true ,
212- "RAILWAY_TOKEN" : true ,
213- "FLY_API_TOKEN" : true ,
227+ "CLERK_SECRET_KEY" : true , // Clerk — popular Next.js auth, auth bypass risk
228+ "WORKOS_API_KEY" : true , // WorkOS — enterprise SSO
229+
230+ // Observability
231+ "DATADOG_API_KEY" : true ,
232+ "SENTRY_AUTH_TOKEN" : true ,
233+ "NEW_RELIC_LICENSE_KEY" : true , // New Relic — APM data, log exfil
234+ "NEW_RELIC_API_KEY" : true , // New Relic user/account API key
235+ "GRAFANA_API_KEY" : true , // Grafana Cloud
236+ "GRAFANA_TOKEN" : true , // Grafana Cloud access policy token
237+ "HONEYCOMB_API_KEY" : true , // Honeycomb — trace data
238+
239+ // Cloud / hosting / IaC
240+ "VERCEL_TOKEN" : true ,
241+ "NETLIFY_AUTH_TOKEN" : true ,
242+ "CLOUDFLARE_API_TOKEN" : true ,
243+ "HEROKU_API_KEY" : true ,
244+ "RAILWAY_TOKEN" : true ,
245+ "FLY_API_TOKEN" : true ,
246+ "DIGITALOCEAN_TOKEN" : true , // DigitalOcean — full infra control
247+ "DO_API_TOKEN" : true , // DigitalOcean alternative env var name
248+ "LINODE_TOKEN" : true , // Linode/Akamai — full infra control
249+ "RENDER_API_KEY" : true , // Render — deploy platform access
250+ "PULUMI_ACCESS_TOKEN" : true , // Pulumi — IaC state = all infra secrets
251+ "TFE_TOKEN" : true , // Terraform Cloud — IaC state
252+ "CLOUDINARY_API_SECRET" : true , // Cloudinary — media storage
214253
215254 // Databases (connection strings often embed credentials)
216- "DATABASE_URL" : true ,
217- "MONGODB_URI" : true ,
218- "REDIS_URL" : true ,
255+ "DATABASE_URL" : true ,
256+ "MONGODB_URI" : true ,
257+ "REDIS_URL" : true ,
258+ "MONGODB_ATLAS_PRIVATE_KEY" : true , // MongoDB Atlas admin API (separate from connection string)
259+ "TURSO_AUTH_TOKEN" : true , // Turso — SQLite-at-edge DB access
260+ "UPSTASH_REDIS_REST_TOKEN" : true , // Upstash — serverless Redis/Kafka
261+ "ELASTIC_API_KEY" : true , // Elasticsearch — data exfil risk
262+ "ELASTIC_CLOUD_API_KEY" : true , // Elastic Cloud management API
263+
264+ // CRM / e-commerce / dev tools
265+ "ATLASSIAN_API_TOKEN" : true , // Atlassian/Jira — project data, PII
266+ "JIRA_API_TOKEN" : true , // Jira alternative env var
267+ "HUBSPOT_ACCESS_TOKEN" : true , // HubSpot CRM — customer PII + sales data
268+ "SALESFORCE_CLIENT_SECRET" : true , // Salesforce — enterprise CRM
269+ "SHOPIFY_API_SECRET_KEY" : true , // Shopify — store orders, customer PII
270+ "ZENDESK_API_TOKEN" : true , // Zendesk — customer support PII
271+ "INTERCOM_ACCESS_TOKEN" : true , // Intercom — customer chat PII
272+ "SEGMENT_WRITE_KEY" : true , // Segment — all customer behavioral events
273+ "ALGOLIA_API_KEY" : true , // Algolia — search index admin access
219274}
220275
221276// Summarise computes a Summary from a slice of ScanResults.
0 commit comments