Secrets Security

A full-stack, multidimensional approach to finding and securing exposed and vulnerable secrets across all files in your repositories and CI/CD pipelines.

Developers use secrets to enable their applications to securely communicate with other cloud services. Storing secrets in a file in version control systems (VCS) like GitHub is not secure, creating potential vulnerabilities that can be exploited. This often happens when developers leave their secrets in the source code. Once a secret is committed into a repo, it is saved in its history, and any user can easily access those keys. This is especially risky if the repo contents are made public, making that resource easily found and utilized by threat actors.

Most tools only selectively scan for secrets at just one phase of the application lifecycle and can miss certain types of secrets altogether. Prisma® Cloud can ensure no secret is accidentally exposed while minimizing false positives and maintaining development velocity.

Prisma Cloud makes it seamless for developers to prevent exposed secrets in build and runtime.

By integrating into DevOps tools and across code, build, deploy, and runtime, Prisma Cloud continuously scans for exposed secrets across the entire development lifecycle. With a powerful multidimensional approach that combines both a signature-based policy library and a fine-tuned entropy model, Prisma Cloud identifies secrets in nearly any file type, from IaC templates, golden images, and Git repositories.
  • Multiple detection methods identify complex secrets like random strings or passwords.
  • Risk factors provide context for secrets to streamline prioritization and remediation.
  • Natively integrated into developer tools and workflows.
  • 100+ signature library.
    100+ signature library.
  • Fine-tuned entropy model.
    Fine-tuned entropy model.
  • Supply chain visualization.
    Supply chain visualization.
  • Broad coverage.
    Broad coverage.
  • Detection pre-commit in VCS and CI pipelines.
    Detection pre-commit in VCS and CI pipelines.
  • Detection in running workloads and apps.
    Detection in running workloads and apps.

The Prisma Cloud Solution

A Developer-First, Multidimensional Approach to Secrets Security

Precise detection

Secrets using regular expressions (access tokens, API keys, encryption keys, OAuth tokens, certificates, etc.) are the most commonly identified. Prisma Cloud leverages over 100 signatures to detect and alert on the wide array of secrets with known, predictable expressions.

  • Vast coverage

    100+ domain-specific secret detectors ensure precise alerting in both build and runtime.

  • Broad and deep scanning

    Scan for secrets in all files in your repositories and the version histories across your integrations.

Precise detection

Fine-tuned entropy model

Not all secrets are consistent or identifiable patterns. For example, random string usernames and passwords wouldn't be detected by signature based methods because they're random, potentially leaving “keys to the kingdom” exposed and publicly accessible. Prisma Cloud augments signature-based detection with a fine-tuned entropy model.

  • Fine-tuned entropy model

    Eliminate false positives with a fine-tuned entropy model that leverages string context to precisely identify complex secret types.

  • Unrivaled visibility

    Gain comprehensive visibility and control across the vast landscape of secrets used by cloud developers.

Fine-tuned entropy model

Developer feedback

Developers can analyze risks associated with exposed or vulnerable secrets in a few different ways:

  • Projects

    Native integrations in dev workflows and seamlessly surface detected secrets within a file that is non-compliant.

  • Supply chain

    The Supply Chain Graph displays the source code file nodes. A detailed investigation into the dependency tree helps developers identify the root cause of secret exposure.

  • Pull request comments

    Users can spot potentially leaked secrets as part of their pull request scans, which can be easily removed.

  • Pre-Commit hooks and CI integrations

    Leverage the pre-commit hook to block secrets from being pushed to a repository before a pull request is opened.

Developer feedback

Part of the CNAPP

The only way to ensure complete coverage when securing cloud-native applications is to embed secrets scanning at each layer and step of the development lifecycle. The Prisma Cloud Secrets module can be activated with a single click and is just one component of the industry's most comprehensive cloud-native application protection platform.

  • Identify secrets across the supply chain

    Check for exposed secrets across repos like GitHub and registries such as Docker, Quay, Artifactory and others.

  • Prevent exposed secrets in runtime

    Leverage holistic visibility from Code to CloudTM and identify exposed secrets in running workloads and cloud resources with runtime policies.

  • Agentless Secrets Scanning

    Search for secrets hidden within running and non-running workloads across all major cloud service providers such as AWS, GCP, Azure, and OCI without deploying agents.

  • Unparalleled Coverage

    Conduct searches for secrets throughout the entire filesystem and wide range of secret types, including application keys, private keys, passwords, API tokens, configuration files, cloud keys, and credentials for all CSPs.

Part of the CNAPP

Code Security modules


Automated IaC security embedded in developer workflows


Context-aware open source security and license compliance


Graph-based CI/CD security for application development environments


Full-stack, multidimensional secrets scanning across repos and pipelines.

Featured Resources

Valuable Code Security documents