Detecting Secrets


After 31st July 2024, this page would permanently be moved to a new location. You can access this page from a new URL which is present here. If you have saved or bookmarked the current URL, kindly update it with the new URL, since there will be no 301 redirect from the current URL to the new URL.

Leaked secrets, such as credentials needed to authenticate and authorize a cloud provider’s API request, expose company software, services, infrastructure, and data to hackers.

Nightfall has developed technology to detect secrets and label findings to speed SecOPs workflows from being clogged and eliminate false positive alerts.

Overall Coverage

Nightfall uses Machine Learning models trained on a large (millions of lines of code) diverse dataset (includes all programming languages and application types) to ensure best-in-class secret detection accuracy and coverage.

Explicit Labeling and Endpoint Validation for Popular Services

For a growing set of the most popular services, Nightfall will:

  • label detected secrets by vendor and service type (returned the kind field of the response)
  • label detected secrets as active risks by validating supported credential types with their associated service endpoints (returned as the status of the service)

Our current solution supports the following vendors covering a diverse set of use cases, including cloud storage/infrastructure, communication, social networks, software development, banking, observability, and payment processing.

This list is not static and will continue to grow as we add support for detecting API keys from additional services. If you are interested in detecting API keys from a service not listed below, please contact us.

  • AWS
  • Azure
  • Confluence
  • Confluent
  • Datadog
  • ElasticSearch
  • Facebook
  • GCP (New)
  • Google API
  • GitHub
  • GitLab
  • JIRA
  • JWT (New)
  • Nightfall
  • Notion (New)
  • Okta
  • Paypal
  • Plaid
  • Postmark (New)
  • Postman (New)
  • RapidAPI (New)
  • Salesforce
  • Sendgrid (New)
  • Slack
  • Snyk (New)
  • Splunk
  • Square
  • Stripe
  • Twitter
  • Twilio
  • Zapier
  • Key Detection Example

    Below is an example of how an AWS Key would be shown in a finding.

      "finding": "zImaKNJJ8u/seIbm1UszokVz3SSARukJs6cghEBXD",
      "detector": {
        "name": "API key",
        "uuid": "0e95732f-bc5c-448f-9d15-bd1417177360"
      "confidence": "VERY_LIKELY",
      "findingMetadata": {
        "apiKeyMetadata": {
          "status": "ACTIVE",
          "kind": "AWS",
          "description": "Access Key ID: AKIA52FSMBPZS1JIDTPX"

    The following values are returned for the status field:

    • ACTIVE

    This value will be based on what information is returned by the corresponding service when attempting the validate the key. If no data is returned fro the service, it will be considered UNVERIFIED.

    To use this functionality, you use our existing built-in API_KEY detector to scan a data source such as Git Repository. Below is an example using a detection rule defined in line for a text scan.

    curl --request POST \
         --url \
         --header 'Authorization: Bearer NF-rEpLaCeM3w1ThYoUrNiGhTfAlLKeY123' \
         --header 'Content-Type: application/json' \
         --data '{
           "policy": {
                "detectionRules": [
                          "detectors": [
                                    "detectorType": "NIGHTFALL_DETECTOR",
                                    "nightfallDetector": "API_KEY",
                                    "minNumFindings": 1,
                                    "minConfidence": "LIKELY",
                                    "displayName": "API Key"
                          "name": "My Match Rule",
                          "logicalOp": "ANY"
           "payload": [
                "Is this an active nightfall key? NF-OZ6F9fzF2z5mRxMrUdfL8FddFS51kPzE"