Secrets
JFrog's secrets detection searches for known structures and completely random credentials (using suspicious variable matching), ensuring that our detection engines generate minimal false positives.
JFrog Security uses a constantly updated list of more than 150 specific types of credentials. In addition, JFrog Security uses a proprietary generic secrets matcher, for the best coverage possible. It also scans for issues in the certificates used in the software, such as expired or weak certificates.
JFrog Secrets detection can detect the following types of secrets:
Supported File Types:
In the IDE and Frogbot, only textual files are scanned.
In the CLI, commands such as ‘jf audit’ scan source code and look for secrets in textual files, while other commands such as ‘jf docker scan’ scan both binary and textual files.