Generic API key / token

ID: apikey

Severity: low

Vendor: -

Family: Access key

Description

Detects generic API keys / tokens, inferred analyzing the context (variable or property it is assigned to).

An API key is a unique identifier that acts like a secret password to authenticate and access an API service. It’s similar to a permanent key that grants permission to use certain digital resources or services. By contrast, an API token or access token typically has a short lifetime and is limited in scope and in the permissions granted.

Think of an API key like a house key - it is long-lasting and provides general access. An access token is more like a hotel key card - it’s temporary, programmed for specific access, and expires after a certain amount of time.

This is a generic detector. When a more specific detector finds a hard-coded API key for a particular system, it will override this generic detector. Note that this detector has a high sensitivity to catch any leaked API key, so false positives may be flagged.

Security

Leaking an API key is a potential security issue. API keys are typically permanent and do not expire automatically, in contrast with access tokens.

Access tokens do expire and have finer granularity over permissions/scopes, so the impact of a compromised token is lower than that of a compromised API key.

Both should never be exposed in public code repositories, should only be transmitted over a secure protocol such as HTTPS, and should be stored encrypted.

Examples

apikey:            "YXNkZmZmZmZm_HARDcoded",
TRAVEL_API_KEY:    "YXNkZmZmZmZm_HARDcoded",
PRIVATE_API_TOKEN: "YXNkZmZmZmZm_HARDcoded",
slackKey:          "YXNkZmZmZmZm_HARDcoded",
GITLAB_KEY:        "YXNkZmZmZmZm_HARDcoded",
Google_token:      "YXNkZmZmZmZm_HARDcoded",
NUMERIC_APIKEY:    1925483168813050783076,
MY_API_SECRET:     "YXNkZmZmZmZm_HARDcoded",

To reduce false positive rates, the value of the key needs to have enough entropy per byte. Values too similar to the holding variable / property name are discarded as well.
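As an added illustration of the heuristic described above (a context name that hints at a key, enough entropy per byte, and rejection of values that merely echo their own variable name), here is a small Python detector. It is not the vendor's implementation; the context-name pattern, the length, entropy and similarity thresholds, and the sample input are all assumptions made for this example.

```python
import math
import re
from difflib import SequenceMatcher

# Assumed context names hinting at a key/token; the real detector's list is not public here.
CONTEXT_RE = re.compile(r"api[_-]?key|api[_-]?secret|api[_-]?token|token|secret|key", re.I)
# Assignments such as  name: "value",  or  NAME = value  (quoted or bare, optional trailing comma).
ASSIGN_RE = re.compile(r"""^\s*([A-Za-z_][\w.-]*)\s*[:=]\s*["']?([^"',\s]+)["']?,?\s*$""")

MIN_LENGTH = 16       # assumed: shorter values are rarely real keys
MIN_ENTROPY = 3.0     # assumed: Shannon entropy threshold, bits per byte
MAX_SIMILARITY = 0.5  # assumed: values this close to their own name are placeholders

def shannon_entropy(value: str) -> float:
    """Shannon entropy of the value's bytes, in bits per byte (0.0 for empty input)."""
    data = value.encode()
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in (data.count(b) for b in set(data)))

def name_similarity(name: str, value: str) -> float:
    """How much the value echoes its holding variable / property name, in [0, 1]."""
    return SequenceMatcher(None, name.lower(), value.lower()).ratio()

def is_generic_api_key(line: str):
    """Return (name, value) when the line looks like a hard-coded key/token, else None."""
    m = ASSIGN_RE.match(line)
    if not m or not CONTEXT_RE.search(m.group(1)):  # context must hint at a key/token
        return None
    name, value = m.group(1), m.group(2)
    if len(value) < MIN_LENGTH or shannon_entropy(value) < MIN_ENTROPY:
        return None                                  # too short or too repetitive (e.g. "xxxx...")
    if name_similarity(name, value) > MAX_SIMILARITY:
        return None                                  # e.g. API_TOKEN = "your_api_token_here"
    return name, value

def scan(text: str):
    """Return all findings in a multi-line source/config snippet."""
    return [f for f in map(is_generic_api_key, text.splitlines()) if f]

# Constructed sample; every value is made up and none is a live credential.
SAMPLE = '''
apikey:            "YXNkZmZmZmZm_HARDcoded",
NUMERIC_APIKEY:    1925483168813050783076
PLACEHOLDER_KEY:   "xxxxxxxxxxxxxxxxxxxx",
API_TOKEN:         "your_api_token_here",
timeout:           "3000000000000000000",
'''

if __name__ == "__main__":
    for name, value in scan(SAMPLE):
        print(f"possible hard-coded API key: {name} = {value!r}")
```

Only the first two sample lines are reported: the all-`x` placeholder fails the entropy check, the `your_api_token_here` value is rejected for echoing its own name, and `timeout` has no key-like context at all.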

Mitigation / Fix

You may follow this Secret Leaks Handling Guide, which provides recommendations for mitigating the issue.

  1. Audit that the reported secret is a real API key.

  2. Follow your policy for handling leaked secrets, which typically requires revoking the key in the target system(s).

  3. Replace the hard-coded key with the new one, using a more secure alternative, such as one of the options documented in How to Prevent Hard-Coded Secrets.

  4. If the code lives in a git repository, you may remove unwanted files from the repository history using tools like git filter-repo or BFG Repo-Cleaner. You may follow the procedure listed here for GitHub.

You should consider any sensitive data in commits with the API key as compromised.

Remember that secrets may be removed from history in your projects, but not in other users' cloned or forked repositories.

  5. Check access logs to ensure that the API key was not used by unintended actors during the compromised period.