Snyk Key

ID

snyk_key

Severity

high

Vendor

Snyk

Family

API Token

Description

Snyk is a developer security platform. Integrating directly into development tools, workflows, and automation pipelines, Snyk makes it easy for teams to find, prioritize, and fix security vulnerabilities in code, dependencies, containers, and infrastructure as code.

It provides both an API to test a package for issues.

Security

Any hardcoded Snyk credential is a potential secret reported by this detector.

Accidentally checking-in the key to source control repositories could compromise your Snyk account.

For this tool, suspicious usage detection would require to regularly check a usage tab that shows number of scans on the period in the dashboard.

Examples

SNYK_TOKEN=c1427dab-3e2f-4439-8e73-26b3e5ce9f55

Mitigation / Fix

  1. Remove the API Key from the source code or committed configuration file.

  2. Follow your policy for handling leaked secrets, which typically require revoking the secret in the target system(s). Go to your Account to revoke the key.

  3. If under a git repository, you may remove unwanted files from the repository history using tools like git filter-repo or BFG Repo-Cleaner. You may follow the procedure listed here for GitHub.

You should consider any sensitive data in commits with secrets as compromised.

Remember that secrets may be removed from history in your projects, but not in other users' cloned or forked repositories.

Reference

https://support.snyk.io/hc/en-us/articles/360007584578-API-documentation