Xygeni.io Token

ID

xygeni_token

Severity

high

Vendor

Xygeni.io

Family

API Token

Description

Xygeni is a platform for improving the Software Supply Chain Security posture for organizations.

This detector looks for the JWT used for authentication.

JSON Web Tokens (JWT) represent claims securely between two parties. They follow the open standard RFC 7519.

JWTs are JSON objects containing the claims, signed with HMAC or with a public/private key pair. A JWT has three parts: a header, a payload and a signature. The header and payload are base64url-encoded JSON objects.

Security

Any hardcoded Xygeni.io token is a potential secret reported by this detector.

Accidentally checking the token in to a source control repository could compromise your Xygeni.io account, allowing an outside party to access information about your supply chain vulnerabilities.

Examples

xya_eyJhbGciOiJIUzUxMiJ9.eyJzdWIiOiJuYXVpayIsImlhdCI6MTY2NzQwNDI2NiwiZXhwIjoxNjY5OTk2MjY2LCJhcGl0b2tlbmRhdGEiOnsidXNlckJlYW4iOnsiaWQiOjEsIm5hbWUiOiJuYXVpa191c2VyIiwibG9naW4iOiJuYXVpayIsInBhc3N3b3JkIjoiJDJhJDEyJGpOckI4MGs5MnJVdmxQMzhhTE9OYWVPb3RFWWl3VmQ1TWFDN043TDQ0Y0dYRjQueXJxLm9hIiwiY3VzdG9tZXJJZCI6MSwiYXV0aG9yaXRpZXMiOlt7ImF1dGhvcml0eSI6IlJPTEVfUk9PVCJ9XSwiZW5hYmxlZCI6ZmFsc2UsInByb2plY3RJZHMiOlsxLDIsMyw0LDYsNyw4LDksMTEsMTIsMTMsMTQsMTUsMTcsMTgsMTldLCJ1c2VybmFtZSI6Im5hdWlrIiwiYWNjb3VudE5vbkV4cGlyZWQiOnRydWUsImFjY291bnROb25Mb2NrZWQiOnRydWUsImNyZWRlbnRpYWxzTm9uRXhwaXJlZCI6dHJ1ZX0sInRva2VuSWQiOjV9fQ.F89ZjeeVgzqwd50BJUrK0SsRztQMECsSpvofw21uTDOeXc38227pC4to-X6A3avDZYkC-050GNIB_GNQLg6YwQ
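As an added example (not Xygeni's own detector code), the following Python scanner finds tokens of this shape in text, decodes the header and payload without verifying the signature, and reports the algorithm, subject and whether the token's `exp` claim has already passed, which is what a responder needs when triaging a finding. The regular expression, `make_sample_token` and the configuration lines are assumptions constructed for this example, not the vendor's rule or a real token.

```python
import base64
import json
import re
from datetime import datetime, timezone

# Assumed pattern (not the vendor's actual rule): the "xya_" prefix followed by the
# three base64url-encoded JWT segments, header.payload.signature.
XYGENI_TOKEN_RE = re.compile(r"\bxya_([A-Za-z0-9_-]+)\.([A-Za-z0-9_-]+)\.([A-Za-z0-9_-]+)")

def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding JWTs omit."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def inspect_jwt(header_b64: str, payload_b64: str) -> dict:
    """Decode header and payload WITHOUT verifying the signature (the scanner has
    no key) and pull out the fields needed to triage a leaked token."""
    header = json.loads(_b64url_decode(header_b64))
    payload = json.loads(_b64url_decode(payload_b64))
    exp = payload.get("exp")
    expired = exp is not None and datetime.now(timezone.utc).timestamp() > exp
    return {"alg": header.get("alg"), "sub": payload.get("sub"), "exp": exp, "expired": expired}

def scan_text(text: str) -> list:
    """Return one finding per Xygeni token in text, with its line number."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in XYGENI_TOKEN_RE.finditer(line):
            header_b64, payload_b64, _signature = match.groups()
            try:
                info = inspect_jwt(header_b64, payload_b64)
            except ValueError:  # binascii.Error, JSONDecodeError and bad UTF-8 all subclass it
                continue  # right shape, but not a decodable JWT: not a finding
            findings.append({"line": lineno, **info})
    return findings

def make_sample_token(payload: dict) -> str:
    """CONSTRUCTED test token: real JWT layout, dummy signature (no real HMAC)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return "xya_" + enc({"alg": "HS512"}) + "." + enc(payload) + ".dummysignature"

# Constructed CI configuration with one leaked token whose exp is in the past.
SAMPLE_CONFIG = (
    "IMAGE=registry.example/app:1.2\n"
    "XYGENI_TOKEN=" + make_sample_token({"sub": "ci-bot", "iat": 1667404266, "exp": 1669996266}) + "\n"
    "OTHER_VAR=not-a-token\n"
)
```

Running `scan_text(SAMPLE_CONFIG)` yields one finding on line 2 flagged as expired; an expired token still means the file was exposed, but it narrows the revocation work to live tokens.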

Mitigation / Fix

  1. Follow your policy for handling leaked secrets, which typically requires revoking the secret in the target system(s). Go to your Xygeni Profile, where you can revoke the leaked token and create a new one. Copy the new token, as it will not be shown again.

  2. Replace all references to the old token with the new one in your CI/CD pipelines and scripts.

  3. (Optional) Remove the token from the source code or committed configuration file.

Treat any sensitive data in commits that contain secrets as compromised.

Remember that secrets may be removed from history in your projects, but not in other users' cloned or forked repositories.

Reference