Scanning for Yandex Cloud secrets in public sources
Yandex Cloud scans public sources for the following types of secrets:
Yandex Cloud is connected to the following secret scanning tools:
- GitHub Secret scanning partner program
- GitLab Secret Detection
- Yandex search index
- Helm charts in Yandex Cloud Marketplace
GitHub
Yandex Cloud is connected to the secret scanning partner program to reduce user risks caused by a leak of secrets to public repositories.
By default, GitHub scans public repositories for Yandex Cloud secrets and sends any suspicious fragment to Yandex Cloud.
Scanning in public repositories is done automatically. A repository administrator or organization owner can enable secret scanning for a private repository.
GitLab
A standard list of secret templates for Secret Detection includes Yandex Cloud secrets.
To enable Secret Detection for your project, follow this guide.
Yandex search index
By default, Yandex Cloud scans pages indexed with the Yandex search engine for secrets.
Helm charts in Yandex Cloud Marketplace
By default, Yandex Cloud scans Helm charts available in Yandex Cloud Marketplace for secrets.
How one may learn that a secret has been detected
If a valid secret is detected, the organization owner will get an email from the Yandex Cloud support email address. It will contain part of the detected secret and the URL of the resource where it is detected.
Identity and Access Management will also log the DetectLeakedCredential event to the audit log.
What one can do if a secret is detected
If your secret got leaked to a public repository:
- Re-issue or revoke the secret by following this guide. Delete the affected resources, if required.
- Delete the secret from the repository or commit history. To do this, follow the guides for GitHub or GitLab.
Warning
Yandex Cloud does not revoke detected secrets and does not remove them from repositories. Any action on a secret is only performed by their owner.
Scanning secrets on your own
You can use the following regular expressions to scan your repositories on your own:
-
IAM Cookies
c1\.[A-Z0-9a-z_-]+[=]{0,2}\.[A-Z0-9a-z_-]{86}[=]{0,2} -
IAM tokens
t1\.[A-Z0-9a-z_-]+[=]{0,2}\.[A-Z0-9a-z_-]{86}[=]{0,2} -
API keys
AQVN[A-Za-z0-9_\-]{35,38} -
Static access keys
YC[a-zA-Z0-9_\-]{38} -
OAuth tokens
y[0-3]_[-_A-Za-z0-9]{55} -
SmartCaptcha server keys
ysc2_[a-zA-Z0-9]{40}[0-9a-f]{8}
Note
Use regular expressions carefully because the format of secrets may change moving forward. The changes might not appear in the documentation immediately.