Contact UsGet started
© 2025 Direct Cursus Technology L.L.C.

Scanning for Yandex Cloud secrets in public sources

Written by
Updated at December 14, 2023

Yandex Cloud scans public sources for the following types of secrets:

Yandex Cloud is connected to the following secret scanning tools:

GitHub

Yandex Cloud is connected to the secret scanning partner program to reduce user risks caused by a leak of secrets to public repositories.

By default, GitHub scans public repositories for Yandex Cloud secrets and sends any suspicious fragment to Yandex Cloud.

Scanning in public repositories is done automatically. A repository administrator or organization owner can enable secret scanning for a private repository.

GitLab

A standard list of secret templates for Secret Detection includes Yandex Cloud secrets.

To enable Secret Detection for your project, follow this guide.

Yandex search index

By default, Yandex Cloud scans pages indexed with the Yandex search engine for secrets.

Helm charts in Yandex Cloud Marketplace

By default, Yandex Cloud scans Helm charts available in Yandex Cloud Marketplace for secrets.

How one may learn that a secret has been detected

If a valid secret is detected, the organization owner will get an email from the Yandex Cloud support email address. It will contain part of the detected secret and the URL of the resource where it is detected.

Identity and Access Management will also log the DetectLeakedCredential event to the audit log.

What one can do if a secret is detected

If your secret got leaked to a public repository:

  1. Re-issue or revoke the secret by following this guide. Delete the affected resources, if required.
  2. Delete the secret from the repository or commit history. To do this, follow the guides for GitHub or GitLab.

Warning

Yandex Cloud does not revoke detected secrets and does not remove them from repositories. Any action on a secret is only performed by their owner.

You can use the following regular expressions to scan your repositories on your own:

  • IAM Cookies

    c1\.[A-Z0-9a-z_-]+[=]{0,2}\.[A-Z0-9a-z_-]{86}[=]{0,2}

  • IAM tokens

    t1\.[A-Z0-9a-z_-]+[=]{0,2}\.[A-Z0-9a-z_-]{86}[=]{0,2}

  • API keys

    AQVN[A-Za-z0-9_\-]{35,38}

  • Static access keys

    YC[a-zA-Z0-9_\-]{38}

  • OAuth tokens

    y[0-3]_[-_A-Za-z0-9]{55}

  • SmartCaptcha server keys

    ysc2_[a-zA-Z0-9]{40}[0-9a-f]{8}

Note

Use regular expressions carefully because the format of secrets may change moving forward. The changes might not appear in the documentation immediately.

Previous
If you are being attacked from Yandex Cloud addresses
Next
User support policy during vulnerability scanning