Secrets
Last updated: Mar 24, 2026
Supported
Currently, these are the secrets Fluid Attacks can detect:
- API keys
- AWS credentials
- Database connection passwords
- Express-session secrets
- Hardcoded emails (in security-related contexts)
- Hardcoded environment variables
(e.g.,
api_key,password,secret) - Hardcoded secrets in cryptographic calls
- Initialization vectors
- JWT
- Private keys
- RSA keys
- Salts
- SonarQube tokens and passwords (in identifiable fields)
- SSH keys
- Symmetric keys
- Other obtained manually (only in the Advanced plan)
Unsupported
Fluid Attacks' secrets support does not currently include the following:
- Access tokens
- Azure secrets
- Cloud provider secrets
- Cloud storage keys
- Firebase secrets
- GCP credentials
- Generic secrets
- GitHub tokens
- GitHub personal access tokens (PATs)
- Google service account keys
- HTTP basic authentication parameters
- Kubernetes secrets
- MFA tokens
- OAuth tokens
- Payment processor API keys
- PGP secret keys
- Sensitive configuration files
- Slack tokens
- Webhook URLs
Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.
SCM systems
Source code management systems supported by Fluid Attacks. Fluid Attacks is committed to adaptability so that it can integrate with your existing workflows.
Standards
Learn about the international security standards supported by Fluid Attacks to ensure compliance and enhance the security posture of your application.