
Vulnerabilities Detected by Security for Bitbucket

The rules below are the secret and source-code patterns that Soteri's Security for Bitbucket currently detects. Unless noted otherwise, every rule is enabled by default.

| Rule Name | Description |
|---|---|
| AWS_CLIENT_ID | AWS IAM access key IDs uniquely identify an access key belonging to an IAM user or temporary session. The ID alone does not authenticate, but paired with its secret access key it grants programmatic access to the account, and a leaked ID tells an attacker exactly which account and credential to target. |
| AWS_MWS_KEY | Amazon Marketplace Web Service (MWS) auth tokens give programmatic access to an Amazon seller account. |
| AWS_SECRET_ACCESS_KEY | AWS secret access keys are the secret half of an access key pair. Together with the key ID they authenticate AWS CLI, SDK and API calls with the owner's full IAM permissions. |
| AZURE_ACCESS_KEY | Azure access keys grant full, unscoped access to the Azure resource they belong to (for a storage account key, every blob, queue, table and file in that storage account). |
| DYNATRACE_CLIENT_SECRET | Dynatrace client secrets grant access to your Dynatrace environment's API. |
| EC_PRIVATE_KEY | Elliptic-curve private keys (`-----BEGIN EC PRIVATE KEY-----` blocks). We detect many common SSH private key formats. |
| FACEBOOK_CLIENT_ID | Facebook application IDs. |
| FACEBOOK_SECRET_KEY | Facebook application secrets. |
| GENERIC_API_KEY | Generic API keys: heuristic logic for API keys that do not match a vendor-specific rule. |
| GENERIC_PASSWORD | Generic passwords: heuristic logic for password assignments. This rule may generate many false positives and is disabled by default. |
| GENERIC_SECRET | Generic secrets: heuristic logic for secrets that do not match a vendor-specific rule. |
| GITHUB_KEY | GitHub authentication tokens, both personal access tokens and GitHub App/OAuth tokens. |
| GOOGLE_API_KEY | Google API keys. |
| GOOGLE_OAUTH | Google OAuth URLs. |
| GOOGLE_OAUTH_ACCESS_TOKEN | Google OAuth access tokens. |
| HEROKU_API_KEY | Heroku API keys. |
| LINKEDIN_CLIENT_ID | LinkedIn client IDs. |
| LINKEDIN_CLIENT_SECRET | LinkedIn client secrets. |
| MAILCHIMP_API_KEY | Mailchimp API keys. |
| MAILGUN_API_KEY | Mailgun API keys. |
| PASSWORD_IN_URL | Generic password in URL: detects credentials embedded in URLs of the form `scheme://user:password@host`, which end up in logs, browser history and shell history. |
| PAYPAL_BRAINTREE_ACCESS_TOKEN | PayPal Braintree access tokens. |
| PGP_PRIVATE_KEY | PGP private keys (`-----BEGIN PGP PRIVATE KEY BLOCK-----` blocks). |
| PKCS8_PRIVATE_KEY | PKCS#8 private keys (`-----BEGIN PRIVATE KEY-----` and `-----BEGIN ENCRYPTED PRIVATE KEY-----` blocks). We detect many common SSH private key formats. |
| PYPI_UPLOAD_TOKEN | Python Package Index (PyPI) upload tokens allow publishing packages to the public index under the token owner's identity. A leaked token lets an attacker publish a malicious release of your package. |
| RSA_PRIVATE_KEY | RSA private keys (`-----BEGIN RSA PRIVATE KEY-----` blocks). We detect many common SSH private key formats. |
| SENDGRID_API_KEY | SendGrid API keys. |
| SHOPIFY_PARTNER_API_ACCESS_TOKEN | Shopify Partner API access tokens provide access to a given store's API. |
| SHOPIFY_SECRETS | Shopify API secrets give access to all aspects of the general Shopify API. This rule detects shared secrets and access tokens for regular, custom and private applications. |
| SLACK | Slack API tokens give access to various API features. |
| SLACK_WEBHOOK | Slack incoming webhook URLs are secret URLs: anyone holding one can post messages into the associated workspace channel without any other credential. |
| SQUARE_ACCESS_TOKEN | Square access tokens. |
| SQUARE_OAUTH_SECRET | Square OAuth secrets. |
| SSH_PRIVATE_KEY | Generic SSH private keys, including the `-----BEGIN OPENSSH PRIVATE KEY-----` format. We detect many common SSH private key formats. |
| SSH_PUBLIC_KEY | The public half of a key pair used for key-based authentication. A weak public key (for example a short RSA modulus or a key produced by a flawed random number generator) can be factored or otherwise recovered by an attacker, which is equivalent to leaking the private key. Since properly generated public keys are not a threat, this rule is disabled by default. |
| TROJAN_SOURCE | Detects Unicode bidirectional (Bidi) control characters, such as the left-to-right and right-to-left overrides and isolates, which can reorder how source code is displayed so that what a reviewer reads differs from what the compiler parses. For more information, see the Trojan Source paper and CVE-2021-42574 in the NIST Database. Note: the homoglyph attack described in the same paper, tracked as CVE-2021-42694 in the NIST Database, is not detected by this rule, as it generates many false positives for non-English languages. See Mitigating Trojan Source attacks for Soteri's recommendations if you are interested in detecting potential homoglyph attacks. |
| STRIPE_API_KEY | Stripe API keys. |
| TWILIO_ACCOUNT_ID | Twilio account IDs (account SIDs), part of the Twilio API credentials. |
| TWILIO_API_KEY | Twilio API keys, part of the Twilio API credentials. |
| TWITTER_CLIENT_ID | Twitter client IDs. |
| TWITTER_SECRET_KEY | Twitter secret keys. |
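The rules above are, in practice, pattern matches run over committed text. The following added example (written for this page; it is not Soteri's code and its regexes are not Soteri's rules) shows how a handful of them can be approximated: regexes for AWS access key IDs, PEM private-key headers and Slack webhook URLs, URL parsing for PASSWORD_IN_URL, and a GENERIC_PASSWORD heuristic with a placeholder filter that illustrates why that rule is noisy. The patterns, the `Finding` type and the sample lines are all constructed assumptions; findings are redacted so the scanner never re-leaks what it finds.

```python
"""Illustrative secret scanner for a few rule classes from the table above.

Written for this page as an example; the patterns are simplified stand-ins,
not Soteri's own rules, and will miss formats a production scanner handles.
"""
import re
from typing import Dict, List, NamedTuple
from urllib.parse import urlsplit


class Finding(NamedTuple):
    rule: str
    line: int
    redacted: str  # never store or log the full secret


# Hypothetical regexes in the spirit of the rules above (assumptions, not Soteri's patterns).
PATTERNS: Dict[str, "re.Pattern"] = {
    # AWS access key IDs: AKIA (long-term) or ASIA (temporary) plus 16 upper-case alphanumerics.
    "AWS_CLIENT_ID": re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])"),
    # PEM headers for RSA, EC, DSA, OpenSSH, PKCS#8 (plain/encrypted) and PGP private keys.
    "PRIVATE_KEY": re.compile(
        r"-----BEGIN (?:RSA |EC |DSA |OPENSSH |ENCRYPTED |PGP )?PRIVATE KEY(?: BLOCK)?-----"
    ),
    # Slack incoming webhook URLs (team id / bot id / token).
    "SLACK_WEBHOOK": re.compile(
        r"https://hooks\.slack\.com/services/T[A-Z0-9]+/B[A-Z0-9]+/[A-Za-z0-9]+"
    ),
    # GENERIC_PASSWORD heuristic: a quoted literal assigned to a password-like name.
    # Group 1 is the literal. A lookup such as os.environ["DB_PASSWORD"] has no quote
    # directly after the '=' and is therefore not flagged.
    "GENERIC_PASSWORD": re.compile(
        r"""(?i)(?:password|passwd|pwd)\s*[:=]\s*["']([^"']{4,})["']"""
    ),
}

# Template references that are a frequent GENERIC_PASSWORD false positive:
# ${VAR}, {{ var }}, <placeholder>, %VAR%.
PLACEHOLDER = re.compile(r"^(?:\$\{.*\}|\{\{.*\}\}|<.*>|%.*%)$")

# Any scheme://... token; embedded credentials are then extracted by parsing, not regex.
URL = re.compile(r"""\b[a-z][a-z0-9+.-]*://[^\s'"]+""", re.I)


def redact(secret: str) -> str:
    """Keep a 4-character prefix for triage; fully mask anything short enough to guess."""
    if len(secret) <= 8:
        return "*" * len(secret)
    return secret[:4] + "*" * (len(secret) - 4)


def scan_line(lineno: int, line: str) -> List[Finding]:
    found: List[Finding] = []
    for rule, rx in PATTERNS.items():
        for m in rx.finditer(line):
            secret = m.group(1) if rx.groups else m.group(0)
            if rule == "GENERIC_PASSWORD" and PLACEHOLDER.match(secret):
                continue  # template reference, not a real credential
            found.append(Finding(rule, lineno, redact(secret)))
    # PASSWORD_IN_URL: urlsplit handles any scheme and percent-encoded userinfo.
    for m in URL.finditer(line):
        parts = urlsplit(m.group(0))
        if parts.password:
            found.append(Finding("PASSWORD_IN_URL", lineno, redact(parts.password)))
    return found


def scan_for_secrets(text: str) -> List[Finding]:
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        findings.extend(scan_line(lineno, line))
    return findings


# Constructed sample input (no real credentials; the AWS key ID is Amazon's documented example).
SAMPLE = """\
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
password = os.environ["DB_PASSWORD"]
password = "${DB_PASSWORD}"
DB_PASSWORD = 'hunter2-prod'
DATABASE_URL = "postgres://app:s3cret@db.internal:5432/prod"
SLACK_URL = "https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX"
-----BEGIN OPENSSH PRIVATE KEY-----
"""

if __name__ == "__main__":
    for f in scan_for_secrets(SAMPLE):
        print(f"line {f.line}: {f.rule} {f.redacted}")
```

Against the constructed sample the scanner reports lines 1, 4, 5, 6 and 7 and stays silent on lines 2 and 3: the environment lookup and the `${DB_PASSWORD}` template are exactly the kind of input that makes a generic password rule noisy when it is not filtered.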

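The TROJAN_SOURCE rule is a character-class check rather than a secret pattern. As an added example (written for this page, not Soteri's implementation), the script below flags the nine Bidi embedding, override and isolate characters the paper relies on, reports each with its Unicode name and position, and re-prints the offending line with the controls made visible so a reviewer sees the stored order. The `BidiFinding` type, the `find_bidi_controls` and `make_visible` helpers and the sample input are all constructed for this example; the sample follows the spirit of the paper's "commenting-out" attack, where an isolate inside a docstring hides an early `return`.

```python
"""Flag Unicode bidirectional-control characters (Trojan Source, CVE-2021-42574).

Written for this page as an example of the check the TROJAN_SOURCE rule performs;
it is not Soteri's code.
"""
import sys
import unicodedata
from typing import List, NamedTuple

# Bidi formatting characters (UAX #9) that can reorder how text is displayed:
# explicit embeddings and overrides U+202A..U+202E, isolates U+2066..U+2069.
BIDI_CONTROLS = frozenset(
    chr(cp) for cp in [*range(0x202A, 0x202F), *range(0x2066, 0x206A)]
)


class BidiFinding(NamedTuple):
    line: int       # 1-based line number
    column: int     # 1-based column, counted in code points
    codepoint: str  # e.g. "U+202E"
    name: str       # e.g. "RIGHT-TO-LEFT OVERRIDE"


def find_bidi_controls(text: str) -> List[BidiFinding]:
    """Return every Bidi control character in `text` with its position and Unicode name."""
    findings: List[BidiFinding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if ch in BIDI_CONTROLS:
                findings.append(
                    BidiFinding(lineno, col, f"U+{ord(ch):04X}", unicodedata.name(ch))
                )
    return findings


def make_visible(line: str) -> str:
    """Replace Bidi controls with \\uXXXX escapes so the reviewer sees the stored order."""
    return "".join(f"\\u{ord(c):04X}" if c in BIDI_CONTROLS else c for c in line)


# Constructed sample: a RIGHT-TO-LEFT ISOLATE (U+2067) sits inside the docstring, so a
# Bidi-aware editor can display the closing quotes and the ";return" as if they were
# part of the docstring text, while the interpreter sees a complete docstring followed
# by an unconditional return. The subtraction on line 3 therefore never runs.
# (Exact rendering depends on the editor's Bidi support.)
SAMPLE = (
    "def subtract_funds(account, amount):\n"
    "    ''' Subtract funds from bank account then \u2067''' ;return\n"
    "    bank[account] -= amount\n"
)


def main(paths: List[str]) -> int:
    """Scan the given files; exit non-zero if any Bidi control is found."""
    status = 0
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            lines = fh.read().splitlines()
        for f in find_bidi_controls("\n".join(lines)):
            status = 1
            print(f"{path}:{f.line}:{f.column}: {f.codepoint} {f.name}")
            print("    " + make_visible(lines[f.line - 1]))
    return status


if __name__ == "__main__":
    if len(sys.argv) > 1:
        sys.exit(main(sys.argv[1:]))
    for f in find_bidi_controls(SAMPLE):
        print(f"sample:{f.line}:{f.column}: {f.codepoint} {f.name}")
        print("    " + make_visible(SAMPLE.splitlines()[f.line - 1]))
```

Run it with file paths to use it as a pre-receive or CI gate (`python trojan_check.py $(git ls-files)`), or with no arguments to see the constructed sample flagged. As the page notes for the real rule, this only catches the Bidi attack; homoglyph substitutions (CVE-2021-42694) are a different check.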
