A significant risk in any Confluence environment is that any user can publish sensitive information such as passwords, private keys, and access keys in cleartext, right into a Confluence page.

Confluence will not catch this. It has no built-in mechanism to detect content that contains credentials which could fall into the wrong hands, and the typical workflows make this an all-too-easy omission even for well-intentioned users.

This poses an enormous security risk, as the information could be passwords for network devices, private keys, or personal credentials for highly sensitive systems. Exposure can lead to privilege escalation, either by malicious users who have network access to the Confluence instance or by an external attacker who has breached perimeter security.

Our application integrates with Confluence to actively detect sensitive information in published content, whether it was added accidentally or otherwise.

Scanning spaces and pages

Content can be scanned manually, by selecting a space or a specific page to scan, or automatically whenever new content is published, by enabling the "Scan new content automatically" switch for the space. Automatic scanning applies to content published after the switch is enabled, so run a manual scan first to cover the pages the space already contains.

Viewing and triggering security scans requires Space Administrator permission. Navigate to the space of your choice and open the Security Scan tab.

Supported Secrets & Keys

Here is a list of the secret and key types that Security for Confluence Server currently detects:

Common Keys (all SUPPORTED)

EC keys
Generic secrets
Generic API keys (the most general pattern that an API key will match)
PKCS#8 private keys (PEM-encoded, the format commonly used on Unix machines)
SSH keys
Passwords in URLs
PGP keys
Password detection (passwords stored in plain text)
Custom key and pattern detection through user-supplied regular expressions

API Keys (all SUPPORTED)

AWS client IDs
AWS secret keys
AWS MWS keys
Facebook secret keys
Facebook client IDs
Facebook access tokens
GitHub keys
Google API keys
Google Cloud Platform API keys
Google OAuth access tokens
Heroku API keys
LinkedIn client IDs
Mailchimp API keys
Mailgun API keys
PayPal Braintree access tokens
Picatic API keys
Slack keys
Slack webhooks
Square access tokens
Square OAuth secrets
Stripe API keys
Twilio API keys
Twitter client IDs
Twitter secret keys
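As an added example, and not code from Security for Confluence Server, the following Python scanner shows what the rule categories above look like in practice: it runs simplified versions of a private-key, AWS key, Slack webhook, password-in-URL, plain-text password and generic API key rule over a constructed sample page, and shows how a custom regular expression is added alongside the built-in rules. The patterns, rule names, the `custom:` prefix and the sample page content are all assumptions made for illustration; the add-on's real patterns are not published on this page.

```python
"""Illustrative secret scanner for Confluence-style page text.

Added example, not code from Security for Confluence Server. Every
pattern below is a simplified, assumed version of the rule category it
is named after; the add-on's own rules are not shown on its page.
"""
import re
from typing import Dict, List, NamedTuple, Optional


class Finding(NamedTuple):
    rule: str    # which rule fired
    line: int    # 1-based line number within the page text
    secret: str  # captured credential, or the whole match when the rule has no group


# Built-in rules (assumed). A rule with a capture group reports only group 1,
# so the finding carries the credential rather than the surrounding label.
RULES: Dict[str, re.Pattern] = {
    # PEM-armoured private keys: PKCS#8 ("PRIVATE KEY"), EC, RSA/SSH, OpenSSH and PGP.
    "private-key-block": re.compile(
        r"-----BEGIN (?:(?:RSA|EC|DSA|OPENSSH|PGP) )?PRIVATE KEY(?: BLOCK)?-----"),
    # AWS access key IDs: AKIA (long-term) or ASIA (temporary) plus 16 upper-case alphanumerics.
    "aws-access-key-id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    # AWS secret access keys have no fixed prefix, so anchor on nearby "aws ... secret" context.
    "aws-secret-access-key": re.compile(
        r"aws.{0,30}?secret.{0,30}?\b([A-Za-z0-9/+]{40})\b", re.I),
    # Slack incoming webhook URLs.
    "slack-webhook": re.compile(
        r"https://hooks\.slack\.com/services/T[0-9A-Z]+/B[0-9A-Z]+/[0-9A-Za-z]+"),
    # Credentials embedded in a URL: scheme://user:password@host
    "password-in-url": re.compile(
        r"[a-z][a-z0-9+.-]*://[^/\s:@]+:[^/\s@]+@[^\s/]+", re.I),
    # Plain-text password written on a page: "password: ..." or "pwd = ..."
    "password-assignment": re.compile(
        r'''\b(?:password|passwd|pwd)\b\s*[:=]\s*['"]?([^\s'"]{4,})''', re.I),
    # Generic API key or secret: a key-like label followed by a long token.
    "generic-api-key": re.compile(
        r'''(?:api[_-]?key|secret|token)\s*[:=]\s*['"]?([A-Za-z0-9_\-]{20,})''', re.I),
}


def scan_text(text: str, custom_rules: Optional[Dict[str, str]] = None) -> List[Finding]:
    """Run the built-in rules, plus any custom name -> regex rules, over every line."""
    rules = dict(RULES)
    for name, pattern in (custom_rules or {}).items():
        # Organisation-specific patterns, the equivalent of the add-on's custom regex option.
        rules["custom:" + name] = re.compile(pattern)
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, rx in rules.items():
            for m in rx.finditer(line):
                secret = m.group(1) if m.lastindex else m.group(0)
                findings.append(Finding(name, lineno, secret))
    return findings


def mask(secret: str, keep: int = 4) -> str:
    """Report a finding without re-publishing the credential in full."""
    return secret[:keep] + "*" * max(0, len(secret) - keep)


# Constructed sample page content. The AWS values are the placeholder keys from
# AWS's own documentation; everything else is made up for this example.
SAMPLE_PAGE = """\
Deployment notes for the payments service (constructed sample content)
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
Admin password: Winter2024!
db url: postgres://app:Sup3rS3cret@db.internal.example:5432/payments
stripe api_key = sk_test_0123456789abcdefABCDEF01
alerts go to https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
-----END OPENSSH PRIVATE KEY-----
The public key is in ~/.ssh/id_ed25519.pub and is fine to share.
Ticketing integration id: ACME-0123456789ABCDEF
"""

if __name__ == "__main__":
    # The hypothetical "acme-token" rule only fires once it is supplied as a custom pattern.
    custom = {"acme-token": r"\bACME-[0-9A-F]{16}\b"}
    for f in scan_text(SAMPLE_PAGE, custom_rules=custom):
        print(f"line {f.line:>2}  {f.rule:<24}  {mask(f.secret)}")
```

The public-key line and the base64 body of the PEM block produce no findings, which is the behaviour you want: a scanner that flags every long token will train users to ignore it. Findings are printed masked so the scan report itself does not become a second copy of the secret.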