All secrets detected by a security scan should be considered compromised. Once a secret is published, anyone who had read access to the page could have obtained a copy. Locking down the permissions on the page, deleting it, or deleting all the page versions which contained the secret are all good steps, but they don’t sufficiently remediate the risk.

Soteri recommends to:

  • Change the secret.

    • If a password is found, change it.

    • If an access token is found, generate a new access token and update your services to use the new token. Once all your services have been updated, revoke the old token.

  • Delete the secret from Confluence. Secrets improperly stored in Confluence, revoked or not, send the signal to users that secrets can be stored this way.