All secrets detected by a security scan should be considered compromised. Once a secret is published, anyone who had read access to the space could have obtained a copy. Locking down the permissions on the work item or deleting it are good steps to take, but they don’t sufficiently remediate the risk.
Soteri recommends that you:
- Change the secret.
  - If a password is found, change it.
  - If an access token is found, generate a new access token and update your services to use the new token. Once all your services have been updated, revoke the old token.
- Delete the secret from Jira. Secrets improperly stored in Jira, revoked or not, send the signal to users that secrets can be stored this way.
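The access-token step above is an overlap rotation: the replacement is minted while the leaked token is still valid, every consumer is moved over, and only then is the old token revoked. The following is an added example (not Soteri's code or any Jira API) that models that sequence with an in-memory issuer, refuses to revoke while a service still presents the old token, and shows why deleting or locking the work item alone is not enough: a leaked token that the issuer still accepts is live regardless of where it was found. `TokenAuthority`, `Service`, the `tok_` prefix and the sample issue text are all constructed for illustration.

```python
import re
import secrets
from dataclasses import dataclass


class TokenAuthority:
    """In-memory stand-in for whatever system issues and validates access tokens."""

    def __init__(self) -> None:
        self._valid: set[str] = set()

    def issue(self) -> str:
        # Constructed token format; real issuers have their own.
        token = "tok_" + secrets.token_urlsafe(24)
        self._valid.add(token)
        return token

    def revoke(self, token: str) -> None:
        self._valid.discard(token)

    def is_valid(self, token: str) -> bool:
        return token in self._valid


@dataclass
class Service:
    """A consumer that authenticates with one token."""
    name: str
    token: str


def begin_rotation(authority: TokenAuthority) -> str:
    """Step 1: mint the replacement. The leaked token stays valid during the overlap window."""
    return authority.issue()


def update_service(service: Service, old: str, new: str) -> None:
    """Step 2: point one consumer at the new token."""
    if service.token == old:
        service.token = new


def finish_rotation(authority: TokenAuthority, services: list[Service], old: str) -> list[str]:
    """Step 3: revoke the old token, but only once no consumer still presents it.

    Returns the names of services still using the old token; the revocation
    happens only when that list is empty, so stragglers are never cut off.
    """
    stragglers = [s.name for s in services if s.token == old]
    if not stragglers:
        authority.revoke(old)
    return stragglers


# Matches the constructed token format used by TokenAuthority above.
TOKEN_RE = re.compile(r"tok_[A-Za-z0-9_-]{20,}")


def live_secrets_in(text: str, authority: TokenAuthority) -> list[str]:
    """Tokens found in a work item body that the issuer still accepts.

    Anything returned here is a usable credential whether or not the item has
    since been restricted or deleted; only revocation empties this list.
    """
    return [t for t in TOKEN_RE.findall(text) if authority.is_valid(t)]


if __name__ == "__main__":
    auth = TokenAuthority()
    leaked = auth.issue()
    services = [Service("billing", leaked), Service("reports", leaked)]
    # Constructed work item text containing the leaked token.
    issue_body = "Use this key for the API: " + leaked
    print("live before rotation:", len(live_secrets_in(issue_body, auth)))

    fresh = begin_rotation(auth)
    update_service(services[0], leaked, fresh)
    print("blocked by:", finish_rotation(auth, services, leaked))
    update_service(services[1], leaked, fresh)
    print("blocked by:", finish_rotation(auth, services, leaked))
    print("live after rotation:", len(live_secrets_in(issue_body, auth)))
```

The revocation is deliberately gated on `finish_rotation` reporting no stragglers: revoking early breaks whichever service was not yet switched, while skipping the final revoke leaves the leaked credential working. Both mistakes are common when rotation is done by hand, which is why the sequence is worth encoding.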