What do I do if a security scan finds a secret?
All secrets detected by a security scan should be considered compromised. Once a secret is published, anyone who had read access to the project could have obtained a copy. Locking down the permissions on the issue, deleting it, or deleting every issue version that contained the secret are all worthwhile steps, but none of them sufficiently remediates the risk.
Soteri recommends that you:
Change the secret.
If a password is found, change it.
If an access token is found, generate a new access token and update your services to use the new token. Once all your services have been updated, revoke the old token.
Delete the secret from Jira. A secret left in Jira, revoked or not, signals to users that secrets can be stored this way.