Detecting Secrets

Leaked secrets, such as credentials needed to authenticate and authorize a cloud provider’s API request, expose company software, services, infrastructure, and data to hackers.

Nightfall has developed technology to detect secrets and label findings to speed SecOPs workflows from being clogged and eliminate false positive alerts.

Overall Coverage

Nightfall uses machine learning models trained on a large (millions of lines of code) diverse dataset (including all programming languages and application types) to ensure best-in-class secret detection accuracy and coverage.

For a growing set of the most popular services, Nightfall will:

  • label detected secrets by vendor and service type (returned the kind field of the response)

  • label detected secrets as active risks by validating supported credential types with their associated service endpoints (returned as the status of the service)

Our current solution supports the following vendors covering a diverse set of use cases, including cloud storage/infrastructure, communication, social networks, software development, banking, observability, and payment processing.

This list is not static and will continue to grow as we add support for detecting API keys from additional services. If you want to detect API keys from a service not listed below, please contact us.

  • AWS

  • Azure

  • Confluence

  • Confluent

  • Datadog

  • ElasticSearch

  • Facebook

  • GCP

  • Google API

  • GitHub

  • GitLab

  • JIRA

  • JWT

  • Nightfall

  • Notion

  • Okta

  • Paypal

  • Plaid

  • Postmark

  • Postman

  • RapidAPI

  • Salesforce

  • Sendgrid

  • Slack

  • Snyk

  • Splunk

  • Square

  • Stripe

  • Twitter

  • Twilio

  • Zapier

Key Detection Example

Below is an example of how an AWS Key would be shown in a finding.

  "finding": "zImaKNJJ8u/seIbm1UszokVz3SSARukJs6cghEBXD",
  "detector": {
    "name": "API key",
    "uuid": "0e95732f-bc5c-448f-9d15-bd1417177360"
  "confidence": "VERY_LIKELY",
  "findingMetadata": {
    "apiKeyMetadata": {
      "status": "ACTIVE",
      "kind": "AWS",
      "description": "Access Key ID: AKIA52FSMBPZS1JIDTPX"

The following values are returned for the status field:




This value will be based on what information is returned by the corresponding service when attempting the validate the key. If no data is returned fro the service, it will be considered UNVERIFIED.

To use this functionality, you use our existing built-in API_KEY detector to scan a data source such as Git Repository. Below is an example using a detection rule defined in line for a text scan.

curl --request POST \
     --url \
     --header 'Authorization: Bearer NF-rEpLaCeM3w1ThYoUrNiGhTfAlLKeY123' \
     --header 'Content-Type: application/json' \
     --data '{
       "policy": {
            "detectionRules": [
                      "detectors": [
                                "detectorType": "NIGHTFALL_DETECTOR",
                                "nightfallDetector": "API_KEY",
                                "minNumFindings": 1,
                                "minConfidence": "LIKELY",
                                "displayName": "API Key"
                      "name": "My Match Rule",
                      "logicalOp": "ANY"
       "payload": [
            "Is this an active nightfall key? NF-OZ6F9fzF2z5mRxMrUdfL8FddFS51kPzE"

Last updated