Scan for secrets

Artifact Analysis vulnerability scans can identify secrets, such as service account keys and API keys, stored in scanned images. You can view information about these secrets in the vulnerability scan's occurrence report and take action to prevent exposing sensitive information.

Overview

When a vulnerability scan detects a secret, Artifact Analysis creates a secret-type occurrence with details about the secret. Artifact Analysis can detect the following secrets:

Secrets

  • Anthropic admin keys
  • Anthropic API keys
  • Azure access tokens
  • Azure ID tokens
  • Docker hub personal access tokens
  • GitHub app refresh tokens
  • GitHub app server-to-server tokens
  • GitHub app user-to-server tokens
  • GitHub classic personal access tokens
  • GitHub fine-grained personal access tokens
  • GitHub OAuth tokens
  • Google Cloud OAuth2 (client ID & secret) pairs
  • Google Cloud OAuth2 access tokens
  • Google Cloud service account keys
  • Google Cloud API keys
  • Huggingface API keys
  • OpenAI API keys
  • Perplexity API keys
  • Stripe restricted keys
  • Stripe secret keys
  • Stripe webhook secrets

For detailed information about the different types of secrets in occurrence reports, see SecretKind in the Artifact Analysis API documentation.

Artifact Analysis can detect only secrets stored as text files. The following file extensions are supported:

  • .cer
  • .cfg
  • .crt
  • .der
  • .env
  • .html
  • .key
  • .ipynb
  • .json
  • .log
  • .md
  • .pem
  • .py
  • .pypirc
  • .textproto
  • .toml
  • .txt
  • .xml
  • .yaml

Before you begin

  1. Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
  2. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

    Roles required to select or create a project

    • Select a project: Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
    • Create a project: To create a project, you need the Project Creator role (roles/resourcemanager.projectCreator), which contains the resourcemanager.projects.create permission. Learn how to grant roles.

  3. If you're using an existing project for this guide, verify that you have the permissions required to complete this guide. If you created a new project, then you already have the required permissions.

  4. Verify that billing is enabled for your Google Cloud project.

  5. Enable the Artifact Registry and Container Scanning APIs.

    Roles required to enable APIs

    To enable APIs, you need the Service Usage Admin IAM role (roles/serviceusage.serviceUsageAdmin), which contains the serviceusage.services.enable permission. Learn how to grant roles.

  6. Install the Google Cloud CLI.

  7. If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.

  8. To initialize the gcloud CLI, run the following command:

    gcloud init

Enabling this API also enables language package scanning in Artifact Registry. See supported package types.

Required roles

To get the permissions that you need to scan images for secrets during vulnerability scans, ask your administrator to grant you the following IAM roles on your project:

For more information about granting roles, see Manage access to projects, folders, and organizations.

You might also be able to get the required permissions through custom roles or other predefined roles.

View secrets

To view secrets after a vulnerability scan, do the following:

  1. Push a Docker image to Artifact Registry.

  2. Wait for the vulnerability scan to complete.

  3. Run the following command to list secret occurrences for the scanned image:

    $ curl -G -H "Content-Type: application/json" \
        -H "Authorization: Bearer $(gcloud auth print-access-token)" \
        --data-urlencode "filter=(kind=\"SECRET\" AND resourceUrl=\"RESOURCE_URL\")" \
        https://containeranalysis.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/occurrences

    Where:

    • PROJECT_ID is your Google Cloud console project ID.
    • LOCATION is the regional or multi-regional location of your repository.
    • RESOURCE_URL is the URL of the scanned image, in the format https://LOCATION-docker.pkg.dev/PROJECT_ID/REPOSITORY/IMAGE_ID.

    The following sample response shows a possible result. In this case, a Google Cloud API key stored in a file named my_api_key.yaml was identified in the documents directory of the image. The secret attribute shows information about the discovered secret, including the file path and the image layer (with the build command that produced it) where the secret was found.

    {
      "occurrences": [
        {
          "name": "projects/my-project/locations/us-east1/occurrences/45619d23-66b1-4f5b-9b12-9060d7f97ff3",
          "resourceUri": "https://us-east1-docker.pkg.dev/my-project/my-images/test-image-0106@sha256:73cf5b9a788dc391c40e9cf1599144d03875b5d2dc935988ebfef8260bd2678e",
          "noteName": "projects/my-project/locations/us-east1/notes/secret_kind_gcp_api_key",
          "kind": "SECRET",
          "createTime": "2026-01-06T21:16:14.905851Z",
          "updateTime": "2026-01-06T21:16:14.905851Z",
          "secret": {
            "kind": "SECRET_KIND_GCP_API_KEY",
            "locations": [
              {
                "fileLocation": {
                  "filePath": "documents/my_api_key.yaml",
                  "layerDetails": {
                    "index": 2,
                    "diffId": "7b76df10d6d90391830392eac96b0ef2d2d43822c6ff4754aa6daea0fe14a8c5",
                    "command": "COPY . . # buildkit",
                    "chainId": "sha256:75df0c59982f47cc38e730e1a122b67fceaaf7797d91e1fa17ffffc5cfe7ff59"
                  }
                }
              }
            ]
          }
        }
      ]
    }
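    The following added example (not Google's code or part of this page) turns the two technical pieces above into something a reviewer can run: it builds the same list-occurrences request that the curl command sends, flattens a response of the shape shown in the sample into one record per file location, flags an occurrence that hits the documented 1000-location cap, and, using the supported-extensions list from the Overview, reports which files in a build context the scanner would not inspect at all. The response it parses is constructed inline: the first occurrence is the page's sample, the second is a made-up occurrence of the same kind with placeholder identifiers. Only the standard library is used.

```python
"""Triage helpers for Artifact Analysis secret-type occurrences.

Added example, not Google's code. It assumes only the occurrence shape
shown in the documented sample response: occurrence["secret"]["kind"] and
occurrence["secret"]["locations"][i]["fileLocation"]{filePath, layerDetails}.
"""
from urllib.parse import urlencode

API_ROOT = "https://containeranalysis.googleapis.com/v1"
# Documented cap: at most 1000 file locations are returned per occurrence.
MAX_LOCATIONS_PER_OCCURRENCE = 1000
# File extensions the scanner inspects (the documented supported list).
SCANNED_EXTENSIONS = (
    ".cer", ".cfg", ".crt", ".der", ".env", ".html", ".key", ".ipynb",
    ".json", ".log", ".md", ".pem", ".py", ".pypirc", ".textproto",
    ".toml", ".txt", ".xml", ".yaml",
)


def build_secret_list_request(project_id, location, resource_url):
    """Return (url, query_string) equivalent to the documented curl -G call."""
    url = f"{API_ROOT}/projects/{project_id}/locations/{location}/occurrences"
    filter_expr = f'(kind="SECRET" AND resourceUrl="{resource_url}")'
    return url, urlencode({"filter": filter_expr})


def unscanned_files(paths):
    """Paths whose extension the scanner does not inspect (a coverage gap)."""
    # endswith() rather than os.path.splitext(): dot-files such as ".pypirc"
    # have no "extension" as far as splitext is concerned.
    return [p for p in paths if not p.lower().endswith(SCANNED_EXTENSIONS)]


def summarize_secret_occurrences(response):
    """Flatten a list-occurrences response into one record per file location."""
    findings = []
    for occ in response.get("occurrences", []):
        if occ.get("kind") != "SECRET":
            continue  # the filter should exclude these already; stay defensive
        secret = occ.get("secret", {})
        locations = secret.get("locations", [])
        for loc in locations:
            file_loc = loc.get("fileLocation", {})
            layer = file_loc.get("layerDetails", {})
            findings.append({
                "occurrence": occ.get("name"),
                "image": occ.get("resourceUri"),
                "secret_kind": secret.get("kind"),
                "file_path": file_loc.get("filePath"),
                "layer_index": layer.get("index"),
                "layer_command": layer.get("command"),
                # Hitting the per-occurrence cap means the same secret may
                # also sit in files that were not returned.
                "maybe_more_locations": len(locations) >= MAX_LOCATIONS_PER_OCCURRENCE,
            })
    return findings


# Constructed sample: the documented occurrence plus a second, made-up
# occurrence of the same kind (placeholder ids) with two file locations.
IMAGE = ("https://us-east1-docker.pkg.dev/my-project/my-images/test-image-0106"
         "@sha256:73cf5b9a788dc391c40e9cf1599144d03875b5d2dc935988ebfef8260bd2678e")
SAMPLE_RESPONSE = {
    "occurrences": [
        {
            "name": "projects/my-project/locations/us-east1/occurrences/45619d23-66b1-4f5b-9b12-9060d7f97ff3",
            "resourceUri": IMAGE,
            "noteName": "projects/my-project/locations/us-east1/notes/secret_kind_gcp_api_key",
            "kind": "SECRET",
            "secret": {
                "kind": "SECRET_KIND_GCP_API_KEY",
                "locations": [{"fileLocation": {
                    "filePath": "documents/my_api_key.yaml",
                    "layerDetails": {"index": 2, "command": "COPY . . # buildkit"},
                }}],
            },
        },
        {
            "name": "projects/my-project/locations/us-east1/occurrences/OCCURRENCE_ID_PLACEHOLDER",
            "resourceUri": IMAGE,
            "noteName": "projects/my-project/locations/us-east1/notes/secret_kind_gcp_api_key",
            "kind": "SECRET",
            "secret": {
                "kind": "SECRET_KIND_GCP_API_KEY",
                "locations": [
                    {"fileLocation": {"filePath": "config/settings.env",
                                      "layerDetails": {"index": 3, "command": "COPY config /app/config"}}},
                    {"fileLocation": {"filePath": "notebooks/demo.ipynb",
                                      "layerDetails": {"index": 3, "command": "COPY config /app/config"}}},
                ],
            },
        },
    ]
}

if __name__ == "__main__":
    url, query = build_secret_list_request("my-project", "us-east1", IMAGE)
    print(f"GET {url}?{query}")
    for f in summarize_secret_occurrences(SAMPLE_RESPONSE):
        print(f"{f['secret_kind']}: {f['file_path']} (layer {f['layer_index']}: {f['layer_command']})")
    # Constructed build-context listing: the last two would never be scanned.
    print("not scanned:", unscanned_files(["app/.pypirc", "app/main.py", "keys/id_rsa", "infra/prod.tfvars"]))
```

    Every record still needs the manual verification the Limitations section calls for; the summary only tells you which file and which layer command to look at. The unscanned_files check is the complement of a finding: a clean scan says nothing about files outside the supported extensions.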
    

Limitations

  • While secret scanning is in public preview, secret-type occurrences are viewable only in the Container Analysis API.
  • Artifact Analysis secret scanning reports on, at most, one occurrence per secret per image. At most 1000 file locations per occurrence are returned.
  • False positives may occur with identified secrets. Always verify each identified secret before taking any action on your images.