Additional "Strict" secret detections for DAST

Everyone can contribute. Help move this issue forward while earning points, leveling up and collecting rewards.

• Close this issue

Problem to solve

Customer reported (internal), When secrets are generated dynamically by applications, they can be leaked and DAST tools are the correct tool (not secret detection scanning source code) to identify these secrets.

Proposal

Add the following detections to DAST. If these are likely to generate false positives, include them in a variable that customers can optionally apply, rather than including them in the default ruleset.

Expand the existing checks (PII/Auth Tokens) to work on headers, query string, etc. in addition to body.

• AWS Access Key ID
• AWS Secret Access Key
• Username
• Password
• Auth Header
• API token
• GitLab PAT
• Slack token
• Credit Card number
• SSN
• Azure API key
• Static Azure API key