
Pro audit program · v1.0

API Token & Secrets Audit

Leaked API tokens are a top breach vector. Check inventory, scoping, storage and rotation of personal access tokens and machine secrets.

  • General target area
  • CIS Controls framework
  • 6 controls in this program
  • Cyentrix · Trusted Author

About this program

This program covers the lifecycle of personal access tokens (PATs) and machine credentials across source-control, chat, cloud and CI platforms: inventory and ownership, least-privilege scoping, secret scanning, vault storage, expiry and rotation, and revocation when people leave or change roles. Each control states how to test it and what evidence to keep.

Risks addressed

  • Critical · A token leaked in a public repository grants an attacker production access
  • High · Long-lived tokens that never expire stay valid long after their purpose has ended
  • High · Tokens stored in plain text in CI/CD definitions, variables or logs

Controls (6)

  1. Inventory of API tokens / PATs · High

    How to test + evidence

    Testing procedure: Export the token list from each platform's admin console or API (GitHub, Slack, AWS, etc.), covering personal access tokens as well as machine credentials (service-account keys, deploy keys, bot tokens). Reconcile every token against a named owner and a stated purpose. A token with no owner, or whose owner is not in the staff directory, is a finding.

    Evidence to collect: Token inventory CSV (platform, token ID, owner, purpose, created, expiry, last used, scopes).

  2. Tokens scoped to least privilege · High

    How to test + evidence

    Testing procedure: Sample tokens from the inventory and compare the scopes granted with the scopes the token actually exercises (platform audit logs, or the integration's documented needs where logs are unavailable). Flag write or admin scopes on tokens that only read, and organisation-wide or wildcard grants where a repository- or resource-level grant would do.

    Evidence to collect: Token scope dump for the sample, with the granted-versus-used comparison.

  3. Secret scanning in repos + CI · Critical

    How to test + evidence

    Testing procedure: Confirm secret scanning is enabled on repositories and covers commit history, not only the current tree, since a secret removed in a later commit is still in the clone. Confirm pre-commit hooks and server-side push protection block commits containing known token patterns, and that CI pipelines scan build output and logs. Verify end to end with a canary: push a fake token matching a known pattern to a test repository and check that it is blocked or alerted on.

    Evidence to collect: Scanner configuration, hook and push-protection settings, and alerts from the last 30 days with how each was resolved.

  4. Secrets stored in a managed vault · Critical

    How to test + evidence

    Testing procedure: Search code, CI pipeline definitions, container images and config files for plaintext secrets. Confirm that CI variables holding secrets are marked secret and masked in logs, and that secrets are injected at run time from the managed vault rather than stored in the pipeline definition. Any secret found outside the vault is a finding and must be rotated, since it has to be treated as exposed.

    Evidence to collect: Vault coverage report (which secrets are vaulted versus found elsewhere) and the vault access policy.

  5. Token expiry / rotation policy · High

    How to test + evidence

    Testing procedure: Maximum token lifetime is documented (90 days for human tokens, shorter for machine credentials) and enforced by the platform where it supports expiry settings, not only by a written policy. Tokens with no expiry date, or whose age exceeds the limit, are findings.

    Evidence to collect: Token policy, platform expiry settings, and rotation log.

  6. Revoke tokens on offboarding · High

    How to test + evidence

    Testing procedure: The joiner-mover-leaver process explicitly revokes all PATs and machine credentials the leaver created, and rotates any shared secrets the leaver could have read; for movers, scopes are re-checked against the new role. Verify by checking a sample of recent leavers against the token inventory for credentials that are still active.

    Evidence to collect: JML checklist and revocation records for a sample of recent leavers.
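As an added worked example for control 3 (not code from the original program or from Cyentrix), the following Python script scans a staged diff for token shapes and high-entropy secret assignments, which is the check a pre-commit or push hook runs. The token patterns, the entropy threshold and the placeholder list are assumptions chosen for illustration; the diff it scans is constructed here and every value in it is fabricated.

```python
"""Pre-commit secret scanner over a unified diff (added example, not a product)."""
import math
import re
import sys
from dataclasses import dataclass
from typing import List, Optional

# Token-shape rules. Hypothetical starter set; a production scanner carries many more.
RULES = [
    ("GitHub classic PAT", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    ("GitHub fine-grained PAT",
     re.compile(r"\bgithub_pat_[A-Za-z0-9]{22}_[A-Za-z0-9]{59}\b")),
    ("AWS access key ID", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")),
    ("Slack token", re.compile(r"\bxox[abpr]-[0-9A-Za-z-]{10,}\b")),
]
# Generic rule: a secret-like name assigned a long quoted literal. Reported only when the
# literal is high-entropy, so ordinary strings do not trip it.
GENERIC = re.compile(
    r"(?i)(?:api[_-]?key|secret|token|passw(?:or)?d)\s*[:=]\s*['\"]([^'\"]{16,})['\"]"
)
ENTROPY_THRESHOLD = 3.5                                     # bits per char, assumed cut-off
PLACEHOLDERS = ("EXAMPLE", "CHANGEME", "${", "<", "xxxx")   # assumed markers of non-live values
HUNK = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


@dataclass(frozen=True)
class Finding:
    path: str
    line: int       # line number in the new version of the file
    rule: str
    snippet: str    # redacted, so the finding itself does not leak the secret


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty or single-symbol string)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    return value[:4] + "..." + value[-2:]


def is_placeholder(value: str) -> bool:
    return any(p in value for p in PLACEHOLDERS)


def check_line(path: str, lineno: int, content: str) -> List[Finding]:
    out: List[Finding] = []
    for name, rx in RULES:
        for m in rx.finditer(content):
            if not is_placeholder(m.group(0)):
                out.append(Finding(path, lineno, name, redact(m.group(0))))
    if out:
        return out  # a specific rule already explains this line; skip the generic one
    m = GENERIC.search(content)
    if m and not is_placeholder(m.group(1)) and shannon_entropy(m.group(1)) >= ENTROPY_THRESHOLD:
        out.append(Finding(path, lineno, "high-entropy secret assignment", redact(m.group(1))))
    return out


def scan_diff(diff_text: str) -> List[Finding]:
    """Scan added lines only: removed lines are not being committed."""
    findings: List[Finding] = []
    path: Optional[str] = None
    lineno = 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:]
            path = path[2:] if path.startswith("b/") else path
            continue
        if raw.startswith("--- ") or raw.startswith("\\"):
            continue
        m = HUNK.match(raw)
        if m:
            lineno = int(m.group(1))   # first new-file line number of this hunk
            continue
        if raw.startswith("-"):
            continue                   # removed line does not advance the new-file counter
        if raw.startswith("+"):
            findings.extend(check_line(path or "?", lineno, raw[1:]))
        lineno += 1                    # context and added lines both advance it
    return findings


# Constructed sample diff; the values match a pattern by shape only and are not real credentials.
SAMPLE_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -10,3 +10,6 @@ DEBUG = False
 ALLOWED_HOSTS = ["example.internal"]
-GITHUB_TOKEN = os.environ["GITHUB_TOKEN"]
+GITHUB_TOKEN = "ghp_0123456789abcdefghijABCDEFGHIJ012345"
+AWS_ACCESS_KEY_ID = "AKIAQ7XR2LMN4P8TV3KZ"
+DOCS_KEY = "AKIAIOSFODNN7EXAMPLE"  # documentation placeholder, must not fire
+DB_PASSWORD = "p4$sW0rd-Kj9!xQ2mZ7vL#bN"
 LOG_LEVEL = "info"
"""

if __name__ == "__main__":
    # As a hook: git diff --cached | python scan_staged.py ; a non-zero exit blocks the commit.
    diff = SAMPLE_DIFF if sys.stdin.isatty() else sys.stdin.read()
    found = scan_diff(diff)
    for f in found:
        print(f"{f.path}:{f.line}: {f.rule}: {f.snippet}")
    sys.exit(1 if found else 0)
```

Run against the sample it reports the GitHub PAT on line 11, the AWS key on line 12 and the high-entropy password on line 14, while the documentation placeholder on line 13 is suppressed. A hook built this way only sees what is staged now; the history scan the control also asks for has to walk every commit, because a secret removed in a later commit is still in the repository.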
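As an added worked example serving controls 1, 2, 5 and 6 together (not code from the original program or from Cyentrix), the Python below reconciles per-platform token exports against the staff directory and the lifetime policy and produces the findings an auditor would carry into the inventory CSV. The export fields, the 30-day machine lifetime, the 30-day staleness window, and the tokens, users and leavers are all assumptions constructed for illustration.

```python
"""Token inventory reconciliation: owners, expiry, lifetime, scope, offboarding (added example)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import FrozenSet, List, Optional, Set

# 90 days for human tokens is the control's figure; the 30-day machine lifetime and the
# 30-day staleness window are assumptions for this example.
MAX_LIFETIME = {"human": timedelta(days=90), "machine": timedelta(days=30)}
STALE_AFTER = timedelta(days=30)


@dataclass(frozen=True)
class Token:
    platform: str
    token_id: str
    owner: str                  # "" when the platform export carries no owner
    kind: str                   # "human" (PAT) or "machine" (service credential)
    created: date
    expires: Optional[date]     # None means the token never expires
    last_used: Optional[date]   # None means never used
    granted: FrozenSet[str]     # scopes granted
    used: FrozenSet[str]        # scopes actually exercised, from the platform audit log


@dataclass(frozen=True)
class Finding:
    platform: str
    token_id: str
    code: str
    detail: str = ""


def audit_token(t: Token, active: Set[str], leavers: Set[str], as_of: date) -> List[Finding]:
    out: List[Finding] = []

    def add(code: str, detail: str = "") -> None:
        out.append(Finding(t.platform, t.token_id, code, detail))

    # Controls 1 and 6: every token needs a named owner who still works here.
    if not t.owner:
        add("NO_OWNER")
    elif t.owner in leavers:
        add("OFFBOARDED_OWNER", t.owner)
    elif t.owner not in active:
        add("UNKNOWN_OWNER", t.owner)

    # Control 5: an expiry must exist and the lifetime must stay within policy.
    limit = MAX_LIFETIME[t.kind]
    if t.expires is None:
        add("NO_EXPIRY")
        lifetime = as_of - t.created      # no end date, so the age so far is the lifetime
    else:
        lifetime = t.expires - t.created
    if lifetime > limit:
        add("LIFETIME_EXCEEDED", f"{lifetime.days}d > {limit.days}d")

    # Control 2: compare granted scopes with the scopes the audit log shows in use.
    # A stale token has no usage to compare against and is a finding on its own.
    if t.last_used is None or as_of - t.last_used > STALE_AFTER:
        add("STALE", "never used" if t.last_used is None else f"last used {t.last_used}")
    else:
        unused = sorted(t.granted - t.used)
        if unused:
            add("OVERSCOPED", ",".join(unused))
    return out


def audit(tokens: List[Token], active: Set[str], leavers: Set[str], as_of: date) -> List[Finding]:
    return [f for t in tokens for f in audit_token(t, active, leavers, as_of)]


def inventory_csv(tokens: List[Token], findings: List[Finding]) -> str:
    """Evidence artefact for control 1: one row per token with its finding codes joined."""
    rows = ["platform,token_id,owner,kind,created,expires,last_used,findings"]
    for t in tokens:
        codes = ";".join(f.code for f in findings
                         if f.platform == t.platform and f.token_id == t.token_id)
        rows.append(",".join([t.platform, t.token_id, t.owner, t.kind, str(t.created),
                              str(t.expires or "never"), str(t.last_used or "never"), codes]))
    return "\n".join(rows)


# Constructed sample exports; IDs, names and dates are fabricated.
AS_OF = date(2024, 6, 30)
ACTIVE_USERS = {"alice", "bob", "ci-deploy"}
LEAVERS = {"carol"}
SAMPLE_TOKENS = [
    Token("github", "t1", "alice", "human", date(2024, 1, 15), None, date(2024, 6, 28),
          frozenset({"repo", "workflow", "admin:org"}), frozenset({"repo"})),
    Token("github", "t2", "bob", "human", date(2024, 5, 1), date(2024, 7, 30), date(2024, 6, 29),
          frozenset({"repo"}), frozenset({"repo"})),
    Token("aws", "t3", "ci-deploy", "machine", date(2024, 6, 20), None, date(2024, 6, 29),
          frozenset({"s3:write", "iam:admin"}), frozenset({"s3:write"})),
    Token("slack", "t4", "carol", "human", date(2024, 2, 1), date(2024, 5, 1), date(2024, 3, 10),
          frozenset({"chat:write"}), frozenset({"chat:write"})),
    Token("github", "t5", "", "human", date(2024, 6, 1), date(2024, 8, 30), None,
          frozenset({"repo"}), frozenset()),
]

if __name__ == "__main__":
    print(inventory_csv(SAMPLE_TOKENS, audit(SAMPLE_TOKENS, ACTIVE_USERS, LEAVERS, AS_OF)))
```

On the sample, t2 is clean, t1 has no expiry, has already outlived the 90-day limit and carries two scopes it never uses, t3 is a machine credential with no expiry and an unused admin scope, t4 belongs to someone who has left and has not been used in months, and t5 has no owner and has never been used. The scope comparison deliberately relies on the audit log rather than on what the owner says the token is for; where a platform offers no per-token usage log, the "used" set has to come from the integration's documented needs and the finding is weaker.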