bisaacs
Product Team
1 month ago

Stop Guessing, Start Securing: New Secrets Validation for WAS

Finding a leaked credential in your web application is a bad day. Finding out that credential is live and grants access to your GitHub or cloud environment? That’s a crisis.

To help you distinguish between a harmless string of text and a major security hole, we’ve launched Secrets Validation for Tenable Web App Scanning (WAS).

Turn maybe into action

You no longer have to manually test every API key or token your scanner unearths. When Tenable WAS identifies a sensitive credential—like a GitHub token—it now goes a step further. Our Validated Secret Detected plugin safely attempts to connect to the service to verify if that secret is live and exploitable.

Why this matters for you:

  • Prioritize with confidence: You can stop chasing "dead" keys and focus your remediation efforts on secrets that actually pose a real-world risk.
  • Clear visibility: If a secret is valid, we flag it clearly in your results, giving you the evidence you need to escalate the fix immediately.
  • Broadening coverage: We are continuously expanding validation support across our existing library of detected secrets.

How to get started

You can find the full setup details in our Secrets Validation documentation. This feature enhances the detection capabilities already found in these key plugins:
