Xygeni.io user / organization token

ID: xygeni_opaque_token

Severity: high

Vendor: Xygeni.io

Family: API Token

Description

Xygeni is a platform for improving the Software Supply Chain Security posture for organizations.

This detector looks for the Xygeni User/Organization Token used for authentication with the Xygeni API.

Security

Any hardcoded Xygeni.io user/organization token is a potential secret reported by this detector.

Accidentally checking the token in to a source control repository could compromise your Xygeni.io account, allowing an external person to access your supply chain vulnerability information.

Examples

xyu_5f4438ea9130e29052aec88286c446648593859f06ad65b400ea3716e601d9ee
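The example above shows the token shape this detector looks for. The following is an added illustration (not Xygeni's or the detector's own code) of a minimal scanner for that shape: it assumes, from the single example on this page, that a token is the literal prefix `xyu_` followed by 64 lowercase hexadecimal characters, and it redacts any finding so a report can identify the hit without re-leaking the secret. The sample input is constructed and includes the page's example token, a too-short near-miss, and a line that references the token from an environment variable instead of hardcoding it.

```python
import re

# Token shape assumed from the page's single example: "xyu_" + 64 lowercase hex
# characters. The exact length and alphabet are an assumption, not a documented spec.
XYGENI_TOKEN_RE = re.compile(r"(?<![A-Za-z0-9_])(xyu_[0-9a-f]{64})(?![A-Za-z0-9])")

# Constructed sample file contents (not real configuration).
SAMPLE = """\
# constructed sample: a CI config that embeds the token from the page's Examples section
XYGENI_TOKEN=xyu_5f4438ea9130e29052aec88286c446648593859f06ad65b400ea3716e601d9ee
# constructed near-miss: same prefix but only 32 hex characters, must not match
XYGENI_TOKEN=xyu_5f4438ea9130e29052aec88286c44664
# correct practice: read the token from a secret store instead of hardcoding it
XYGENI_TOKEN=${{ secrets.XYGENI_TOKEN }}
"""


def find_xygeni_tokens(text: str) -> list[tuple[int, str]]:
    """Return (line_number, token) for every candidate token found in text.

    Lines are numbered from 1 so a finding can be mapped back to the file.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in XYGENI_TOKEN_RE.finditer(line):
            findings.append((lineno, match.group(1)))
    return findings


def redact(token: str) -> str:
    """Keep the prefix and the last four characters; mask everything in between.

    Enough survives to tell two findings apart, but the full secret is not written
    into logs or tickets.
    """
    return token[:4] + "*" * (len(token) - 8) + token[-4:]


def report(text: str) -> list[str]:
    """Produce one human-readable, redacted report line per finding."""
    return [f"line {lineno}: xygeni_opaque_token {redact(tok)}"
            for lineno, tok in find_xygeni_tokens(text)]


if __name__ == "__main__":
    for line in report(SAMPLE):
        print(line)
```

Only the hardcoded token on line 2 of the sample is reported; the truncated value and the environment-variable reference are ignored. A real detector would also scan binary-safe and across file types, but the boundary lookarounds here already avoid matching a token that is merely a substring of a longer identifier.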

Mitigation / Fix

  1. Follow your policy for handling leaked secrets, which typically requires revoking the secret in the target system(s). Go to your Xygeni Profile, where you can revoke the leaked token and create a new one. Copy the new token immediately, as it will not be shown again.

  2. Replace all references to the old token with the new one in your CI/CD pipelines and scripts.

  3. (Optional) Remove the token from the source code or committed configuration file.

You should consider any sensitive data in commits with secrets as compromised.

Remember that secrets may be removed from history in your projects, but not in other users' cloned or forked repositories.

Reference