defectdojo

Audit result: Fail

Audited by Snyk on Feb 15, 2026

Risk Level: HIGH

Full Analysis

HIGH W008: Secret detected in skill content (API keys, tokens, passwords).

  • Secret detected (high risk: 1.00). I scanned for literal, directly usable credentials. I flagged the demo admin credential because it is a literal username/password pair that would grant access to the demo instance:
  • Found and flagged: "admin / 1Defectdojo@demo#appsec" (demo site https://demo.defectdojo.org). This is a concrete credential (username + password) and therefore a secret according to the given definition.

Items I intentionally ignored (not flagged) and why:

  • GUIDs / IDs (e.g., Tenant ID 3f7a3df4-f85b-4ca8-98d0-08b1034e6567, Application (Client) ID 79ada8c7-4270-41e8-9ea0-1e1e62afff3d): these are identifiers, not authentication secrets—documentation identifiers/public metadata.
  • Placeholders and examples (e.g., ${DEFECTDOJO_API_TOKEN}, <api-token>, your-api-token, <client-id>, <tenant-id>, YOUR_API_KEY, sk-xxxx): explicitly documentation placeholders per the rules.
  • Environment variable names and secret names (e.g., DEFECTDOJO_API_TOKEN, defectdojo-admin-password, defectdojo-secret-key): names only, no secret values.
  • Inline configuration that references Key Vault or secretKeyRef without exposing secret values.

Audit Metadata

Risk Level: HIGH
Analyzed: Feb 15, 2026, 09:27 PM