🔣 Sensitive Data
Escape scanners support a lot of different types of data. Here is a list of all the supported types, called scalars.
Scalar properties
Each scalar have a few key:
- Possible names: The different names the field containing it could have in the graphql API.
- Description: A short explaination of what it represent.
- Patterns: A regex or a value that can be used to detect if a returned value is of this type.
- Examples: Some examples of the scalar that can be used by Escape.
- Parents: The graphQL types this scalar is compatible with.
- Sensitivity: to which degree is this scalar a sensitive.
Date time
| Name | Description | Sensitivity |
|---|---|---|
| date | ISO 8601 date string | LOW |
| datetime | ISO 8601 date and time string | LOW |
| month | Month | LOW |
| time | ISO 8601 time string | LOW |
| timestamp | Timestamp | LOW |
| year | Year | LOW |
Finance
| Name | Description | Sensitivity |
|---|---|---|
| bank_account | International Bank Account Number | MEDIUM |
| bank_card | Credit Card Number | HIGH |
| bitcoin | Bitcoin address | MEDIUM |
| currency_code | Currency Code ISO 4217 | LOW |
| cvv | Credit Card Verification Value | HIGH |
| dash | Dash address | MEDIUM |
| e_commerce_indicator | e-Commerce Indicator | LOW |
| ethereum | Ethereum address | MEDIUM |
| monero | Monero address | MEDIUM |
| us_bank_account_number | US Bank Account Number | MEDIUM |
| us_bank_routing_number | US Bank Routing Number | MEDIUM |
| us_zip_code | US ZIP Code | LOW |
Hash
| Name | Description | Sensitivity |
|---|---|---|
| base64 | base64 hash | LOW |
| bcrypt | bCrypt hash | MEDIUM |
| md5 | MD5 hash | MEDIUM |
| sha1 | SHA1 hash | LOW |
| sha256 | SHA256 hash | LOW |
Personal
| Name | Description | Sensitivity |
|---|---|---|
| country_code | Country Code | LOW |
| driving_license | Driving License Number | MEDIUM |
| MEDIUM | ||
| gender | Gender | LOW |
| legal_name | Full legal name | LOW |
| passport | Passport Number | MEDIUM |
| password | Password | HIGH |
| phone | Phone Number | MEDIUM |
| street_address | Street Address | LOW |
| zip_code | Zip Code | LOW |
Secrets
| Name | Description | Sensitivity |
|---|---|---|
| adafruit_api_key | Adafruit API Key | HIGH |
| adobe_client_id | Adobe Client ID (OAuth Web) | HIGH |
| adobe_client_secret | Adobe Client Secret | HIGH |
| age_secret_key | Age secret key | HIGH |
| airtable_api_key | Airtable API Key | HIGH |
| algolia_api_key | Algolia API Key | HIGH |
| alibaba_access_key_id | Alibaba AccessKey ID | HIGH |
| alibaba_secret_key | Alibaba Secret Key | HIGH |
| asana_client_id | Asana Client ID | HIGH |
| asana_client_secret | Asana Client Secret | HIGH |
| atlassian_api_token | Atlassian API token | HIGH |
| aws_access_token | AWS | HIGH |
| beamer_api_token | Beamer API token | HIGH |
| bitbucket_client_id | Bitbucket Client ID | HIGH |
| bitbucket_client_secret | Bitbucket Client Secret | HIGH |
| bittrex_access_key | Bittrex Access Key | HIGH |
| bittrex_secret_key | Bittrex Secret Key | HIGH |
| clojars_api_token | Clojars API token | HIGH |
| codecov_access_token | Codecov Access Token | HIGH |
| coinbase_access_token | Coinbase Access Token | HIGH |
| confluent_access_token | Confluent Access Token | HIGH |
| confluent_secret_key | Confluent Secret Key | HIGH |
| contentful_delivery_api_token | Contentful delivery API token | HIGH |
| databricks_api_token | Databricks API token | HIGH |
| datadog_access_token | Datadog Access Token | HIGH |
| digitalocean_access_token | DigitalOcean OAuth Access Token | HIGH |
| digitalocean_pat | DigitalOcean Personal Access Token | HIGH |
| digitalocean_refresh_token | DigitalOcean OAuth Refresh Token | HIGH |
| discord_api_token | Discord API key | HIGH |
| discord_client_id | Discord client ID | HIGH |
| discord_client_secret | Discord client secret | HIGH |
| doppler_api_token | Doppler API token | HIGH |
| droneci_access_token | Droneci Access Token | HIGH |
| dropbox_api_token | Dropbox API secret | HIGH |
| dropbox_long_lived_api_token | Dropbox long lived API token | HIGH |
| dropbox_short_lived_api_token | Dropbox short lived API token | HIGH |
| duffel_api_token | Duffel API token | HIGH |
| dynatrace_api_token | Dynatrace API token | HIGH |
| easypost_api_token | EasyPost API token | HIGH |
| easypost_test_api_token | EasyPost test API token | HIGH |
| etsy_access_token | Etsy Access Token | HIGH |
| HIGH | ||
| fastly_api_token | Fastly API key | HIGH |
| finicity_api_token | Finicity API token | HIGH |
| finicity_client_secret | Finicity Client Secret | HIGH |
| finnhub_access_token | Finnhub Access Token | HIGH |
| flickr_access_token | Flickr Access Token | HIGH |
| flutterwave_encryption_key | Flutterwave Encryption Key | HIGH |
| flutterwave_public_key | Finicity Public Key | HIGH |
| flutterwave_secret_key | Flutterwave Secret Key | HIGH |
| frameio_api_token | Frame.io API token | HIGH |
| freshbooks_access_token | Freshbooks Access Token | HIGH |
| gcp_api_key | GCP API key | HIGH |
| generic_api_key | Generic API Key | HIGH |
| github_app_token | GitHub App Token | HIGH |
| github_fine_grained_pat | GitHub Fine-Grained Personal Access Token | HIGH |
| github_oauth | GitHub OAuth Access Token | HIGH |
| github_pat | GitHub Personal Access Token | HIGH |
| github_refresh_token | GitHub Refresh Token | HIGH |
| gitlab_pat | GitLab Personal Access Token | HIGH |
| gitlab_ptt | GitLab Pipeline Trigger Token | HIGH |
| gitlab_rrt | GitLab Runner Registration Token | HIGH |
| gitter_access_token | Gitter Access Token | HIGH |
| gocardless_api_token | GoCardless API token | HIGH |
| grafana_api_key | Grafana api key (or Grafana cloud api key) | HIGH |
| grafana_cloud_api_token | Grafana cloud api token | HIGH |
| grafana_service_account_token | Grafana service account token | HIGH |
| hashicorp_tf_api_token | HashiCorp Terraform user/org API token | HIGH |
| heroku_api_key | Heroku API Key | HIGH |
| hubspot_api_key | HubSpot API Token | HIGH |
| intercom_api_key | Intercom API Token | HIGH |
| jwt | JSON Web Token | HIGH |
| kraken_access_token | Kraken Access Token | HIGH |
| kucoin_access_token | Kucoin Access Token | HIGH |
| kucoin_secret_key | Kucoin Secret Key | HIGH |
| launchdarkly_access_token | Launchdarkly Access Token | HIGH |
| linear_api_key | Linear API Token | HIGH |
| linear_client_secret | Linear Client Secret | HIGH |
| linkedin_client_id | LinkedIn Client ID | HIGH |
| linkedin_client_secret | LinkedIn Client secret | HIGH |
| lob_api_key | Lob API Key | HIGH |
| lob_pub_api_key | Lob Publishable API Key | HIGH |
| mailchimp_api_key | Mailchimp API key | HIGH |
| mailgun_private_api_token | Mailgun private API token | HIGH |
| mailgun_pub_key | Mailgun public validation key | HIGH |
| mailgun_signing_key | Mailgun webhook signing key | HIGH |
| mapbox_api_token | MapBox API token | HIGH |
| mattermost_access_token | Mattermost Access Token | HIGH |
| messagebird_api_token | MessageBird API token | HIGH |
| messagebird_client_id | MessageBird client ID | HIGH |
| microsoft_teams_webhook | Microsoft Teams Webhook | HIGH |
| netlify_access_token | Netlify Access Token | HIGH |
| new_relic_browser_api_token | New Relic ingest browser API token | HIGH |
| new_relic_user_api_id | New Relic user API ID | HIGH |
| new_relic_user_api_key | New Relic user API Key | HIGH |
| npm_access_token | npm access token | HIGH |
| nytimes_access_token | Nytimes Access Token | HIGH |
| okta_access_token | Okta Access Token | HIGH |
| plaid_api_token | Plaid API Token | HIGH |
| plaid_client_id | Plaid Client ID | HIGH |
| plaid_secret_key | Plaid Secret key | HIGH |
| planetscale_api_token | PlanetScale API token | HIGH |
| planetscale_oauth_token | PlanetScale OAuth token | HIGH |
| planetscale_password | PlanetScale password | HIGH |
| postman_api_token | Postman API token | HIGH |
| prefect_api_token | Prefect API token | HIGH |
| private_key | Private Key | HIGH |
| pulumi_api_token | Pulumi API token | HIGH |
| pypi_upload_token | PyPI upload token | HIGH |
| rapidapi_access_token | RapidAPI Access Token | HIGH |
| readme_api_token | Readme API token | HIGH |
| rubygems_api_token | Rubygem API token | HIGH |
| sendbird_access_id | Sendbird Access ID | HIGH |
| sendbird_access_token | Sendbird Access Token | HIGH |
| sendgrid_api_token | SendGrid API token | HIGH |
| sendinblue_api_token | Sendinblue API token | HIGH |
| sentry_access_token | Sentry Access Token | HIGH |
| shippo_api_token | Shippo API token | HIGH |
| shopify_access_token | Shopify access token | HIGH |
| shopify_custom_access_token | Shopify custom access token | HIGH |
| shopify_private_app_access_token | Shopify private app access token | HIGH |
| shopify_shared_secret | Shopify shared secret | HIGH |
| sidekiq_secret | Sidekiq Secret | HIGH |
| sidekiq_sensitive_url | Sidekiq Sensitive URL | HIGH |
| slack_access_token | Slack token | HIGH |
| slack_web_hook | Slack Webhook | HIGH |
| square_access_token | Square Access Token | HIGH |
| squarespace_access_token | Squarespace Access Token | HIGH |
| stripe_access_token | Stripe private token | HIGH |
| sumologic_access_id | SumoLogic Access ID | HIGH |
| sumologic_access_token | SumoLogic Access Token | HIGH |
| telegram_bot_api_token | Telegram Bot API Token | HIGH |
| travisci_access_token | Travis CI Access Token | HIGH |
| twilio_api_key | Twilio API Key | HIGH |
| twitch_api_token | Twitch API token | HIGH |
| twitter_access_secret | Twitter Access Secret | HIGH |
| twitter_access_token | Twitter Access Token | HIGH |
| twitter_api_key | Twitter API Key | HIGH |
| twitter_api_secret | Twitter API Secret | HIGH |
| twitter_bearer_token | Twitter Bearer Token | HIGH |
| typeform_api_token | Typeform API token | HIGH |
| vault_batch_token | Vault Batch Token | HIGH |
| vault_service_token | Vault Service Token | HIGH |
| yandex_access_token | Yandex Access Token | HIGH |
| yandex_api_key | Yandex API Key | HIGH |
| yandex_aws_access_token | Yandex AWS Access Token | HIGH |
| zendesk_secret_key | Zendesk Secret Key | HIGH |
Technology
| Name | Description | Sensitivity |
|---|---|---|
| host | Host name (IP or DNS) | MEDIUM |
| ipv4 | IPv4 address | MEDIUM |
| ipv6 | IPv6 address | MEDIUM |
| json | JSON string | LOW |
| language_iso_639_1 | Language | LOW |
| language_iso_639_2 | Language ISO 639-2 | LOW |
| path | Disk or URL Path | LOW |
| port | Port number | LOW |
| protocol | Protocol | LOW |
| secret | Secret | HIGH |
| status_code | Status Code | LOW |
| url | A URL as defined by RFC 1738 | LOW |
| uuid | Universally Unique Identifier | LOW |
| version | Version Number | LOW |
Custom Sensitive Data Types
It's possible to write custom scalar or override existing one using the escaperc:
{
"scalars": {
"custom_scalar_identifier": {
"description": **value**,
"examples": ['**value**'],
"names": ['**value**'],
"parents": ['ID | Int | String | Boolean | Float'],
"patterns": ['**value**'],
"sensitivity": 0 | 1 | 2 | 3,},
}
}
description
The description for the scalar
Example
{'description': '**value**'}
examples
Example of values for the scalar (used in the explore as default values). Careful values inputed here will be ignored by the checks
Example
{'examples': ['**value**']}
names
The possible names for the scalar
Example
{'names': ['**value**']}
parents
The graphql default type it's compatible with
Example
{'parents': ['ID | Int | String | Boolean | Float']}
patterns
The possible values for the scalar (regex friendly) (used for the checks)
Example
{'patterns': ['**value**']}
sensitivity
The sensitivity of the data Must be one of [0, 1, 2, 3]
Example
{'sensitivity': '0 | 1 | 2 | 3'}