Secrets Scanner for Confluence
Find exposed credentials before attackers do.
Secrets Scanner is a Confluence Cloud admin app that automatically scans your spaces for accidentally shared API keys, passwords, tokens, and other sensitive credentials. It runs entirely within Atlassian's Forge platform — no external servers, no data leaving your Atlassian environment.
What It Does
Teams often paste credentials into Confluence pages during incidents, onboarding, or documentation sprints. Secrets Scanner continuously monitors your spaces and flags those exposures before they become a security incident.
Scan individual spaces or all spaces at once with one click
Results persist across sessions so nothing gets lost between visits
Findings are sorted by severity and capped at 500 per space
Raw credential values are never stored — only redacted, context-preserving summaries
What It Scans
Secrets Scanner inspects four content types on every page:
Page body — the current version of every page in a space
Page history — up to the full version history, with consecutive versions carrying the same secret grouped into a single finding
Footer comments — all threaded comments on each page
Attachments — text-based file attachments (JSON, YAML, shell scripts, SQL, and more) up to 512 KB
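The page-history rule above (consecutive versions carrying the same secret become one finding with a version range) is easy to get subtly wrong, so here is an added example of that grouping. It is not the app's own code. Assumptions: a version is an object of the form {number, body}, a single AWS access key ID regex stands in for the full pattern set, and the sample versions are constructed for the example.

```javascript
// Added example (not the app's own code): group consecutive page versions that carry
// the same secret into one finding with a version range, as the page-history scan does.
// Assumptions: a version is {number, body}; one AWS access key ID regex stands in for
// the full pattern set; the sample versions below are constructed.

const AWS_ACCESS_KEY_ID = /\bAKIA[0-9A-Z]{16}\b/g;

// Keep only the first and last four characters; the raw value is never stored.
function redact(value) {
  if (value.length <= 8) return "*".repeat(value.length);
  return value.slice(0, 4) + "*".repeat(value.length - 8) + value.slice(-4);
}

// Distinct secrets present in one version's body.
function secretsIn(body) {
  return new Set(body.match(AWS_ACCESS_KEY_ID) || []);
}

// versions: array of {number, body} in any order.
// Returns one finding per unbroken run of consecutive versions containing a secret.
function groupHistoryFindings(versions) {
  const sorted = [...versions].sort((a, b) => a.number - b.number);
  const open = new Map(); // raw value -> finding still being extended (in memory only)
  const findings = [];
  let prev = null;
  for (const v of sorted) {
    const present = secretsIn(v.body);
    // A gap in version numbers (deleted versions) also ends every open run.
    const gap = prev !== null && v.number !== prev + 1;
    for (const [secret, f] of open) {
      if (gap || !present.has(secret)) {
        findings.push(f);
        open.delete(secret);
      }
    }
    for (const secret of present) {
      const f = open.get(secret);
      if (f) {
        f.lastVersion = v.number; // same secret, next consecutive version: extend the run
      } else {
        open.set(secret, {
          type: "AWS Access Key",
          matchedText: redact(secret),
          firstVersion: v.number,
          lastVersion: v.number,
        });
      }
    }
    prev = v.number;
  }
  findings.push(...open.values()); // runs still open in the latest version
  return findings
    .map((f) => ({
      ...f,
      versionRange: f.firstVersion === f.lastVersion
        ? String(f.firstVersion)
        : `${f.firstVersion}-${f.lastVersion}`,
    }))
    .sort((a, b) => a.firstVersion - b.firstVersion);
}

// Constructed sample history: key 1 lives in v2-v3, is removed in v4, and both keys
// are pasted back in v5 before being removed again in v6.
const SAMPLE_VERSIONS = [
  { number: 1, body: "Runbook draft." },
  { number: 2, body: "Runbook. Key: AKIAEXAMPLEKEY000001" },
  { number: 3, body: "Runbook. Key: AKIAEXAMPLEKEY000001 (rotate this)" },
  { number: 4, body: "Runbook. Key removed from page." },
  { number: 5, body: "Pasted again: AKIAEXAMPLEKEY000001 and AKIAEXAMPLEKEY000002" },
  { number: 6, body: "Both keys removed." },
];

console.log(JSON.stringify(groupHistoryFindings(SAMPLE_VERSIONS), null, 2));
```

Running the sample yields three findings: key 1 for versions 2-3, key 1 again for version 5 (a new finding, because it was absent in version 4), and key 2 for version 5. A secret that disappears and reappears is therefore reported twice, which is what you want when deciding whether a rotation actually happened.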
Secret Patterns Detected
The app detects 25 secret patterns across three severity levels:
High Severity
AWS Access Key, AWS Client ID, AWS MWS Key, AWS Secret Access Key
Azure Storage Account Key
GitHub Token, GitHub Fine-Grained Token
Google API Key, Google OAuth Access Token
GCP Service Account Key
Slack Token
Stripe Live Key
Twilio Auth Token
HL7 / FHIR API Token
Database Connection String (PostgreSQL, MySQL, MongoDB, JDBC, MSSQL)
Basic Auth URL (credentials embedded in a URL)
Private Key Block (RSA, EC, PKCS8, and others)
Medium Severity
JWT Token
Generic API Key
Generic Password
Generic Secret
Password / Secret Assignment
Google OAuth URL
Low Severity
High-Entropy String (base64-like strings with Shannon entropy above 4.5)
SSH Public Key (disabled by default)
Every pattern can be individually toggled on or off in the Configuration tab. Changes take effect on the next scan.
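To make the pattern list above concrete, here is an added example of a minimal scanner that is not the app's own code. It covers three of the listed classes (Basic Auth URL, Private Key Block, High-Entropy String), honours per-pattern toggles, applies the 4.5 bits/character Shannon-entropy threshold to base64-like strings, redacts the matched value, and keeps 150 characters of context on each side as the Results View describes. The regexes, the 20-character minimum for entropy candidates, the redaction rule, and the sample page text are assumptions made for this example.

```javascript
// Added example (not the app's own code): a minimal scanner over page text showing
// three of the pattern classes listed above, per-pattern enable/disable, the
// Shannon-entropy filter for base64-like strings, redaction of the matched value,
// and capture of 150 characters of context on each side of the match.
// The regexes, the 20-character minimum for entropy candidates and the sample
// page text are assumptions constructed for this example.

// Shannon entropy in bits per character.
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Keep the first and last four characters so the preview stays recognisable
// without storing the raw value.
function redact(value) {
  if (value.length <= 8) return "*".repeat(value.length);
  return value.slice(0, 4) + "*".repeat(value.length - 8) + value.slice(-4);
}

const PATTERNS = [
  { type: "Basic Auth URL", severity: "HIGH",
    regex: /\b[a-z][a-z0-9+.-]*:\/\/[^\s\/:@]+:[^\s\/@]+@[^\s\/]+/gi },
  { type: "Private Key Block", severity: "HIGH",
    regex: /-----BEGIN (?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY-----[\s\S]*?-----END (?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY-----/g },
  { type: "High-Entropy String", severity: "LOW",
    regex: /\b[A-Za-z0-9+\/]{20,}={0,2}/g,
    // Base64-like runs are only reported above 4.5 bits/char, so repetitive or
    // dictionary-like strings of the same length are ignored.
    accept: (m) => shannonEntropy(m) > 4.5 },
];

const SEVERITY_RANK = { HIGH: 0, MEDIUM: 1, LOW: 2 };

// Scan one page body. `enabled` mirrors the per-pattern toggles: a pattern that is
// switched off is never evaluated.
function scanText(text, enabled = new Set(PATTERNS.map((p) => p.type)), contextRadius = 150) {
  const hits = [];
  for (const p of PATTERNS) {
    if (!enabled.has(p.type)) continue;
    for (const m of text.matchAll(p.regex)) {
      if (p.accept && !p.accept(m[0])) continue;
      hits.push({ type: p.type, severity: p.severity, start: m.index, end: m.index + m[0].length, raw: m[0] });
    }
  }
  // Highest severity first; drop a match that lies inside an already-kept span, so the
  // base64 body of a private key is not reported a second time as a high-entropy string.
  hits.sort((a, b) => SEVERITY_RANK[a.severity] - SEVERITY_RANK[b.severity] || a.start - b.start);
  const kept = [];
  for (const h of hits) {
    if (kept.some((k) => k.start <= h.start && h.end <= k.end)) continue;
    kept.push(h);
  }
  // Only the redacted preview and the surrounding context leave this function.
  return kept.map((h) => ({
    type: h.type,
    severity: h.severity,
    matchedText: redact(h.raw),
    contextBefore: text.slice(Math.max(0, h.start - contextRadius), h.start),
    contextAfter: text.slice(h.end, h.end + contextRadius),
  }));
}

// Constructed sample page body (no real credentials).
const SAMPLE_PAGE = [
  "Incident runbook (constructed sample page).",
  "DB is reachable at postgres://svc_reporting:Tr0ub4dor&3@db.internal:5432/reports",
  "Deploy key used during the incident:",
  "-----BEGIN RSA PRIVATE KEY-----",
  "MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC",
  "-----END RSA PRIVATE KEY-----",
  "Session token seen in logs: Zm9vYmFyYmF6cXV4MTIzNDU2Nzg5MGFiY2RlZg==",
  "Commit hash: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
].join("\n");

console.log(JSON.stringify(scanText(SAMPLE_PAGE), null, 2));
```

On the sample page this reports three findings, ordered HIGH before LOW: the embedded database credential, the private key block, and the base64 token. The forty-character run of "a" has zero entropy and is skipped, and the key's base64 body is swallowed by the private key span rather than double-counted. Passing a smaller enabled set reproduces the Configuration tab toggles: with High-Entropy String switched off only the two HIGH findings remain.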
Compliance Mapping
Each finding is mapped to the relevant control in three compliance frameworks, available in the Overview → Compliance Report tab and exportable as CSV.
SOC 2 — Trust Services Criteria Covers CC6.1 (logical access controls), CC6.2 (authentication mechanisms), and CC6.7 (confidentiality). Exposed credentials are direct access-control failures that auditors flag during TSC assessments.
ISO 27001:2022 — Annex A Controls A.5.17 (authentication information management) and A.8.24 (use of cryptography) are violated when secrets appear in documentation systems.
HIPAA — Security Rule Technical Safeguards 45 CFR § 164.312 requires technical safeguards for electronic protected health information (ePHI). Exposed credentials risk unauthorised access to systems that store or transmit PHI. Specific controls include § 164.312(a)(1) Access Control and § 164.312(e)(2)(ii) Encryption & Decryption.
Dashboard
The Dashboard lists every Confluence space with its current scan status, finding count, and last scanned time. From here you can:
Scan — start a scan on a single space
Scan All Spaces — queue scans for every space simultaneously
View Results — drill into findings for any scanned space
Export All Findings — download a CSV of every finding across all scanned spaces
Reset — clear a scan that is stuck or that you want to rerun from scratch
Scans run entirely in the background via a Forge event queue. You can close the tab and return later — results are saved automatically.
Results View
When you open a space's results, each finding shows:
Severity — HIGH, MEDIUM, or LOW
Type — the matched secret pattern
Page — a direct link to the Confluence page where the secret was found
Page Version — if the secret was found in a historical version, the version number or range is shown
Content Type — page body, comment, or attachment
Matched Text — a redacted preview of the matched string
Click View Detail on any finding to see the surrounding context (the 150 characters before and after the match), compliance framework mappings, and a direct link to the exact page version.
Export findings for a single space using the Export CSV button.
Overview
The Overview section provides a cross-space security posture summary, refreshed automatically on every visit.
Overview Report tab
KPI cards: total secrets, high-severity count, spaces at risk, and average Mean Time to Resolve (MTTR)
Severity breakdown with relative bar charts
Findings over time — a cumulative trend chart and table showing how your exposure count has changed across scan dates
Top Risky Spaces — up to 10 spaces ranked by finding count, with trend indicators and MTTR per space
Compliance Report tab
Findings broken down by SOC 2, ISO 27001, and HIPAA
For each framework: affected controls, triggered patterns, and finding count
Export a compliance-mapped CSV for use in audit evidence packages
Scheduled Automation
In Configuration → Automation, you can enable automatic recurring scans across all spaces without any manual intervention.
Toggle scheduled scanning on or off
Set any valid 5-field UTC cron expression (minute · hour · day-of-month · month · day-of-week)
Use quick presets: Daily at 2 AM, Weekly on Monday, Every 6 hours, or Monthly on the 1st
The UI previews the next scheduled run time as you type
The last automated scan's status (success or failure) is shown with its timestamp
Note: The Forge platform fires triggers every 5 minutes. Scans may start up to 5 minutes after the exact cron time. The minimum effective interval is every 5 minutes — shorter expressions behave identically to */5.
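The scheduling rules above (5-field UTC cron, a next-run preview, and a trigger that only fires every 5 minutes) are worth seeing worked through, so here is an added example that is not the app's own code. It parses the expression, computes the next run as a preview would, and models the 5-minute trigger to show why a scan can start late and why any shorter cadence collapses to every 5 minutes. The supported syntax ("*", "*/n", "a", "a-b", "a-b/n" and comma lists), the trigger model, and the sample times are assumptions.

```javascript
// Added example (not the app's own code): parse a 5-field UTC cron expression, compute
// the next run for a "next scheduled run" preview, and model the effect of a platform
// trigger that fires every 5 minutes. The supported syntax ("*", "*/n", "a", "a-b",
// "a-b/n", comma lists), the trigger model and the sample times are assumptions.

const FIELD_RANGES = [[0, 59], [0, 23], [1, 31], [1, 12], [0, 6]]; // minute hour dom month dow

// Expand one field into the set of values it allows, validating against [lo, hi].
function parseField(spec, [lo, hi]) {
  const allowed = new Set();
  for (const part of spec.split(",")) {
    const [range, stepStr] = part.split("/");
    const step = stepStr === undefined ? 1 : Number(stepStr);
    let start = lo, end = hi;
    if (range !== "*") {
      const [a, b] = range.split("-").map(Number);
      start = a;
      end = b !== undefined ? b : (stepStr === undefined ? a : hi); // "a/n" runs from a to the top
    }
    if (![step, start, end].every(Number.isInteger) || step < 1 || start < lo || end > hi || start > end) {
      throw new Error(`invalid cron field: ${spec}`);
    }
    for (let v = start; v <= end; v += step) allowed.add(v);
  }
  return allowed;
}

function parseCron(expr) {
  const f = expr.trim().split(/\s+/);
  if (f.length !== 5) throw new Error("expected 5 fields: minute hour day-of-month month day-of-week");
  const [minute, hour, dom, month, dow] = f.map((s, i) => parseField(s, FIELD_RANGES[i]));
  return { minute, hour, dom, month, dow, domStar: f[2] === "*", dowStar: f[4] === "*" };
}

// Vixie-cron day semantics: when both day fields are restricted, either may match.
function matches(sched, date) {
  const domOk = sched.dom.has(date.getUTCDate());
  const dowOk = sched.dow.has(date.getUTCDay());
  const dayOk = sched.domStar || sched.dowStar ? domOk && dowOk : domOk || dowOk;
  return dayOk && sched.minute.has(date.getUTCMinutes()) && sched.hour.has(date.getUTCHours())
    && sched.month.has(date.getUTCMonth() + 1);
}

// Next matching minute strictly after `from`, found by walking forward a minute at a time.
function nextRun(expr, from) {
  const sched = parseCron(expr);
  const t = new Date(from);
  t.setUTCSeconds(0, 0);
  t.setUTCMinutes(t.getUTCMinutes() + 1);
  for (let i = 0; i < 366 * 24 * 60; i++) {
    if (matches(sched, t)) return new Date(t);
    t.setUTCMinutes(t.getUTCMinutes() + 1);
  }
  throw new Error("no run within a year");
}

// Model of the platform trigger: a tick every `tickMinutes`; at each tick a scan starts
// if any minute since the previous tick matched. This is why a scan can start up to
// 5 minutes after the cron time and why "* * * * *" behaves like "*/5 * * * *".
function scansFired(expr, windowStart, windowMinutes, tickMinutes = 5) {
  const sched = parseCron(expr);
  const fired = [];
  let since = windowStart.getTime();
  for (let m = tickMinutes; m <= windowMinutes; m += tickMinutes) {
    const tick = windowStart.getTime() + m * 60000;
    let due = false;
    for (let t = since + 60000; t <= tick; t += 60000) {
      if (matches(sched, new Date(t))) { due = true; break; }
    }
    if (due) fired.push(new Date(tick).toISOString());
    since = tick;
  }
  return fired;
}

const NOW = new Date("2024-03-04T12:00:00Z"); // constructed reference time (a Monday)
console.log("daily at 02:00 ->", nextRun("0 2 * * *", NOW).toISOString());
console.log("every minute:", scansFired("* * * * *", new Date("2024-03-04T00:00:00Z"), 60).length, "scans per hour");
console.log("02:00 seen by 5-minute ticks ->", scansFired("0 2 * * *", new Date("2024-03-04T01:52:00Z"), 30));
```

With the constructed tick phase starting at 01:52, the 02:00 job is picked up by the 02:02 tick, and "* * * * *" produces exactly the 12 scans per hour that "*/5 * * * *" does. The walk-forward search is deliberately simple; a year of minutes is well within budget for a preview, and it sidesteps the calendar edge cases (month lengths, day-of-week versus day-of-month) that bite hand-rolled arithmetic.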
Requirements
Confluence Cloud
A valid Atlassian Marketplace license
The app requires the following Confluence permissions, requested at install time:
Permission | Purpose
Read spaces | List all Confluence spaces
Read pages | Read page content and version history
Read comments | Read footer comments
Read attachments | Read attachment metadata and content
App storage | Save scan results, history, and configuration
Privacy and Security
Secrets Scanner does not transmit any data outside your Atlassian environment. All scanning, storage, and processing runs on Atlassian's Forge infrastructure. Raw credential values are never persisted — only a redacted preview and the surrounding context are stored.
Support
For bug reports or feature requests, contact us via the Atlassian Marketplace listing page.