The latest version of ThreatMapper, an open source security observability platform, now comes with a tool to scan for secrets in production workloads and maintain a runtime software bill of materials, says Deepfence, the company maintaining the tool.
ThreatMapper is a cloud-native tool security teams can use to scan, map, and rank vulnerabilities and other potential security issues in serverless, Kubernetes, container, and multicloud environments. Deepfence released ThreatMapper as an open source tool last October.
In the latest update, Deepfence added the popular SecretScanner tool to ThreatMapper to scan production workloads and container images in registries and report whether any secrets – such as API keys, passwords, encryption keys, authentication tokens, and other sensitive credentials – have been left behind. SecretScanner can look for over 140 different secret types, Deepfence says. With this capability, security teams get a complete list of all secrets exposed in the production environment. SecretScanner can be accessed through the ThreatMapper user interface as well as the API.
ThreatMapper 1.3.0 can also now enumerate a software bill of materials at runtime. By looking at what is actually running in production environments – packages, processes, and other activities – users can detect whether anything new has been added without their awareness.
Read more about the new features in ThreatMapper 1.3.0 from Deepfence.