* [Blog](https://www.paloaltonetworks.com/blog)
* [Cloud Security](https://www.paloaltonetworks.com/blog/cloud-security/)
* [Application Security](https://www.paloaltonetworks.com/blog/cloud-security/category/application-security/)
* Agentless Secrets Scannin...

# Agentless Secrets Scanning with Prisma Cloud

[](https://www.facebook.com/sharer/sharer.php?u=https%3A%2F%2Fwww.paloaltonetworks.com%2Fblog%2Fcloud-security%2Fagentless-secrets-scanning%2F)  
[](https://twitter.com/share?text=Agentless+Secrets+Scanning+with+Prisma+Cloud&url=https%3A%2F%2Fwww.paloaltonetworks.com%2Fblog%2Fcloud-security%2Fagentless-secrets-scanning%2F)  
[](https://www.linkedin.com/shareArticle?mini=true&url=https%3A%2F%2Fwww.paloaltonetworks.com%2Fblog%2Fcloud-security%2Fagentless-secrets-scanning%2F&title=Agentless+Secrets+Scanning+with+Prisma+Cloud&summary=&source=)  
[](https://www.paloaltonetworks.com//www.reddit.com/submit?url=https://www.paloaltonetworks.com/blog/cloud-security/agentless-secrets-scanning/&ts=markdown)  
\[\](mailto:?subject=Agentless Secrets Scanning with Prisma Cloud)  
Link copied  
By [Omri Cohen](https://www.paloaltonetworks.com/blog/author/omri-cohen/?ts=markdown "Posts by Omri Cohen")  
Oct 10, 2023  
5 minutes  
[Application Security](https://www.paloaltonetworks.com/blog/cloud-security/category/application-security/?ts=markdown)  
[AppSec](https://www.paloaltonetworks.com/blog/cloud-security/category/appsec/?ts=markdown)  
[Cloud Workload Protection](https://www.paloaltonetworks.com/blog/category/cloud-workload-protection/?ts=markdown)  
[Secrets scanning](https://www.paloaltonetworks.com/blog/tag/secrets-scanning/?ts=markdown)  
[Secrets Security](https://www.paloaltonetworks.com/blog/tag/secrets-security/?ts=markdown)

Passwords, encryption keys, API tokens --- protecting any confidential data that grants access to systems, applications, or data is paramount. All too commonly, though, access credentials are embedded in code or stored in plaintext files, leaving organizations vulnerable to security breaches. Given the extent of secrets sprawl and the mercurial landscape of cyberthreats, the need for [comprehensive secrets detection](https://www.paloaltonetworks.com/blog/prisma-cloud/secrets-security-across-files-repositories-pipelines/?ts=markdown) is greater than ever.

While scanning for secrets hidden within IaC or code repos is a good start, secrets can still make their way into deployed workloads, potentially exposing the organization to unauthorized access and compromise of data confidentiality. Effective secrets scanning requires a holistic approach from code to cloud.

The Prisma Cloud team is happy to announce our release of agentless secrets scanning, a new layer of protection designed to ensure your cloud workloads remain free from unintentional secrets exposure.

## The Need for Agentless

Agent-based solutions rely on partially effective methods for secrets detection. While they could uncover some secrets, these solutions are often too limited in scope and fail to provide complete coverage.

The primary issues with these traditional methods lie in their inability to efficiently scan for secrets across the entire filesystem due to the scan being resource intensive in nature, and the inability to scan non-running workloads. These two shortfalls leave organizations vulnerable to potential security breaches.

## Not All Agentless Solutions Are Equal

Because a secrets scanning solution is [agentless](https://www.paloaltonetworks.com/cyberpedia/what-is-the-difference-between-agent-based-and-agentless-security?ts=markdown) doesn't mean it's effective. Some agentless solutions rely on predefined directories or paths within the file system where secrets are traditionally expected to be stored. But this approach presents several issues:

1. Organizations may remain unaware of secrets until a specific path is recognized as one that should be scanned.
2. Exploits using a particular secrets path may exist in the wild before that path is included in the product.
3. If an application changes its default path for storing secrets, it can take time to detect and incorporate this change into the security product.
4. Users have the flexibility to use non-default paths for storing secrets.

## A New Approach to Secrets Detection

Users can now find secrets in production environments without having to deploy agents. In fact, this powerful feature is available out of the box with Prisma Cloud.

With agentless scanning by Prisma Cloud, organizations can confidently search for secrets hidden in plain sight within running and non-running workloads across all major cloud service providers such as AWS, GCP, Azure and OCI.

Agentless secrets scanning doesn't require additional configuration and is integrated seamlessly with the existing agentless scanning capabilities available within Prisma Cloud.
![Lab instance showing the percentage of workloads that contain secrets and the ability to dig down on a single workload](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/10/word-image-305901-1.png)
Figure 1: Lab instance showing the percentage of workloads that contain secrets and the ability to dig down on a single workload

## The Agentless Advantage

The key differentiator that sets agentless secrets scanning apart is its ability to operate in an offline manner --- it doesn't impact the performance of running instances. Unlike CPU and memory-intensive methods of scanning using agents and risking degradation of the production environment, this technology operates seamlessly without the need for resource-hungry agents. This means that organizations can conduct thorough secrets scans without compromising system performance or consuming excessive computing resources.

## Unparalleled Coverage

Prisma Cloud agentless secrets scanning offers extensive coverage and adaptability. In contrast to many other cybersecurity products, Prisma Cloud's agentless secrets scanning doesn't rely on predefined paths or directories within the filesystem where secrets are conventionally expected to be located.

Conducting searches for secrets throughout the entire filesystem, regardless of their potential hiding places helps increase coverage. This broader scope increases the effectiveness of detecting sensitive information and uncovering concealed vulnerabilities or latent security risks lurking within the system.

Additionally, the scanning capability supports detection of an unparalleled range of secret types, including application keys, private keys, passwords, API tokens, configuration files, cloud keys and credentials for all CSPs --- AWS Secret and Access Keys, Azure Service Principals, and GCP Service Account Auth Keys, to name a few.
![Secrets detected on a container image](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/10/word-image-305901-2.png)
Figure 2: Secrets detected on a container image ![Single secret detection entry](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/10/word-image-305901-3.png)
Figure 3: Single secret detection entry

By offering comprehensive coverage and cross-cloud compatibility, agentless secrets scanning represents a robust and adaptable approach to cybersecurity that addresses the evolving needs of modern organizations.

## Code-to-Cloud Secrets Scanning

In the era of [DevSecOps](https://www.paloaltonetworks.com/cyberpedia/what-is-devsecops?ts=markdown), with security integrated into the development process, agentless secrets scanning aligns perfectly with essential practices. [Prisma Cloud](https://www.paloaltonetworks.com/prisma/cloud/secrets-security?ts=markdown) offers a code-to-cloud approach, enabling teams to detect secrets throughout the development lifecycle --- and resolve secrets vulnerabilities before they're exploited.

Prisma Cloud's agentless secrets scanning represents a significant leap forward in secrets detection technology. And it's available for both SaaS and Compute Editions, making sure that organizations of all sizes can take advantage of this cutting-edge security feature.

## Learn More and Equip Your Team with Actionable Insights

Learn how to effectively eliminate exposed credentials, safeguard your cloud-native stack, and implement a comprehensive secrets management strategy with [6 Secret Security Tips for Cloud-Native Stacks](https://start.paloaltonetworks.com/secrets-management-checklist.html).

*** ** * ** ***

## Related Blogs

### [Application Security](https://www.paloaltonetworks.com/blog/cloud-security/category/application-security/?ts=markdown), [AppSec](https://www.paloaltonetworks.com/blog/cloud-security/category/appsec/?ts=markdown), [DevSecOps](https://www.paloaltonetworks.com/blog/cloud-security/category/devsecops/?ts=markdown)

[#### Application Security in the Cloud: Introducing a Modern Framework](https://www.paloaltonetworks.com/blog/cloud-security/ci-cd-pipeline-security-strategy/)

### [Application Security](https://www.paloaltonetworks.com/blog/cloud-security/category/application-security/?ts=markdown), [AppSec](https://www.paloaltonetworks.com/blog/cloud-security/category/appsec/?ts=markdown), [ASPM](https://www.paloaltonetworks.com/blog/cloud-security/category/aspm/?ts=markdown), [Cloud Security](https://www.paloaltonetworks.com/blog/category/cloud-security/?ts=markdown), [Partners](https://www.paloaltonetworks.com/blog/cloud-security/category/partners/?ts=markdown)

[#### Palo Alto Networks and Veracode: Unifying Application Security from Code to Cloud](https://www.paloaltonetworks.com/blog/cloud-security/application-security-veracode-partnership/)

### [Application Security](https://www.paloaltonetworks.com/blog/cloud-security/category/application-security/?ts=markdown), [AppSec](https://www.paloaltonetworks.com/blog/cloud-security/category/appsec/?ts=markdown), [Cloud Security](https://www.paloaltonetworks.com/blog/category/cloud-security/?ts=markdown), [Partners](https://www.paloaltonetworks.com/blog/cloud-security/category/partners/?ts=markdown)

[#### How Cortex Cloud and Semgrep Are Redefining AI-Driven Application Security](https://www.paloaltonetworks.com/blog/cloud-security/application-security-semgrep-partnership/)

### [API Security](https://www.paloaltonetworks.com/blog/cloud-security/category/api-security/?ts=markdown), [Application Security](https://www.paloaltonetworks.com/blog/cloud-security/category/application-security/?ts=markdown), [Cloud Workload Protection](https://www.paloaltonetworks.com/blog/category/cloud-workload-protection/?ts=markdown), [Cloud Workload Protection Platform](https://www.paloaltonetworks.com/blog/cloud-security/category/cloud-workload-protection-platform/?ts=markdown), [Code Security](https://www.paloaltonetworks.com/blog/cloud-security/category/code-security/?ts=markdown), [Code to Cloud](https://www.paloaltonetworks.com/blog/cloud-security/category/code-to-cloud/?ts=markdown)

[#### API Security and Threat Intelligence Reduce Attack Surface in Prisma Cloud Workload Protection Release](https://www.paloaltonetworks.com/blog/cloud-security/api-security-threat-intel-reduce-attack-surface/)

### [AppSec](https://www.paloaltonetworks.com/blog/cloud-security/category/appsec/?ts=markdown), [ASPM](https://www.paloaltonetworks.com/blog/cloud-security/category/aspm/?ts=markdown), [Cloud Security](https://www.paloaltonetworks.com/blog/category/cloud-security/?ts=markdown), [Code Security](https://www.paloaltonetworks.com/blog/cloud-security/category/code-security/?ts=markdown), [DevSecOps](https://www.paloaltonetworks.com/blog/cloud-security/category/devsecops/?ts=markdown), [Research](https://www.paloaltonetworks.com/blog/cloud-security/category/research/?ts=markdown)

[#### An Inside Look into ASPM: Five Findings from New Industry Research](https://www.paloaltonetworks.com/blog/cloud-security/aspm-research-omdia/)

### [Cloud NGFW](https://www.paloaltonetworks.com/blog/network-security/category/cloud-ngfw/?ts=markdown), [Cloud Workload Protection](https://www.paloaltonetworks.com/blog/category/cloud-workload-protection/?ts=markdown)

[#### The New Security Operating Model for Cloud and AI Workloads](https://www.paloaltonetworks.com/blog/network-security/the-new-security-operating-model-for-cloud-and-ai-workloads/)

### Subscribe to Cloud Security Blogs!

Sign up to receive must-read articles, Playbooks of the Week, new feature announcements, and more.
![spinner](https://www.paloaltonetworks.com/blog/wp-content/themes/panwblog2023/dist/images/ajax-loader.gif) Sign up  
Please enter a valid email.  
By submitting this form, you agree to our [Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use?ts=markdown) and acknowledge our [Privacy Statement](https://www.paloaltonetworks.com/legal-notices/privacy?ts=markdown). Please look for a confirmation email from us. If you don't receive it in the next 10 minutes, please check your spam folder.  
This site is protected by reCAPTCHA and the Google [Privacy Policy](https://policies.google.com/privacy) and [Terms of Service](https://policies.google.com/terms) apply.  
{#footer} {#footer}

## Products and Services

* [AI-Powered Network Security Platform](https://www.paloaltonetworks.com/network-security?ts=markdown)

* [Secure AI by Design](https://www.paloaltonetworks.com/precision-ai-security/secure-ai-by-design?ts=markdown)

* [Prisma AIRS](https://www.paloaltonetworks.com/prisma/prisma-ai-runtime-security?ts=markdown)

* [AI Access Security](https://www.paloaltonetworks.com/sase/ai-access-security?ts=markdown)

* [Cloud Delivered Security Services](https://www.paloaltonetworks.com/network-security/security-subscriptions?ts=markdown)

* [Advanced Threat Prevention](https://www.paloaltonetworks.com/network-security/advanced-threat-prevention?ts=markdown)

* [Advanced URL Filtering](https://www.paloaltonetworks.com/network-security/advanced-url-filtering?ts=markdown)

* [Advanced WildFire](https://www.paloaltonetworks.com/network-security/advanced-wildfire?ts=markdown)

* [Advanced DNS Security](https://www.paloaltonetworks.com/network-security/advanced-dns-security?ts=markdown)

* [Enterprise Data Loss Prevention](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown)

* [Enterprise IoT Security](https://www.paloaltonetworks.com/network-security/enterprise-device-security?ts=markdown)

* [Medical IoT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown)

* [Industrial OT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown)

* [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown)

* [Next-Generation Firewalls](https://www.paloaltonetworks.com/network-security/next-generation-firewall?ts=markdown)

* [Hardware Firewalls](https://www.paloaltonetworks.com/network-security/hardware-firewall-innovations?ts=markdown)

* [Software Firewalls](https://www.paloaltonetworks.com/network-security/software-firewalls?ts=markdown)

* [Strata Cloud Manager](https://www.paloaltonetworks.com/network-security/strata-cloud-manager?ts=markdown)

* [SD-WAN for NGFW](https://www.paloaltonetworks.com/network-security/sd-wan-subscription?ts=markdown)

* [PAN-OS](https://www.paloaltonetworks.com/network-security/pan-os?ts=markdown)

* [Panorama](https://www.paloaltonetworks.com/network-security/panorama?ts=markdown)

* [Secure Access Service Edge](https://www.paloaltonetworks.com/sase?ts=markdown)

* [Prisma SASE](https://www.paloaltonetworks.com/sase?ts=markdown)

* [Application Acceleration](https://www.paloaltonetworks.com/sase/app-acceleration?ts=markdown)

* [Autonomous Digital Experience Management](https://www.paloaltonetworks.com/sase/adem?ts=markdown)

* [Enterprise DLP](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown)

* [Prisma Access](https://www.paloaltonetworks.com/sase/access?ts=markdown)

* [Prisma Browser](https://www.paloaltonetworks.com/sase/prisma-browser?ts=markdown)

* [Prisma SD-WAN](https://www.paloaltonetworks.com/sase/sd-wan?ts=markdown)

* [Remote Browser Isolation](https://www.paloaltonetworks.com/sase/remote-browser-isolation?ts=markdown)

* [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown)

* [AI-Driven Security Operations Platform](https://www.paloaltonetworks.com/cortex?ts=markdown)

* [Cloud Security](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown)

* [Cortex Cloud](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown)

* [Application Security](https://www.paloaltonetworks.com/cortex/cloud/application-security?ts=markdown)

* [Cloud Posture Security](https://www.paloaltonetworks.com/cortex/cloud/cloud-posture-security?ts=markdown)

* [Cloud Runtime Security](https://www.paloaltonetworks.com/cortex/cloud/runtime-security?ts=markdown)

* [Prisma Cloud](https://www.paloaltonetworks.com/prisma/cloud?ts=markdown)

* [AI-Driven SOC](https://www.paloaltonetworks.com/cortex?ts=markdown)

* [Cortex XSIAM](https://www.paloaltonetworks.com/cortex/cortex-xsiam?ts=markdown)

* [Cortex XDR](https://www.paloaltonetworks.com/cortex/cortex-xdr?ts=markdown)

* [Cortex XSOAR](https://www.paloaltonetworks.com/cortex/cortex-xsoar?ts=markdown)

* [Cortex Xpanse](https://www.paloaltonetworks.com/cortex/cortex-xpanse?ts=markdown)

* [Unit 42 Managed Detection \& Response](https://www.paloaltonetworks.com/cortex/managed-detection-and-response?ts=markdown)

* [Managed XSIAM](https://www.paloaltonetworks.com/cortex/managed-xsiam?ts=markdown)

* [Threat Intel and Incident Response Services](https://www.paloaltonetworks.com/unit42?ts=markdown)

* [Proactive Assessments](https://www.paloaltonetworks.com/unit42/assess?ts=markdown)

* [Incident Response](https://www.paloaltonetworks.com/unit42/respond?ts=markdown)

* [Transform Your Security Strategy](https://www.paloaltonetworks.com/unit42/transform?ts=markdown)

* [Discover Threat Intelligence](https://www.paloaltonetworks.com/unit42/threat-intelligence-partners?ts=markdown)

## Company

* [About Us](https://www.paloaltonetworks.com/about-us?ts=markdown)
* [Careers](https://jobs.paloaltonetworks.com/en/)
* [Contact Us](https://www.paloaltonetworks.com/company/contact-sales?ts=markdown)
* [Corporate Responsibility](https://www.paloaltonetworks.com/about-us/corporate-responsibility?ts=markdown)
* [Customers](https://www.paloaltonetworks.com/customers?ts=markdown)
* [Investor Relations](https://investors.paloaltonetworks.com/)
* [Location](https://www.paloaltonetworks.com/about-us/locations?ts=markdown)
* [Newsroom](https://www.paloaltonetworks.com/company/newsroom?ts=markdown)

## Popular Links

* [Blog](https://www.paloaltonetworks.com/blog/?ts=markdown)
* [Communities](https://www.paloaltonetworks.com/communities?ts=markdown)
* [Content Library](https://www.paloaltonetworks.com/resources?ts=markdown)
* [Cyberpedia](https://www.paloaltonetworks.com/cyberpedia?ts=markdown)
* [Event Center](https://events.paloaltonetworks.com/)
* [Manage Email Preferences](https://start.paloaltonetworks.com/preference-center)
* [Products A-Z](https://www.paloaltonetworks.com/products/products-a-z?ts=markdown)
* [Product Certifications](https://www.paloaltonetworks.com/legal-notices/trust-center/compliance?ts=markdown)
* [Report a Vulnerability](https://www.paloaltonetworks.com/security-disclosure?ts=markdown)
* [Sitemap](https://www.paloaltonetworks.com/sitemap?ts=markdown)
* [Tech Docs](https://docs.paloaltonetworks.com/)
* [Unit 42](https://unit42.paloaltonetworks.com/)
* [Do Not Sell or Share My Personal Information](https://panwedd.exterro.net/portal/dsar.htm?target=panwedd)
  ![PAN logo](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/pan-logo-dark.svg)
* [Privacy](https://www.paloaltonetworks.com/legal-notices/privacy?ts=markdown)
* [Trust Center](https://www.paloaltonetworks.com/legal-notices/trust-center?ts=markdown)
* [Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use?ts=markdown)
* [Documents](https://www.paloaltonetworks.com/legal?ts=markdown)

Copyright © 2026 Palo Alto Networks. All Rights Reserved

* [![Youtube](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/youtube-black.svg)](https://www.youtube.com/user/paloaltonetworks)
* [![Podcast](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/icons/podcast.svg)](https://www.paloaltonetworks.com/podcasts/threat-vector?ts=markdown)
* [![Facebook](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/facebook-black.svg)](https://www.facebook.com/PaloAltoNetworks/)
* [![LinkedIn](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/linkedin-black.svg)](https://www.linkedin.com/company/palo-alto-networks)
* [![Twitter](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/twitter-x-black.svg)](https://twitter.com/PaloAltoNtwks)
* EN  
  Select your language