Output Format
Secret Scan Results
The plugin generates secret scan results in the following standardized format:
{
  "type": "secret",
  "timestamp": "2025-12-15T12:13:41-05:00",
  "urn": "urn:secret:name:test/database/mysql-prod:5eba86d3-c1be-47dc-95ee-0da8d188fd76",
  "url": "https://console.aws.amazon.com/secretsmanager/home?region=us-east-1#/secret?name=arn:aws:secretsmanager:us-east-1:558162184545:secret:test/database/mysql-prod-bpkYrP",
  "extra": {
    "account_id": "558162184545",
    "created_date": "2025-10-22T18:29:42Z",
    "current_version": "5eba86d3-c1be-47dc-95ee-0da8d188fd76",
    "description": "Production MySQL database credentials",
    "expiration_date": "",
    "last_access_time": "",
    "last_modified_date": "2025-10-22T18:29:43Z",
    "name": "test/database/mysql-prod",
    "platform_type": "aws",
    "region": "us-east-1",
    "revision": "5eba86d3-c1be-47dc-95ee-0da8d188fd76",
    "rotation": {
      "enabled": false
    },
    "status": "active",
    "version_count": 1
  }
}
URN Generation: The urn field is generated using the secret name and current version ID for uniqueness and consistency.
Error Output: If an error occurs, the plugin outputs a structured JSON object with error details under data.errorDetails and a summary message in data.errorMessage.
Field Descriptions
- type: Always "secret" for secret assets
- timestamp: RFC3339 timestamp of when the scan was performed (e.g., "2024-08-25T10:30:00-04:00"). May include a timezone offset or Z for UTC, depending on system configuration.
- urn: Unique identifier generated from secret name and version
- url: Direct link to secret in AWS Console
- extra: Additional metadata from Secrets Manager (see Extra Fields section below)
Extra Fields
The extra object contains AWS-specific metadata about the secret. The following fields are included:
Standard Fields (Always Included)
- platform_type (string): Always "aws", indicating the secret is from AWS Secrets Manager
- name (string): Name/identifier of the secret (e.g., "test/database/mysql-prod")
- created_date (string): ISO 8601 timestamp of when the secret was created (e.g., "2025-10-22T18:29:42Z")
- last_modified_date (string): ISO 8601 timestamp of when the secret was last modified (e.g., "2025-10-22T18:29:43Z")
- expiration_date (string): ISO 8601 timestamp of when the secret expires or was deleted (empty string if not applicable)
- status (string): Current secret state (values: "active", "deleted")
- rotation (object): Secret rotation configuration
  - enabled (boolean): Whether automatic rotation is enabled
  - next_rotation_date (string): ISO 8601 timestamp of the next scheduled rotation (only present when rotation is enabled)
  - lambda_arn (string): ARN of the Lambda function used for rotation (only present when rotation is enabled)
  - rotation_rules (object): Rotation schedule rules (only present when rotation is enabled)
    - automatically_after_days (integer): Number of days between automatic rotations
    - duration (string): Duration window for rotation
    - schedule_expression (string): Cron or rate expression for rotation schedule
- revision (string): Current version ID of the secret (UUID format)
- current_version (string): Current version ID of the secret (same as revision, UUID format)
- version_count (integer): Total number of versions for this secret
- last_access_time (string): ISO 8601 timestamp of when the secret was last accessed (empty string if not available)
- region (string): AWS region where the secret is stored (e.g., "us-east-1")
Conditional Fields (Included When Available)
- account_id (string): AWS account ID extracted from the secret ARN (only included if successfully extracted from ARN)
- description (string): User-provided description of the secret (only included if non-empty)
- kms_key_id (string): ARN or ID of the KMS key used to encrypt the secret (only included if non-empty)
- tags (object): Key-value pairs of tags associated with the secret (only included if tags exist)
Note: The plugin extracts only metadata about secrets, not the actual secret values themselves. All timestamp fields use ISO 8601 format.
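A consumer of these records has to cope with the conditional fields, the empty-string timestamps, and the two timezone notations. The following is an added example, not part of the plugin: review_secret, parse_ts and the finding names are hypothetical, the URN layout is inferred from the sample above, and the record is a constructed subset of that sample.

```python
import json
from datetime import datetime, timezone

# Constructed record: a subset of the fields in the sample output above.
SAMPLE = json.loads("""{
  "type": "secret",
  "timestamp": "2025-12-15T12:13:41-05:00",
  "urn": "urn:secret:name:test/database/mysql-prod:5eba86d3-c1be-47dc-95ee-0da8d188fd76",
  "extra": {
    "name": "test/database/mysql-prod",
    "current_version": "5eba86d3-c1be-47dc-95ee-0da8d188fd76",
    "last_modified_date": "2025-10-22T18:29:43Z",
    "status": "active",
    "rotation": {"enabled": false}
  }
}""")

def parse_ts(value):
    """Parse a timestamp ending in 'Z' or a numeric offset; '' means not available."""
    if not value:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)

def review_secret(record, max_age_days=90):
    """Return hygiene findings for one scan record (finding names are hypothetical)."""
    if record.get("type") != "secret":
        raise ValueError("not a secret scan record")
    extra, findings = record["extra"], []
    # Assumed URN layout, inferred from the sample: urn:secret:name:<name>:<version>
    if record["urn"] != f"urn:secret:name:{extra['name']}:{extra['current_version']}":
        findings.append("urn_mismatch")
    if extra["status"] != "active":
        return findings  # deleted secrets get no rotation or age findings
    if not extra.get("rotation", {}).get("enabled", False):
        findings.append("rotation_disabled")
    if "kms_key_id" not in extra:  # conditional field: only present when non-empty
        findings.append("no_kms_key_id")
    scanned, modified = parse_ts(record["timestamp"]), parse_ts(extra["last_modified_date"])
    if scanned and modified and (scanned - modified).days > max_age_days:
        findings.append("unmodified_over_max_age")
    return findings

if __name__ == "__main__":
    print(review_secret(SAMPLE))
```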