Output Format

Scan Results

Each discovered secret generates a result with the following structure:

{
    "type": "secret",
    "timestamp": "2025-12-15T12:20:46-05:00",
    "urn": "urn:secret:name:database-password:1",
    "url": "https://console.cloud.google.com/security/secret-manager/secret/database-password/versions?project=gcp-project-corp-dev-discovery",
    "extra": {
      "created_date": "2025-11-14T17:55:33.143792Z",
      "current_version": "1",
      "labels": {
        "environment": "test",
        "team": "backend"
      },
      "last_modified_date": "2025-11-14T17:55:34.492888Z",
      "location": "automatic",
      "name": "database-password",
      "platform_type": "gcp",
      "project_id": "gcp-project-corp-dev-discovery",
      "replication": {
        "automatic": {}
      },
      "replication_status": {
        "automatic": {}
      },
      "revision": "1",
      "rotation": {
        "enabled": false
      },
      "status": "enabled",
      "version_count": 1,
      "version_details": {
        "client_specified_payload_checksum": true,
        "create_time": "2025-11-14T17:55:34.492888Z",
        "etag": "\"164391b44c76d8\"",
        "name": "projects/415567878177/secrets/database-password/versions/1"
      }
    }
}

Output Fields

Field       Description
---------   -----------
type        Always "secret" for secret assets
timestamp   RFC3339 timestamp of when the scan was performed
urn         Unique resource name following format urn:secret:name:{secret-name}:{version}
url         Direct link to the secret in Google Cloud Console
extra       Additional metadata (see Extra Fields section below)

Extra Fields

The extra object contains GCP-specific metadata about the secret.

Standard Fields (Always Included)

  • platform_type (string): Always "gcp" indicating the secret is from GCP Secret Manager
  • name (string): Secret name/identifier
  • project_id (string): GCP project ID containing the secret
  • created_date (string): ISO 8601 timestamp of when the secret was created
  • last_modified_date (string): ISO 8601 timestamp of when the current version was created
  • status (string): Current secret version state (values: "enabled", "disabled", "destroyed")
  • revision (string): Current version number
  • current_version (string): Current version number (same as revision)
  • version_count (integer): Total number of versions for this secret
  • rotation (object): Secret rotation configuration
    • enabled (boolean): Whether automatic rotation is enabled
    • next_rotation_time (string): ISO 8601 timestamp of next scheduled rotation (only present when rotation is enabled)
    • rotation_period (string): Duration between rotations in seconds format (e.g., "2592000s" for 30 days) (only present when rotation is enabled)

Conditional Fields (Included When Available)

  • location (string): Replication location (value: "automatic" for automatic replication, or specific location for user-managed replicas)
  • expiration_date (string): ISO 8601 timestamp when the secret expires (only present if expiration is set)
  • version_details (object): Detailed information about the current version (only present if version information is available)
    • name (string): Full resource name of the version
    • create_time (string): ISO 8601 timestamp of version creation
    • etag (string): Version entity tag for concurrency control
    • destroy_time (string): Timestamp when version was destroyed (only present if destroyed)
    • scheduled_destroy_time (string): Timestamp when version is scheduled for destruction (only present if scheduled)
    • client_specified_payload_checksum (boolean): Whether client specified a payload checksum (only present if true)
  • labels (object): Key-value pairs of user-defined labels (only present if labels exist)
  • annotations (object): Key-value pairs of annotations (only present if annotations exist)
  • ttl (string): Time-to-live duration for the secret (only present if TTL is set)
  • version_destroy_ttl (string): Duration before version destruction (only present if set)
  • topics (array of objects): Pub/Sub topics for notifications (only present if topics are configured)
  • replication (object): Replication configuration details (only present if replication is configured)
    • automatic (object): Automatic replication settings (present for automatic replication)
    • user_managed (object): User-managed replication settings (present for user-managed replication)
      • replicas (array): List of replica locations
  • replication_status (object): Current replication status (only present if replication status is available)
    • automatic (object): Status for automatic replication
    • user_managed (object): Status for user-managed replication

Note: The plugin extracts only metadata about secrets, not the actual secret values themselves. All timestamp fields use ISO 8601 format.
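
Because results carry only metadata, they can be triaged for secret hygiene without touching any secret value. The following is an added example, not part of the plugin: it checks one result for disabled rotation, a missing expiration, and an old current version. The function names, the finding strings and the 90-day threshold are assumptions chosen for illustration.

```python
import json
import re
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(days=90)  # assumed policy threshold, not a plugin setting

# Constructed sample: the page's example result, trimmed to the fields used here.
SAMPLE = json.loads("""{
  "type": "secret",
  "urn": "urn:secret:name:database-password:1",
  "extra": {
    "last_modified_date": "2025-11-14T17:55:34.492888Z",
    "rotation": {"enabled": false},
    "status": "enabled"
  }
}""")

def parse_ts(ts):
    """Parse an ISO 8601 timestamp as it appears in scan results."""
    ts = re.sub(r"(\.\d{6})\d+", r"\1", ts)  # drop sub-microsecond digits
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def audit_secret(result, now):
    """Return hygiene findings for one scan result, using metadata only."""
    extra = result.get("extra", {})
    if result.get("type") != "secret" or extra.get("status") != "enabled":
        return []  # disabled or destroyed versions are not live credentials
    findings = []
    rotation = extra.get("rotation", {})
    if not rotation.get("enabled", False):
        findings.append("rotation disabled")
    elif "rotation_period" in rotation:
        # rotation_period uses seconds format, e.g. "2592000s" for 30 days
        seconds = float(rotation["rotation_period"].rstrip("s"))
        if timedelta(seconds=seconds) > MAX_AGE:
            findings.append("rotation period exceeds policy")
    # expiration_date and ttl are conditional fields: absent means not set
    if "expiration_date" not in extra and "ttl" not in extra:
        findings.append("no expiration set")
    modified = extra.get("last_modified_date")
    if modified and now - parse_ts(modified) > MAX_AGE:
        findings.append("current version older than policy")
    return findings

if __name__ == "__main__":
    scan_time = parse_ts("2025-12-15T12:20:46-05:00")  # timestamp from the sample result
    print(SAMPLE["urn"], audit_secret(SAMPLE, scan_time))
```

Conditional fields are read with membership tests and `.get()` so that a result lacking `expiration_date`, `ttl` or `rotation_period` is reported as a finding rather than raising an error.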