Leaking Tickets: Secrets Exposure in ServiceNow (Part 2)

Peleg Cabra, Director of Product Marketing
May 27, 2025

Securing Secrets and NHIs in SNOW with Entro

In part 1, we covered real-world ServiceNow incidents where secrets and sensitive data got exposed, from misconfigured knowledge bases to API keys and tokens pasted into support tickets. The takeaway was clear: SNOW has become a quiet exposure point for secrets. In this follow-up blog, we’ll show how Entro integrates with ServiceNow to scan, contextualize and remediate exposed secrets and non-human identities before they become a breach.

So Why Do SNOW Tickets Keep Leaking Secrets?

In our last blog, we outlined four key reasons secrets leak from ServiceNow environments. Here is a quick recap:

    1. Secrets in tickets – users sometimes paste non-human identity (NHI) tokens and other credentials into tickets during troubleshooting, turning IT issues into long-term exposure points.

    2. Misconfigurations and access control gaps – Knowledge Base articles and attachments containing sensitive data are often exposed due to mis-scoped access controls or default public settings.

    3. Non-human identities in integrations – API keys and service accounts used in SNOW’s third-party integrations are sometimes stored insecurely by users in tables or scripts (outside of SNOW’s dedicated Secrets Management).

    4. A broad, mixed-skill user base – ServiceNow isn’t just used by IT and helpdesk. Users often paste logs, screenshots or error messages into tickets. These can unintentionally contain secrets, like tokens in URLs or config files, without the user realizing it.

Even organizations that recognize these risks struggle to address them because ServiceNow lacks native secret scanning or DLP capabilities. While it offers strong access controls and PII masking, it doesn’t flag exposed secrets or plaintext NHI tokens across tickets, attachments or KBs.

That’s where Entro comes in.

How Entro Scans ServiceNow for Secrets and NHIs

Entro’s platform integrates directly with the enterprise ServiceNow ITSM (both on SaaS and on-prem) to scan across incidents, support tickets, knowledge bases, file attachments and other sources, identifying exposed secrets and NHI tokens that appear in plaintext.

The Most Complete Secrets & NHI Security for SNOW (2025)

Entro connects to the ServiceNow instance via secure API integration. As the most comprehensive secrets and non-human identity security solution for SNOW on the market, Entro scans the following components:

    1. Incident tickets, Problems and Change requests
      These are the core of the ITSM workflows, where employees report problems and ask for help, and IT teams troubleshoot. Entro scans ticket descriptions, comments and logs to identify secrets accidentally pasted during support requests.

    2. Knowledge Base (KB) articles
      KBs often contain internal documentation, runbooks and troubleshooting guides. Misconfigured or outdated articles may include secrets or tokens. Entro scans article content and associated comments for sensitive credentials.

    3. Configuration Management Database (CMDB) and asset records
      These contain detailed information about hardware, applications, cloud resources and services. Secrets sometimes end up in these records due to manual entries, embedded scripts or integrations. Entro scans these fields to surface misplaced credentials.

    4. File attachments
      Log files, screenshots, config dumps and exported reports are frequently attached to tickets and KBs. Entro scans attachments, including using Optical Character Recognition (OCR) for images and PDFs, to uncover embedded secrets.

Feature 1: Exposed secrets inventory on Entro’s platform, displaying type, severity, exposure time, associated users, and additional contextual data for each incident.

From Ticket to Token: Full Context for Every Secret

When Entro discovers a secret in ServiceNow, it doesn’t stop at detection. It surfaces rich, actionable context to help security teams move fast and remediate the risk with clarity and confidence.

Each detected exposed secret in ServiceNow includes:

    • Where it was found: whether it’s in a support ticket, KB article, attachment, or config record, Entro pinpoints the exact source (URL) and exposure timestamp.

    • What kind of secret it is: from API keys to AWS IAM tokens, Entro classifies the secret type and presents a secure, partial snippet.

    • Who exposed it: leveraging the NHI ownership attribution model, Entro connects the SNOW exposure to a specific user, giving security teams an owner to follow up with or escalate to.

    • Who else can access it: Entro reveals who had access to the artifact (e.g., a SNOW ticket), mapping potential lateral exposure risk.

    • Where else it appears: Entro flags cross-platform occurrences to detect exposures across platforms like GitHub, Slack, the Atlassian suite, and more.

Feature 2: Full secret context, including exposure source, ticket ID, owner, access scope and affected service, all linked back to the original ServiceNow exposed secret.

As shown in Feature 2, Entro doesn’t just say “a secret was found”. The GitHub Personal Access Token (PAT) in the example above was buried in a ServiceNow ticket, and Entro surfaced it with complete context so the security team can act fast and act smart.
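To make the idea of detection with context concrete, here is an added sketch (not Entro's implementation, and not code from the original post) of a pattern-based scan over incident records that reports where a secret was found, its type, a masked snippet and the ticket opener. It assumes records shaped like rows of the ServiceNow `incident` table with display values; the detector set, field selection and sample records are constructed for illustration.

```python
import re

# Illustrative detectors based on publicly documented token formats (not exhaustive).
DETECTORS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "url_token": re.compile(r"[?&](?:token|api_key|access_token)=([A-Za-z0-9._-]{16,})"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}
# Free-text incident fields to scan (assumed selection).
TEXT_FIELDS = ("short_description", "description", "comments", "work_notes")

def mask(secret, keep=4):
    """Partial snippet, so a finding never re-exposes the full secret."""
    if len(secret) <= keep * 2:
        return "*" * len(secret)
    return secret[:keep] + "*" * (len(secret) - keep * 2) + secret[-keep:]

def scan_record(table, record):
    """Return one finding per match: source, field, secret type, masked snippet, owner."""
    findings = []
    for field in TEXT_FIELDS:
        text = record.get(field) or ""
        for kind, pattern in DETECTORS.items():
            for m in pattern.finditer(text):
                secret = m.group(m.lastindex or 0)  # capture group if the pattern has one
                findings.append({
                    "table": table, "sys_id": record["sys_id"],
                    "number": record.get("number"), "field": field,
                    "type": kind, "snippet": mask(secret),
                    "opened_by": record.get("opened_by"),
                })
    return findings

def scan_incidents(records):
    return [f for r in records for f in scan_record("incident", r)]

# Constructed sample records; every credential-looking value is a placeholder.
SAMPLE_INCIDENTS = [
    {"sys_id": "a1" * 16, "number": "INC0010001", "opened_by": "jdoe",
     "short_description": "CI deploy failing",
     "description": "Job fails with key AKIAIOSFODNN7EXAMPLE on the runner.",
     "comments": "Repro: curl 'https://api.example.com/v1/jobs?token=" + "0123456789abcdef0123" + "'",
     "work_notes": "User also pasted PAT " + "ghp_" + "Ab12" * 9},
    {"sys_id": "b2" * 16, "number": "INC0010002", "opened_by": "asmith",
     "short_description": "Laptop fan noise", "description": "No credentials here."},
]

if __name__ == "__main__":
    for finding in scan_incidents(SAMPLE_INCIDENTS):
        print(finding)
```

Pattern matching of this kind only catches tokens with a recognizable format; secrets inside attachments or images need the file and OCR scanning described earlier.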

From Detection to Remediation: Entro Pushes Alerts Into ServiceNow

Entro’s platform doesn’t just scan ServiceNow; it can also feed directly back into it. When a secret or NHI risk is detected, Entro can automatically create a new ServiceNow incident ticket using a dedicated webhook or a pre-configured API endpoint.

This additional integration closes the loop by feeding Entro’s findings into existing ITSM workflows, turning real-time detection into real-time response. Security teams can track, assign and escalate secrets and NHI risks using the same ITSM processes they already rely on. This results in streamlined remediation, faster resolution and enhanced visibility across your broader security stack.

Feature 3: Quick onboarding. ServiceNow is one of many native integrations supported by Entro, enabling fast and secure setup.

Best Practices for Secrets Hygiene in ServiceNow

Even with advanced detection in place, practicing basic secrets hygiene within ServiceNow solutions can dramatically reduce risk. For a comprehensive overview of securing your ServiceNow instance, refer to the ServiceNow Security Best Practices Guide.

Here are a few foundational best practices to adopt around SNOW and NHIs:

    1. Adopt a regular rotation routine for secrets in your organization to reduce blast radius in case of exposure.

    2. Educate internal users (including support) to avoid inserting credentials or sensitive data into tickets or knowledge base articles.

    3. Sanitize ticket templates and troubleshooting forms that might encourage copying sensitive data.

    4. Restrict public KB access using strict user criteria and ACLs, especially on cloned or outdated articles.

    5. Use SNOW scoped secrets for automations and integrations instead of hardcoded credentials in scripts or tables.

    6. Regularly audit attachments and config fields for embedded secrets, especially in CMDB and asset records.

Secrets hygiene is a team effort, but with visibility, context and automation, it becomes a manageable one.

Start Securing Your NHIs on SNOW

Secrets and tokens don’t belong in tickets – but they end up there. Entro gives enterprises full visibility into exposed NHIs and secrets across ServiceNow, adds context and drives fast remediation.

Ready to see what’s hiding in your SNOW stack?
Request a demo and take control before the next leaking ticket finds you.
