Secret Insights

docs/documentation/platform/insights.mdx

<Note> Secret Insights is a paid feature.

On Infisical Cloud it is available on the Pro and Enterprise plans. If you're self-hosting Infisical, contact [email protected] to acquire a license. </Note>

Secret Insights is an observability dashboard for your Secrets Management project. It surfaces the questions you care about most — Which secrets are due for rotation? Which reminders are overdue? What hasn't been touched in months? Who's actually reading my secrets? — and links you straight to the secrets you need to act on.

The page is read-only. Every metric is computed from data already collected by Infisical (rotation schedules, reminders, secret modification times, access logs), so there's nothing to configure to start using it.

Accessing Insights

From a Secret Manager project, open the Insights tab in the project sidebar. The page is divided into four sections:

  • Summary Cards — three at-a-glance counters for rotations, reminders, and stale secrets.
  • Audit Reports — generate point-in-time compliance exports.
  • Rotation & Reminder Calendar — a month-by-month view of every upcoming rotation and reminder.
  • Secret Access Volume — read-request trends over the past 7 days, plus the top callers.
  • Authentication Methods — how identities are authenticating to read secrets, over the past 30 days.

The page also includes an Audit Reports card for generating exportable compliance reports — see Audit Reports.

Summary

The three cards along the top of the page give you a quick read on what needs attention. Each card opens a popover with a table you can drill into; clicking a row jumps directly to the matching secret in the Overview page with the appropriate filters applied.

Upcoming Rotations

Counts secret rotations scheduled to run in the next 7 days.

A status badge on the card calls out failed rotations:

  • A green badge reads No failed rotations when everything is healthy.
  • A red badge shows {N} failed when one or more rotations are in a failed state and need investigation.

Click View Rotations (or View Failed Rotations) to see the full list. Each row shows the rotation name, environment, secret path, and a relative-time status (scheduled, in 3 days, retries in 1h, or failed). Click a row to open that rotation's secret in the Overview page filtered by rotation.

Upcoming Reminders

Counts secret reminders due in the next 7 days.

A status badge calls out overdue reminders:

  • A green badge reads No overdue reminders when you're caught up.
  • A red badge shows {N} overdue when reminders have passed their due date without being acknowledged.

Click View Upcoming Reminders (or View Overdue Reminders) to see the list. Each row shows the secret key, environment, path, and how soon it's due (or how long it's been overdue). Click a row to jump to that secret in the Overview page.

Stale Secrets

Counts secrets that haven't been modified in more than 90 days.

The card shows either All secrets up to date when nothing is stale, or {N} need(s) review when there are stale secrets to look at. The popover table is paginated 10 rows at a time and shows each secret's key, environment, path, and last-modified time. Click a row to open it in Overview.

Stale secrets aren't necessarily a problem — long-lived configuration values are normal. The list is meant as a prompt to review whether anything should be rotated, removed, or refreshed.

Audit Reports

Audit Reports let you generate point-in-time compliance exports for a Secrets Management project — stale secrets, duplicate values, validation-rule violations, rotation status, upcoming reminders, and secret access history — and deliver them to one or more recipients as CSV attachments (one file per report type) in an email.

Where the rest of the Insights dashboard is a live, read-only view, an Audit Report is a snapshot you can hand to an auditor, attach to a ticket, or archive for SOC 2 / ISO 27001 evidence. You'll find it as the Audit Reports card on the Insights page.

<Warning> Audit reports can contain sensitive metadata — secret keys, paths, access patterns, and recipient emails. They are delivered by email to the addresses you specify; only send reports to recipients you trust, and treat the CSV as confidential. </Warning>

Generating a report

  1. Open the Insights tab and find the Audit Reports card.
  2. Click Generate Report.
  3. In the dialog, select one or more report types.
  4. (Optional) Enter one or more email recipients, comma-separated. If you leave this blank, the report is sent to your own email.
  5. Click Generate Report.

The request is queued and generated in the background. When it finishes, every recipient receives an email with one CSV file attached per requested report. You can keep working — the report's status updates live in the history table.

<Note> Report generation is asynchronous. A project can have at most one report generating at once. </Note>

Report history

The Audit Reports card lists previously requested reports, newest first, paginated (10 per page by default). Each row shows:

  • Reports — the report type(s) included in that request. Hover to see the full list when multiple are combined.
  • Recipients — the email addresses of the recipients who have received the audit report.
  • Status — the generation status (see below). Hover a Failed or Partial badge for details.
  • Requested — when the report was requested.

Use the trash icon on a row to delete a report from the history (requires the Delete permission).

| Status | Meaning |
| --- | --- |
| Pending | Queued, not yet started. |
| Generating | Currently being generated. |
| Completed | Generated and emailed successfully. |
| Partial | Delivered, but at least one report hit the row limit and was truncated. |
| Failed | Generation failed. Hover the badge for the error message. |

Report types

A single request can include any combination of the following. Each becomes its own labelled section in the CSV.

| Report | What it contains |
| --- | --- |
| Stale Secrets | Secrets not updated within the last 90 days, with their last-updated time and age in days. |
| Duplicate Secrets | Secrets that share the same value across environments and paths, grouped together. Requires the project's secret blind-index to be enabled. |
| Secret Validation Compliance | Stored secrets that violate a secret validation rule covering them — for example, a secret created before a rule existed, or one that no longer meets a length/regex/prefix constraint. |
| Upcoming Rotations | Secret rotations scheduled within the next 7 days. |
| Failed Rotations | Secret rotations currently in a failed state. |
| Upcoming Reminders | Secret reminders due within the next 7 days. |
| Secret Access Log | Who accessed secrets over the last 30 days (actor, event type, secret, environment, path, IP, timestamp). |

Rotation & Reminder Calendar

The calendar panel shows every upcoming rotation and reminder laid out on a month grid, so you can see the cadence of upcoming work at a glance.

Navigation. Use the chevrons in the panel header to move between months. The current day is highlighted with a colored border.

Event pills. Each day cell shows up to two events; when there are more, the second slot is replaced by a +N more pill that expands the rest. Pills are color-coded:

| Color | Event Type |
| --- | --- |
| Blue, with a refresh icon | Rotation |
| Orange, with a bell icon | Reminder |

Event details. Click a pill to view its details, then use the View in Overview button to jump to the corresponding secret in the project Overview with filters applied.

Secret Access Volume

This panel shows how many times secrets have been read across the project over the past 7 days, plotted as a daily area chart.

Each point represents the total number of read requests on that day, regardless of which secret was read or how it was read (UI, CLI, SDK, API, agent, operator, etc.).

Below the chart, the Top actors row lists the up-to-five identities that issued the most read requests in the same 7-day window, along with their request counts. Actor entries are formatted as {type}: {name} ({count}) — for example, Service: ci-runner (5,234) or User: [email protected] (812).

Use this panel to spot unusual spikes, identify the heaviest consumers of your secrets, and confirm that traffic patterns match what you expect from your services.
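The same review can be done offline against a Secret Access Log export. The following is an added example, not Infisical code: it computes the 7-day daily read volume, formats the top actors as {type}: {name} ({count}), and flags spike days. The CSV column names, the `read` event value, and the median-based spike heuristic are assumptions; adjust them to the header of the CSV you actually receive.

```python
import csv
import io
from collections import Counter
from datetime import datetime, timedelta, timezone
from statistics import median

# Constructed sample export. The header names and the "read" event value are
# assumptions modelled on the fields the Secret Access Log report lists.
HEADER = "actor_type,actor,event_type,secret,environment,path,ip,timestamp\n"
ROWS = [("Service", "ci-runner", "read", f"2025-01-0{d}T09:00:00+00:00") for d in range(1, 8)]
ROWS += [("User", "alice", "read", "2025-01-03T10:00:00+00:00")]
ROWS += [("Service", "batch-job", "read", f"2025-01-05T02:{m:02d}:00+00:00") for m in range(9)]
ROWS += [("User", "alice", "update", "2025-01-05T11:00:00+00:00")]  # not a read
ROWS += [("Service", "ci-runner", "read", "2024-12-20T09:00:00+00:00")]  # outside window
SAMPLE_CSV = HEADER + "".join(
    f"{t},{a},{e},DB_URL,prod,/,10.0.0.5,{ts}\n" for t, a, e, ts in ROWS)
NOW = datetime(2025, 1, 8, tzinfo=timezone.utc)  # constructed "current time"

def load_reads(csv_text, now, days=7, read_events=("read",)):
    """Return (day, actor_label) for every read event inside the window."""
    start = now - timedelta(days=days)
    reads = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        ts = datetime.fromisoformat(row["timestamp"])
        if row["event_type"] in read_events and start <= ts < now:
            reads.append((ts.date().isoformat(), f'{row["actor_type"]}: {row["actor"]}'))
    return reads

def daily_volume(reads):
    """Total read requests per day, regardless of secret or client."""
    return dict(sorted(Counter(day for day, _ in reads).items()))

def top_actors(reads, n=5):
    """Up to n heaviest readers, formatted as '{type}: {name} ({count})'."""
    counts = Counter(actor for _, actor in reads)
    return [f"{actor} ({count:,})" for actor, count in counts.most_common(n)]

def spike_days(volume, factor=3.0):
    """Days whose volume exceeds factor x the median of days that had reads."""
    if not volume:
        return []
    baseline = median(volume.values())
    return [day for day, count in volume.items() if count > factor * baseline]

if __name__ == "__main__":
    reads = load_reads(SAMPLE_CSV, NOW)
    volume = daily_volume(reads)
    print("daily volume:", volume)
    print("top actors:", top_actors(reads))
    print("spike days:", spike_days(volume))
```
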

Authentication Methods

This panel shows the distribution of authentication methods used to read secrets over the past 30 days, plotted as a donut chart with a breakdown table beside it.

Each slice represents an auth method (for example, Universal Auth, Kubernetes Auth, AWS Auth, Token Auth, JWT). The breakdown shows the method name, percentage of total reads, and absolute request count, with a Total row at the bottom.

You may see an Unknown bucket. This represents older read requests that were issued before Infisical began recording the auth method on each request. Only newer requests carry this metadata, so the Unknown share will shrink over time as historical data ages out of the 30-day window.

Use this panel to understand how your workloads are authenticating, spot identities still using older auth methods you'd like to retire, and verify that auth-method migrations are taking effect.