Secrets Scans
[TBD]
Outcome
- Secrets scanning is executed on every contribution to the source code management (SCM) system.
- All findings are integrated into the vulnerability management program.
- Scanning tools are properly customized to reduce false positives:
  - Detection rules are tailored to align with specific business and technical requirements.
  - Irrelevant or non-applicable rules are disabled based on the project's context.
- Developers receive immediate feedback on findings, ideally during pull request (PR) reviews within the SCM platform.
- Secrets following defined patterns are detected and blocked before they can be committed to the SCM.
- A clear and documented process is in place for properly removing secrets from source control and invalidating exposed credentials.
- A standardized format is defined for organization-generated secrets, where possible, and custom detection rules are implemented to identify them in code.
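The following is an added example, not part of this page or of any of the tools listed below. It shows what the outcomes above look like in code: a small pre-commit secrets gate with a custom rule for an organization-defined key format, a rule disabled for the project's context, an allowlist for known placeholders, and a non-zero exit status that blocks the commit. The `acme_live_`/`acme_test_` key format, the `secrets-scan:allow` inline marker, and the sample staged files are all constructed for illustration; the `git diff --cached` / `git show :path` commands in the entry point are standard git.

```python
"""Pre-commit secrets gate (added example; hypothetical organization key format)."""
from __future__ import annotations

import re
import subprocess
import sys
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    id: str
    pattern: re.Pattern
    enabled: bool = True  # disabled rules stay documented but are skipped


# Rules tailored to this (hypothetical) project. The organization issues API keys
# in a fixed format, "acme_<live|test>_" followed by 32 alphanumerics, so a custom
# rule can match them with very few false positives.
RULES = [
    Rule("org-api-key", re.compile(r"\bacme_(?:live|test)_[A-Za-z0-9]{32}\b")),
    Rule("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    Rule("private-key-block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    # Generic password assignments are too noisy in this code base, so the rule is
    # disabled rather than deleted; the decision is visible in the config.
    Rule("generic-password", re.compile(r"password\s*=\s*['\"][^'\"]{8,}['\"]", re.I), enabled=False),
]

# Known placeholder values that documentation and fixtures are allowed to contain.
ALLOW_VALUES = frozenset({"acme_test_" + "x" * 32})
# Inline marker a reviewer can add to suppress a single reviewed line (assumed convention).
ALLOW_MARKER = "secrets-scan:allow"


@dataclass(frozen=True)
class Finding:
    rule_id: str
    path: str
    line_no: int
    match: str  # redacted, so the finding itself never stores the full secret


def redact(secret: str) -> str:
    """Keep a short prefix so the developer can locate the value; mask the rest."""
    keep = min(8, len(secret) // 2)
    return secret[:keep] + "*" * (len(secret) - keep)


def scan_text(path: str, text: str, rules: list[Rule] = RULES) -> list[Finding]:
    """Run every enabled rule over each line of one file's content."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if ALLOW_MARKER in line:
            continue
        for rule in rules:
            if not rule.enabled:
                continue
            for m in rule.pattern.finditer(line):
                if m.group(0) in ALLOW_VALUES:
                    continue
                findings.append(Finding(rule.id, path, line_no, redact(m.group(0))))
    return findings


def gate(staged: dict[str, str]) -> tuple[bool, list[Finding]]:
    """Scan all staged files; the commit is allowed only when nothing is found."""
    findings = [f for path, text in staged.items() for f in scan_text(path, text)]
    return (not findings), findings


def staged_files() -> dict[str, str]:
    """Read the staged (index) version of each added or modified file from git."""
    names = subprocess.run(
        ["git", "diff", "--cached", "--name-only", "--diff-filter=AM", "-z"],
        check=True, capture_output=True, text=True,
    ).stdout
    files: dict[str, str] = {}
    for path in filter(None, names.split("\0")):
        blob = subprocess.run(["git", "show", f":{path}"], check=True, capture_output=True)
        files[path] = blob.stdout.decode("utf-8", errors="replace")
    return files


# Constructed sample of staged content, used to exercise the gate offline.
SAMPLE_STAGED = {
    "src/config.py": (
        'API_KEY = "acme_live_' + "A1b2C3d4" * 4 + '"\n'       # real-looking org key: blocked
        'AWS_KEY = "AKIAABCDEFGHIJKLMNOP"\n'                  # AWS access key id: blocked
        'password = "correct horse battery"\n'               # disabled rule: ignored
    ),
    "tests/fixtures/sample.py": 'KEY = "acme_test_' + "x" * 32 + '"\n',  # allowlisted placeholder
    "docs/setup.md": "export ACME_KEY=acme_live_" + "Zz9Zz9Zz" * 4 + "  # " + ALLOW_MARKER + "\n",
}


if __name__ == "__main__":
    # Installed as .git/hooks/pre-commit: a non-zero exit refuses the commit.
    allowed, findings = gate(staged_files())
    for f in findings:
        print(f"{f.path}:{f.line_no}: [{f.rule_id}] {f.match}")
    sys.exit(0 if allowed else 1)
```

Run against `SAMPLE_STAGED`, the gate reports two findings (the organization key and the AWS key id in `src/config.py`) and refuses the commit, while the placeholder fixture, the marked documentation line, and the password assignment under the disabled rule produce nothing. The same rule list can be fed to a CI job so that findings also flow into the vulnerability management program rather than living only on the developer's machine.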
Metrics
Metrics for this topic are included in Vulnerability Management.
Tools & Resources
- TruffleHog (Free)
- GitLeaks (Free)
- GitHub's Push Protection (Paid)