
Secrets Scans

[TBD]

Outcome

  • Secrets scanning is executed on every contribution to the source code management (SCM) system.
  • All findings are integrated into the vulnerability management program.
  • Scanning tools are properly customized to reduce false positives:
      • Detection rules are tailored to align with specific business and technical requirements.
      • Irrelevant or non-applicable rules are disabled based on the project's context.
  • Developers receive immediate feedback on findings, ideally during pull request (PR) reviews within the SCM platform.
  • Secrets following defined patterns are detected and blocked before they can be committed to the SCM.
  • A clear and documented process is in place for properly removing secrets from source control and invalidating exposed credentials.
  • A standardized format is defined for organization-generated secrets, where possible, and custom detection rules are implemented to identify them in code.
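As an added illustration of the outcomes above (a custom rule for an organization-defined secret format, rules disabled for project context, path and inline allowlists, and a result that a pre-commit hook can use to block the commit), here is a small Python scanner constructed for this page; it is not a tool the page references, and the `orgtok_` token format, rule ids and exempt paths are assumptions.

```python
"""Minimal pre-commit style secrets scanner (constructed example, not a real tool)."""
import hashlib
import re
from dataclasses import dataclass
from typing import Callable, Optional

# Hypothetical organization token format: "orgtok_" + 32 base62 body chars +
# 6 hex checksum chars (first 6 hex digits of SHA-256 over the body).
# Verifying the checksum lets the rule ignore look-alike strings.
ORG_TOKEN_RE = re.compile(r"\borgtok_([A-Za-z0-9]{32})([0-9a-f]{6})\b")

def org_token_is_valid(body: str, checksum: str) -> bool:
    return hashlib.sha256(body.encode()).hexdigest()[:6] == checksum

def make_org_token(body: str) -> str:
    """Mint a token in the constructed format (used to build sample input)."""
    return "orgtok_" + body + hashlib.sha256(body.encode()).hexdigest()[:6]

@dataclass(frozen=True)
class Rule:
    id: str
    regex: re.Pattern
    enabled: bool = True                                    # off for rules that do not apply
    validator: Optional[Callable[[re.Match], bool]] = None  # extra false-positive filter

RULES = [
    Rule("org-token", ORG_TOKEN_RE,
         validator=lambda m: org_token_is_valid(m.group(1), m.group(2))),
    Rule("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    Rule("generic-password", re.compile(r"password\s*=\s*\S+"), enabled=False),
]
ALLOWED_PATH_PREFIXES = ("tests/fixtures/", "docs/")  # paths exempt by project context
ALLOW_MARKER = "secrets-scan:allow"                    # reviewed inline exception

def scan_text(path: str, text: str, rules=RULES) -> list:
    """Return (rule id, 1-based line number, path) tuples for every finding."""
    if path.startswith(ALLOWED_PATH_PREFIXES):
        return []
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if ALLOW_MARKER in line:
            continue
        for rule in rules:
            if not rule.enabled:
                continue
            for m in rule.regex.finditer(line):
                if rule.validator is None or rule.validator(m):
                    findings.append((rule.id, lineno, path))
    return findings

def scan_files(files: dict) -> list:
    """Scan path -> content (e.g. staged files); a non-empty result blocks the commit."""
    return [f for path, text in files.items() for f in scan_text(path, text)]
```

In a real hook, `files` would be filled from the staged content of the commit and a non-empty result would make the hook exit non-zero.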

Metrics

Metrics for this topic are included in Vulnerability Management.

Tools & Resources

Further Reading