Secrets Scans

[TBD]

Outcome

• Secrets scanning is executed on every contribution to the source code management (SCM) system.
• All findings are integrated into the vulnerability management program.
• Scanning tools are properly customized to reduce false positives:
• Detection rules are tailored to align with specific business and technical requirements.
• Irrelevant or non-applicable rules are disabled based on the project's context.
• Developers receive immediate feedback on findings, ideally during pull request (PR) reviews within the SCM platform.
• Secrets following defined patterns are detected and blocked before they can be committed to the SCM.
• A clear and documented process is in place for properly removing secrets from source control and invalidating exposed credentials.
• A standardized format is defined for organization-generated secrets, where possible, and custom detection rules are implemented to identify them in code.

Metrics

Metrics for this topic are included in Vulnerability Management

Tools & Resources

• TruffleHog (Free)
• GitLeaks (Free)
• Github's Push Protection (Paid)

Further Reading

• Removing sensitive information from a repository
• Phantom Secrets: Undetected Secrets Expose Major Corporations