Find out the key capabilities of secret scanners and what to consider when searching for a solution.
Background
In today’s software development ecosystem, software architectures rely on rapid communication between microservices and access to cloud and third-party resources. Facilitating these transactions are a multitude of authentication credentials, commonly referred to as secrets.
Managing these secrets securely is no easy feat since they play a role in every step of the SDLC: from SCM systems through CI/CD pipelines and finally into cloud infrastructure. A common place for secrets to appear is in source code - data gathered by Legit Security indicates that, on average, 12 valid secrets are found per 100 repositories. Once a secret reaches a Git-based repo, finding and removing it becomes especially challenging as it may be tucked away, hiding in a side branch, and still copying itself onto every developer's machine, possibly finding its way to the public domain.
Yet code repositories are far from the only place secrets can end up. Through mistakes or mismanagement, they can also make their way to artifacts and containers, build logs, cloud assets, and sometimes even wikis. These locations can pose an even more significant threat, as they are often intentionally public, unlike source code that is usually kept privately.
What exactly is the scale of secret leak risks? It’s the second most common initial attack vector, according to IBM’s 2023 Data breach report. Recently, a GitHub personal access token belonging to a Mercedes-Benz employee was found in a public repository The discovery was subsequently disclosed, and evidence showed that the token held access to Mercedes code and other secrets, including valid AWS and Azure keys. While the original token was revoked, it remains to be seen if any malicious actor found it prior to the report and used it to access intellectual property or customer data. This incident shows that the inadvertent disclosure of even one sensitive secret can lead to a cascade of breaches that will undoubtedly be costly and difficult to remediate.
What should I look for when searching for a secrets scanning solution?
How should organizations handle the risk of secrets exposure? Training employees and keeping to best practices is helpful, but an effective secrets scanner should complement these steps. Here are a few points to take into consideration when looking for a new secrets scanner:
Comprehensive coverage
As mentioned above, secrets can end up in many places, such as your Git history, Docker containers, artifacts, and knowledge management systems (e.g., Confluence). Many scanners overlook this, focusing entirely on your source code. Look for a scanner that can cover as many of your systems as possible.
Production-grade capacity
Even though secret scanning is undoubtedly valuable, it can become a bottleneck if your tool can't handle your needs. You might have hundreds of code repos with thousands of code commits daily, some then going through CI/CD pipelines and ending up as artifacts. An unfit scanner could take hours to scan this, slowing you down. Most scanners are based on open-source tools, which are not optimized for enterprises and lack proper low-level implementation. You should opt for one that can take the load in stride.
Context-based assessment
Not all secrets are created equal; some pose a greater risk than others. Secrets can differ in the resources they safeguard, the ease of theft, and the validity status. A valid secret in a public repo requires an urgent response, while an invalid secret in Confluence might not. Choose scanners that consider these factors and employ a prioritized approach to securing your assets.
Reliable detection
As with any detection tool, secrets scanners are prone to make some errors, either by flagging innocent text as a secret (false positive) or by missing a secret (false negative). False negatives are clearly more dangerous, and scanners worth considering should reduce them to a bare minimum, while keeping false positives from wasting precious time.
Management and response
All the above capabilities help scanners find an exposed secret, but what comes next? Remediation for exposed secrets can be just as tricky as detection, so choose a scanner that can help guide you through this process. Once a secret is found, your scanner should be able to alert you in a clear and immediate manner that fits your workflow (e.g., Slack) and assign a ticket in your organization’s ticketing system (e.g., Jira). After notifying you, your tool should help you prioritize remediations based on risk and offer practical steps to solve each issue.
Customization
Some secrets are unique to you and your needs. An effective scanner provides ways to customize policies, add secret types, and adjust the severity of existing secret types to reflect your detection needs. In addition, you need exception management to indicate specific file patterns you don’t want to be scanned or code lines that should be ignored. A tool that can adapt to your organization’s particular needs will boost effectiveness dramatically.
Prevention capabilities
Detecting leaked secrets is one way to address a breach, but the ideal way is to prevent it. Once a secret has reached its final destination in your Git repo or a production container, it’s already too late - it’s permanently recorded in the history, and removing it from the public domain and your developers’ machines is sometimes impossible. You need a scanner that can be deployed locally on your developers' machines or use pre-commit hooks to block sensitive information from ever reaching a dangerous environment. Remediation is much simpler when the secret gets caught early enough.
Legit is here to help
Having a secrets scanner that can check all these boxes can go a long way in strengthening overall security posture. Legit’s Secret Scanner provides a best-of-breed solution that covers everything we outlined in this post and more. Want to see for yourself? Book a demo with Legit Security today.
To learn more about secrets and their role in your software supply chain, read Legit Security’s latest white paper.
