Base64 High Entropy String

Bridgecrew Policy ID: BC_GIT_6
Checkov Check ID: CKV_SECRET_6
Severity: LOW

Base64 High Entropy String


Entropy is a concept used to assign a numerical score to how unpredictable a password is or the likelihood of highly random data in a string of characters. This policy calculates entropy levels using a Shannon Entropy calculator. The entropy levels of keys are important, as the more or less information required to determine unknown key variables can alter how difficult it is to crack. If a high-entropy string is detected, the string is printed to the screen.

This check scans the branch and evaluates the entropy value for both the base64 character set for every blob of text.

Fix - Git

Step 1: Revoke the exposed secret.
Start by understanding what services were impacted and refer to the corresponding API documentation to learn how to revoke and rotate the secret.

Step 2: Clean the git history.
Go under the settings section of your GitHub project and chose the change visibility button at the bottom.

Step 3: Check any relevant access logs to ensure the key was not utilized during the compromised period.

Fix - Terraform

resource "aws_glue_connection" "examplevpc" {
  connection_properties = {
    JDBC_CONNECTION_URL = "jdbc:mysql://${aws_rds_cluster.example.endpoint}/exampledatabase"
 -   PASSWORD            = "valuethatdoesntcontainsecretword"
    USERNAME            = "exampleusername"

  name = "example"

  physical_connection_requirements {
    availability_zone      = aws_subnet.example.availability_zone
    security_group_id_list = []
    subnet_id              =

Don't hardcode the secret in the resource, pull in dynamically from a secret source of your choice e.g. AWS parameter store, and if already committed to source follow the git instructions stated previously.

Did this page help you?