Secrets Scanning

Overview

A Secret is a programmatic access key that provides systems with access to information, services or assets. Developers use secrets such as API keys, encryption keys, OAuth tokens, certificates, PEM files, passwords, and passphrases to empower their applications to securely communicate with other cloud services. These keys are often explicitly stored in local or feature branches before being pushed to a main branch.

Git-based Version Control Systems (like GitHub, GitLab) cannot store secrets securely, so secrets kept in them can become exploitable vulnerabilities. Typically this happens when developers leave their secrets in the source code. Once a secret is committed into a Git repo, it remains in the repo's history forever, and anyone who can read the repo can see and use those keys. This is especially dangerous if a repo and its contents are made public, making the secret easy for threat actors to find and use.

Bridgecrew is able to detect Secrets in IDEs, Git-based VCS, and CI/CD executions.

Scanning for Secrets

Bridgecrew uses domain-specific detectors for well-known secret formats such as AWS access keys, generic syntax detectors, and other secret scanning algorithms. Our detectors rely on open source contributions as well as in-house tweaks introduced by Bridgecrew Security Engineering.
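The two detector families described above, as an added illustration that is not Bridgecrew's own code: a domain-specific detector that matches the public AWS access key ID format, and a generic detector that looks for a credential-like assignment and then applies a Shannon-entropy check to the value. The regexes, the 3.5 bits-per-character threshold and the sample file are all assumptions constructed for this example; none of the values are real credentials.

```python
import math
import re
from collections import Counter

# Domain-specific detector (assumed pattern based on the public AWS key ID
# format; not Bridgecrew's detector): a fixed prefix followed by 16 characters.
AWS_ACCESS_KEY_ID = re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b")

# Generic syntax detector (assumed pattern): a credential-like variable name,
# an assignment operator, and a value of at least 12 token-safe characters.
GENERIC_ASSIGNMENT = re.compile(
    r"(?i)(secret|token|password|passwd|api[_-]?key)\w*\s*[:=]\s*"
    r"['\"]?([A-Za-z0-9_\-/+=]{12,})['\"]?"
)

# Assumed tuning value: values below this are treated as too regular to be a
# machine-generated secret (human-chosen passwords often fall below it).
ENTROPY_THRESHOLD = 3.5


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character, estimated from the value's own histogram."""
    if not value:
        return 0.0
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values())


def redact(value: str) -> str:
    """Keep a short prefix so a finding can be recognised without re-exposing it."""
    return value[:4] + "*" * (len(value) - 4)


def scan_line(line: str) -> list[tuple[str, str]]:
    """Return (detector_name, matched_value) for every detector that fires on a line."""
    findings = []
    for m in AWS_ACCESS_KEY_ID.finditer(line):
        findings.append(("aws_access_key_id", m.group(0)))
    for m in GENERIC_ASSIGNMENT.finditer(line):
        value = m.group(2)
        # The generic syntax alone is noisy; only keep high-entropy values.
        if shannon_entropy(value) >= ENTROPY_THRESHOLD:
            findings.append(("high_entropy_assignment", value))
    return findings


def scan_text(text: str) -> list[dict]:
    """Scan a file body and report line number, detector, and a redacted value."""
    results = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for detector, value in scan_line(line):
            results.append({"line": lineno, "detector": detector, "redacted": redact(value)})
    return results


# Constructed sample file. The AWS values are the placeholder keys used in AWS
# documentation; the rest were made up for this example.
SAMPLE = """\
# constructed sample file; none of these values are real credentials
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
aws_secret_access_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
password = "password1234"
api_key = "xK9f2Lq8ZpRt4mVn7YbW3sHg"
"""

if __name__ == "__main__":
    for finding in scan_text(SAMPLE):
        print(f"line {finding['line']}: {finding['detector']} -> {finding['redacted']}")
```

Running this reports three findings: the key ID on line 2 (domain-specific detector), and the secret access key and API key on lines 3 and 5 (generic detector). The weak password on line 4 matches the generic syntax but its entropy (about 3.42 bits per character) falls under the threshold, which is exactly the kind of gap that motivates combining several detector types rather than relying on entropy alone.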

Analyzing Secrets

The Secrets scanning feature uses the Bridgecrew list of policies that are categorized as Secrets. See Policies for more information. The results of the Secrets scan appear in the Incidents pane.

The results screen is broken down into two parts.

  1. Policy vulnerability results
  2. Vulnerability details

Policy Failure Results

This pane displays a short summary and the number of policies that contain vulnerabilities.

Use the filter to view specific types of vulnerabilities, or all of the vulnerabilities that have been discovered. Use the Secrets filter to view only the results of Secrets scanning.

Select a result in the list to view the details of the policy violation. After a policy has been selected, the vulnerabilities discovered for that policy are listed. Select a vulnerability from the list to see its details.

Vulnerability Details

This pane displays the details of the selected vulnerability and provides the actions that can be applied to it.

  1. Policy category, severity information and Policy ID
  2. A menu to view information regarding the policy violation
    a. Errors—list of potential violations (errors) of the policy
    b. Suppressed—list of resources that have been suppressed
    c. Fixed—list of errors that have been fixed
    d. Guidelines—a description of the policy and methods to fix the vulnerability
  3. Actions applicable to the selected policy. Actions are dynamic and may not apply to all policies.
    a. Create Issue—creates an issue for tracking and fixing
    b. Suppress—suppresses the selected vulnerability
    c. Fix—begins the process of fixing the selected vulnerability
  4. Resource (file) where the vulnerability has been discovered and the associated account ID
  5. Vulnerability details including lines within the file with the highlighted vulnerability
  6. Resource history
