With the secrets of over 2m corporations already leaked, it is time to mandate action to plug the preventable gaps
In DevSecOps, collaboration and consistency are key. Not only in software development, but when it comes to collaboration on Git repositories, where the word “key” takes on a whole new meaning.
Whether it is API keys, passwords, or digital certificates—the secrets used to authenticate access and rights-of-use must remain secure. The open nature and convenience of Git repositories are often encumbered by human error. Lack of education on security best practices, inattention to details, or just plain nonchalance are leading to secrets (keys) exposure on a scale that we have never seen.
At the moment, hundreds of thousands of secrets have been known to have been leaked on public Git repositories, including over 2m secrets of corporations in 2020 alone. Bad actors are consistently using Git scanning technologies in an effort to extract secrets from the public and badly configured Git repositories, which may contain useful information to exploit.
As awareness of this issue grows, new tools and technologies are emerging to provide additional security layers through the software development life cycle. Here are nine Git secret scanning tools to consider.
An open-source static analysis command-line tool released under the MIT license. The gitLeaks tool is used to detect hard-coded secrets like passwords, API keys, and tokens in local and GitHub repositories (private and public)
- Open-source project that is free to use and actively developed with more than 50 contributors
- Includes integration, audit, and cloning features that are not available in most open-source projects
- No user interface and limited integration options
- Mostly only suitable for security professionals, researchers, or niche development projects
An open-source command-line tool used to scan developer commits and “–no-ff” merges to prevent secrets from accidentally entering Git repositories.
- Ability to integrate into the CI/CD pipeline to monitor commits in real-time
- Unique security-centric feature includes support for a “Secret Providers” feature that can prevent secrets from ever showing up in a commit
- Scans often result in false-positives
- Project no longer maintained on a regular basis and may not be suitable for use in a professional development environment
An open-source static code analysis tool designed to search for hardcoded credentials and dangerous functions. It can run as a command-line tool or integrated into your CI/CD pipeline.
- Supports a wide range of secret detection formats, covering passwords, AWS keys, API tokens, sensitive files, dangerous functions, and more
- Includes a plug-in system that can be used to further extend its scanning capabilities to new file formats
- Does not perform deep scans on actual code, mostly focusing on structured text files
- Scanning rules are based on a limited combination of regular expressions, Base64 and ASCII detection
GitHub Secret Scanning
This tool makes available its own integrated secret scanning solution, capable of detecting popular API Key and Token structures.
- Easy to visualize the scanning, configuration, and integration process
- Extensive API Key and Token string structure support for many of the web’s popular services are included with the service, offering a strong starting base to any security evaluation
- Secret scanning for private repositories is currently in beta
- The service as a whole mostly targets known string structures such as API Keys and Tokens while ignoring other secrets such as database passwords, email addresses, administrative URLs, etc.
A straightforward tool capable of scanning and cloning repositories. It attempts to discover usernames, passwords, and emails that should not be included in code or configuration files.
- A simple tool that can be used to quickly scan repositories for obvious secrets
- Lacks the features and flexibility required by commercial development teams
A comprehensive open-source security audit tool. Scan provides strong integration with popular repositories and pipelines and supports a broad section of popular frameworks and languages, integrates into the CI/CD pipeline to provide real-time commit protection, and provides extensive reporting capabilities.
- Well-maintained open-source nature
- Possibly one of the most powerful and flexible DevSecOps tools you can get for free
- Sparse user interface and complex setup limits best results from the feature set
- Interesting concept that tries to enhance secret scanning results by not relying on a single algorithm
- Relies on basic algorithms
- The project is no longer actively maintained
An actively maintained open-source project designed with the enterprise client in mind. It was created to prevent new secrets from entering the code base, detect if preventions are explicitly bypassed, and provide a checklist of secrets to maintain in a secure storage.
- Avoids the overhead of scanning through entire Git histories
- Avoids the need to scan the entire repository every single time
- Excellent plugin support, with 18 different plugins currently available.
- The pre-commit hook implements only basic heuristics to try and prevent obvious secrets from being committed
- If secrets are split across multiple lines or do not include enough entropy, they may not be detected in real-time
This commercial tool by an Israeli startup now acquired by Check Point, offers some of the most comprehensive secret scanning solutions, integrating into every facet of the build process, with simple integration options that can be enhanced using plugins and hooks.
- Intuitive user interface, making it suitable for corporate management
- As more data is processed by the system the AI and ML algorithms can increase detection rates and reduce false positives over time
- Spectral is designed for a development team collaborating on a large codebase. It is not suitable for small projects or single developers
So there you have it. It is hard to understate the importance of secret leakage prevention. A misplaced/exposed key or database password could become an instant crisis as malicious actors are constantly using Git scanning engines to extract secrets from public and/or badly configured Git repositories.
It is therefore an absolute mandate in every firm’s software development pipeline/workflow to review and implement secrets scanning solutions.