Scan Code for Hard-Coded Secrets
Description
Hard-coded secrets can be exploited by attackers to gain unauthorized access to password-protected assets. Jit integrates the secret detection into CI/CD via a scanner that automatically runs a full scan of your repositories after activation. Scans are also initiated for every subsequent pull request.
Stack layer | Security domain | Security tool initiated by this item |
---|---|---|
Application Security | Secret detection | Gitleaks, TruffleHog |
By default, Jit scans for secrets using Gitleaks. Alternatively, you can enable TruffleHog by appending the following snippet to the bottom of your jit-plan.yml
located in your organization's centralized repository (typically that would be .jit
repository).
override:
workflows:
secret-detection:
jobs:
secret-detection:
enabled: false
secret-detection-trufflehog:
enabled: true
In order to only scan for verified secrets, use this extended snippet:
override:
workflows:
secret-detection:
jobs:
secret-detection:
enabled: false
secret-detection-trufflehog:
enabled: true
steps:
- name: Run Trufflehog
uses: registry.jit.io/control-trufflehog-alpine:latest
with:
args: filesystem ${WORK_DIR:-.} --json --only-verified
env:
SECURITY_CONTROL_OUTPUT_FILE: /tmp/final-findings.json
Additional information
- By default, TruffleHog creates findings for all detected secrets and tags them with
Verified
orUnverified
. If you use the--only-verified
flag, Trufflehog will not create findings for unverified secrets.- You can entirely disable secret verification in Trufflehog using the
--no-verification
flag.
Updated about 1 year ago