Secrets Detection
Key things to know about Jit Secrets Detection
- Brief description: Scan your codebase for hardcoded secrets like cloud tokens, API keys, and passwords.
- Scanning process: Scanning takes place periodically across your entire codebase (or selected repositories), and during every code change introduced by your developers.
- How to get started: Jit Secrets Detection is automatically activated when you onboard Jit, which scans your selected repos/projects and records security findings in the Backlog page, while implementing continuous scanning for every code change in GitHub, GitLab, or your IDE.
- Based on GitLeaks and Trufflehog: Jit unifies and enhances the leading open source scanners for all product security scanning technologies. For Secrets Detection, we provide the option to use GitLeaks or Trufflehog — automatically orchestrating these scanners so you don't have to configure or run them yourself.
- Test Jit Secrets Detection: Test Jit Secrets Detection by creating a pull request in GitHub or merge request in GitLab with this deliberately insecure code snippet. Jit provides security feedback before the code is merged.
- Language agnostic: Jit Secrets Detection can detect hardcoded secrets in any programming language.
User Experience
UX for Security Teams
Security Teams can view hardcoded secrets across the entire codebase — unified alongside all other product security issues.
Prioritizing the riskiest hardcoded secrets
- Go to the Jit "Backlog"; create a "Vulnerability Type" filter for "Secrets".
- In many environments, there can be thousands of hardcoded secrets. Rather than manually trying to determine which vulnerabilities introduce the most risk, Jit assigns each issue a Priority Score based on the issue's runtime context — making it easy to focus on the top risks.
- Learn more about Jit's contextual prioritization on the Context Engine page.
Investigating, triaging, and remediating hardcoded secrets
Open up a hardcoded secret in order to:
- See helpful information like its location, resources to learn about the issue, and its Knowledge Graph, which shows the runtime context of the issue.
- Create a ticket through Jira, Slack, Linear and other notification endpoints (see ticketing and triage information here). Or, you can open a fix PR to patch the security issue with an updated OSS version.
- Create a fix PR from within Jit to address the issue immediately.
UX for developers
Developers never need to leave their coding environment to identify and resolve hardcoded secrets in their code.
- When Secrets Detection is enabled for a given GitHub repository or GitLab project, it will automatically scan every code change and provide immediate code security feedback within the developer environment.
- The issue can be resolved without having to create a new Pull Request.
Orchestrate Gitleaks or Trufflehog
By default, Jit scans for secrets using Gitleaks. Alternatively, you can enable TruffleHog by appending the following snippet to the bottom of your jit-plan.yml located in your organization's centralized repository (typically that would be .jit repository).
override:
workflows:
secret-detection:
jobs:
secret-detection:
enabled: false
secret-detection-trufflehog:
enabled: true
In order to only scan for verified secrets, use this extended snippet:
override:
workflows:
secret-detection:
jobs:
secret-detection:
enabled: false
secret-detection-trufflehog:
enabled: true
steps:
- name: Run Trufflehog
uses: registry.jit.io/control-trufflehog-alpine:latest
with:
args: filesystem ${WORK_DIR:-.} --json --only-verified
env:
SECURITY_CONTROL_OUTPUT_FILE: /tmp/final-findings.json
Additional information
- By default, TruffleHog creates findings for all detected secrets and tags them with
VerifiedorUnverified. If you use the--only-verifiedflag, Trufflehog will not create findings for unverified secrets.- You can entirely disable secret verification in Trufflehog using the
--no-verificationflag.
Updated 5 months ago