Scan Code for Hard-Coded Secrets

Description

Hard-coded secrets can be exploited by attackers to gain unauthorized access to password-protected assets. Jit integrates secret detection into CI/CD via a scanner that automatically runs a full scan of your repositories after activation; scans are also initiated for every subsequent pull request.

Stack layer: Application Security
Security domain: Secret detection
Security tool initiated by this item: Gitleaks, TruffleHog

By default, Jit scans for secrets using Gitleaks. Alternatively, you can enable TruffleHog by appending the following snippet to the bottom of your jit-plan.yml, located in your organization's centralized repository (typically the .jit repository).

override:
  workflows:
    secret-detection:
      jobs:
        secret-detection:
          enabled: false
        secret-detection-trufflehog:
          enabled: true

To scan only for verified secrets, use this extended snippet:

override:
  workflows:
    secret-detection:
      jobs:
        secret-detection:
          enabled: false
        secret-detection-trufflehog:
          enabled: true
          steps:
            - name: Run Trufflehog
              uses: registry.jit.io/control-trufflehog-alpine:latest
              with:
                args: filesystem ${WORK_DIR:-.} --json --only-verified
                env:
                  SECURITY_CONTROL_OUTPUT_FILE: /tmp/final-findings.json

Additional information

  • By default, TruffleHog creates findings for all detected secrets and tags them with Verified or Unverified. If you use the --only-verified flag, TruffleHog will not create findings for unverified secrets.
  • You can entirely disable secret verification in TruffleHog using the --no-verification flag.
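As an added example (not Jit's or TruffleHog's own code), the following Python script shows what the Verified/Unverified tagging and the --only-verified switch mean in practice: it reads TruffleHog --json output (one JSON object per line), filters it the way --only-verified would, redacts the raw secret values, and produces a summary that could be written to the file named by SECURITY_CONTROL_OUTPUT_FILE. The field names used (Verified, DetectorName, Raw, SourceMetadata.Data.Filesystem) are assumed to follow TruffleHog v3's JSON output; the sample lines are constructed and contain no real credentials.

```python
import json
import os
from typing import Iterable

# Constructed sample of TruffleHog `--json` output: one JSON object per line.
# Field names follow TruffleHog v3's JSON schema (assumption); all values are made up.
SAMPLE_OUTPUT = """\
{"SourceMetadata":{"Data":{"Filesystem":{"file":"config/settings.py","line":12}}},"DetectorName":"AWS","Verified":true,"Raw":"AKIAEXAMPLEEXAMPLE01"}
{"SourceMetadata":{"Data":{"Filesystem":{"file":"scripts/deploy.sh","line":3}}},"DetectorName":"Slack","Verified":false,"Raw":"xoxb-000-constructed"}
{"SourceMetadata":{"Data":{"Filesystem":{"file":"README.md","line":40}}},"DetectorName":"Generic","Verified":false,"Raw":"not-a-real-token"}
"""


def parse_findings(text: str) -> list[dict]:
    """Parse newline-delimited JSON findings; blank lines are ignored."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            findings.append(json.loads(line))
    return findings


def filter_verified(findings: Iterable[dict], only_verified: bool) -> list[dict]:
    """Mirror the --only-verified switch: keep only findings whose Verified flag is true."""
    if not only_verified:
        return list(findings)
    return [f for f in findings if f.get("Verified") is True]


def redact(raw: str, keep: int = 4) -> str:
    """Keep a short prefix so a reviewer can recognise the secret type, mask the rest."""
    if len(raw) <= keep:
        return "*" * len(raw)
    return raw[:keep] + "*" * (len(raw) - keep)


def location(finding: dict) -> str:
    """Render file:line from the filesystem source metadata (assumed structure)."""
    fs = finding.get("SourceMetadata", {}).get("Data", {}).get("Filesystem", {})
    return f"{fs.get('file', '?')}:{fs.get('line', '?')}"


def summarize(findings: Iterable[dict]) -> list[dict]:
    """Build a redacted summary row per finding, tagged Verified or Unverified."""
    return [
        {
            "detector": f.get("DetectorName", "unknown"),
            "location": location(f),
            "status": "Verified" if f.get("Verified") else "Unverified",
            "secret": redact(f.get("Raw", "")),
        }
        for f in findings
    ]


def write_report(rows: list[dict], path: str) -> int:
    """Write the summary as JSON to the control output file; returns the row count."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(rows, fh, indent=2)
    return len(rows)


if __name__ == "__main__":
    # Default path matches the SECURITY_CONTROL_OUTPUT_FILE value used in the snippet above.
    out_path = os.environ.get("SECURITY_CONTROL_OUTPUT_FILE", "/tmp/final-findings.json")
    all_findings = parse_findings(SAMPLE_OUTPUT)
    verified_only = filter_verified(all_findings, only_verified=True)
    print(f"{len(all_findings)} findings total, {len(verified_only)} verified")
    print(json.dumps(summarize(verified_only), indent=2))
```

Run against a real scan by replacing SAMPLE_OUTPUT with the captured stdout of `trufflehog filesystem . --json`; with `--only-verified` passed to TruffleHog itself, the unverified rows never reach the output and the filter becomes a no-op.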