Scan Code for Hard-Coded Secrets
Description
Hard-coded secrets can be exploited by attackers to gain unauthorized access to password-protected assets. Jit integrates secret detection into CI/CD via a scanner that automatically runs a full scan of your repositories after activation. Scans are also initiated for every subsequent pull request.
| Stack layer | Security domain | Security tool initiated by this item |
|---|---|---|
| Application Security | Secret detection | Gitleaks, TruffleHog |
By default, Jit scans for secrets using Gitleaks. Alternatively, you can enable TruffleHog by appending the following snippet to the bottom of the jit-plan.yml located in your organization's centralized repository (typically the .jit repository).
```yaml
override:
  workflows:
    secret-detection:
      jobs:
        secret-detection:
          enabled: false
        secret-detection-trufflehog:
          enabled: true
```
To scan only for verified secrets, use this extended snippet instead:
```yaml
override:
  workflows:
    secret-detection:
      jobs:
        secret-detection:
          enabled: false
        secret-detection-trufflehog:
          enabled: true
          steps:
            - name: Run Trufflehog
              uses: registry.jit.io/control-trufflehog-alpine:latest
              with:
                args: filesystem ${WORK_DIR:-.} --json --only-verified
              env:
                SECURITY_CONTROL_OUTPUT_FILE: /tmp/final-findings.json
```
Additional information
- By default, TruffleHog creates findings for all detected secrets and tags them with `Verified` or `Unverified`. If you use the `--only-verified` flag, TruffleHog will not create findings for unverified secrets.
- You can entirely disable secret verification in TruffleHog using the `--no-verification` flag.
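As an added example (not part of Jit's documentation or TruffleHog's own code), the Python script below triages TruffleHog `--json` output the way the `Verified`/`Unverified` tags and the `--only-verified` flag described above suggest: it optionally drops unverified findings and redacts the raw value before anything is reported. The field names (`SourceMetadata`, `DetectorName`, `Verified`, `Raw`) follow the TruffleHog v3 JSON shape as assumed here, and the sample output, including the fake secrets, is constructed.

```python
from __future__ import annotations
import json

# Constructed sample of TruffleHog `--json` output (one JSON object per line).
# Field names follow the TruffleHog v3 JSON shape as assumed here; values are fake.
SAMPLE_OUTPUT = """\
{"SourceMetadata":{"Data":{"Filesystem":{"file":"config/settings.py","line":12}}},"DetectorName":"AWS","Verified":true,"Raw":"AKIAFAKEEXAMPLEKEY01"}
{"SourceMetadata":{"Data":{"Filesystem":{"file":"tests/fixtures.py","line":3}}},"DetectorName":"Slack","Verified":false,"Raw":"xoxb-000000-fake-token"}
2024-01-01T00:00:00Z info trufflehog finished scanning
{"SourceMetadata":{"Data":{"Filesystem":{"file":".env.example","line":1}}},"DetectorName":"Generic","Verified":false,"Raw":"changeme"}
"""

def parse_findings(raw: str) -> list[dict]:
    """Parse newline-delimited JSON, skipping the plain log lines mixed into the stream."""
    findings = []
    for line in raw.splitlines():
        line = line.strip()
        if line.startswith("{"):
            findings.append(json.loads(line))
    return findings

def redact(secret: str, keep: int = 4) -> str:
    """Keep only a short prefix so a report can be shared without re-leaking the value."""
    if len(secret) <= keep:
        return "*" * len(secret)
    return secret[:keep] + "*" * (len(secret) - keep)

def triage(findings: list[dict], only_verified: bool) -> list[dict]:
    """Mirror the --only-verified behaviour: drop unverified findings when requested."""
    rows = []
    for f in findings:
        verified = bool(f.get("Verified"))
        if only_verified and not verified:
            continue
        loc = f.get("SourceMetadata", {}).get("Data", {}).get("Filesystem", {})
        rows.append({
            "detector": f.get("DetectorName"),
            "file": loc.get("file"),
            "line": loc.get("line"),
            "status": "Verified" if verified else "Unverified",
            "secret": redact(f.get("Raw", "")),
        })
    return rows

def summarize(raw: str, only_verified: bool = False) -> dict:
    """Counts plus redacted rows, in the shape a PR comment or ticket would need."""
    rows = triage(parse_findings(raw), only_verified)
    verified = sum(r["status"] == "Verified" for r in rows)
    return {"total": len(rows), "verified": verified, "unverified": len(rows) - verified, "rows": rows}
```

Run `summarize(SAMPLE_OUTPUT)` to see all three findings tagged, and `summarize(SAMPLE_OUTPUT, only_verified=True)` to see only the verified AWS finding survive, which is what the `--only-verified` flag does at scan time.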