Credential scanning is the practice of automatically inspecting a project to ensure that no secrets are included in the project's source code. Secrets include database passwords, storage connection strings, admin logins, service principals, etc.
Including secrets in a project's source code is a significant risk, as it can make those secrets available to unwanted parties. Even if the source code currently seems to be accessible only to the same people who are privy to the secrets, this situation is likely to change as the project grows. Spreading secrets across different places makes them harder to manage, access-control, and revoke efficiently. Secrets that are committed to source control are also harder to discard, since they persist in the repository's history even after they are removed from the current revision; a secret that has ever been committed should therefore be treated as exposed and rotated, not merely deleted.
Another consideration is that coupling the project's code to its infrastructure and deployment specifics is limiting and considered a bad practice. From a software design perspective, the code should be independent of the runtime configuration that will be used to run it, and that runtime configuration includes secrets.
As such, there should be a clear boundary between code and secrets: secrets should be managed outside of the source code, and credential scanning should be employed to ensure that this boundary is never violated.
Ideally, credential scanning should run as part of a developer's workflow (e.g. via a git pre-commit hook). However, to protect against developer error, credential scanning must also be enforced as part of the continuous integration process, so that no credentials ever get merged into a project's main branch. To implement credential scanning for a project, consider the following:
- Store secrets in an external secure store that is meant to store sensitive information
- Use secrets scanning tools to assess your repository's current state by scanning its full history for secrets
- Incorporate an automated secrets scanning tool into your CI pipeline to detect unintentional committing of secrets
- Avoid blanket `git add .` commands; stage files deliberately so that local configuration and key files are not picked up by accident
- Add sensitive files to .gitignore
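The following is an added illustration of how a credential scanner of the kind described above works; it is not code from this page or from detect-secrets. It combines the two strategies most scanners use, fixed patterns for known secret formats and a Shannon-entropy check for random-looking tokens, and exits non-zero when anything is found, which is what makes it usable both as a git pre-commit hook (no arguments: it inspects the staged files) and as a CI step (pass explicit paths, e.g. the output of `git ls-files`). The pattern set, the entropy threshold and the `Finding` structure are assumptions of this example; the `# pragma: allowlist secret` marker mirrors the convention detect-secrets uses for reviewed exceptions.

```python
"""Minimal pre-commit / CI secret scanner (added illustration, not detect-secrets)."""
import math
import re
import subprocess
import sys
from dataclasses import dataclass

# Illustrative pattern set (an assumption of this example; real tools ship many more).
PATTERNS = {
    "azure_storage_connection_string": re.compile(r"AccountKey=[A-Za-z0-9+/=]{20,}"),
    "password_assignment": re.compile(
        r"(?i)(password|passwd|pwd)\s*[=:]\s*['\"][^'\"]{8,}['\"]"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}
# Candidate tokens for the entropy check: long runs of base64 / identifier characters.
ENTROPY_TOKEN = re.compile(r"[A-Za-z0-9+/=_\-]{20,}")
ENTROPY_THRESHOLD = 4.0  # bits per character; a tuning choice for this example, not a standard
# Inline allow-list marker; the same marker detect-secrets honours.
ALLOWLIST_MARKER = "# pragma: allowlist secret"


@dataclass
class Finding:
    path: str
    line_no: int
    kind: str
    snippet: str


def shannon_entropy(token: str) -> float:
    """Bits of entropy per character; equals log2(len(token)) when every char is distinct."""
    if not token:
        return 0.0
    counts = {}
    for ch in token:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(token)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(path: str, text: str) -> list:
    """Return Findings for suspicious lines; pattern hits take priority over the entropy check."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if ALLOWLIST_MARKER in line:
            continue  # reviewed and explicitly accepted (e.g. a documented test fixture)
        hit = False
        for kind, pattern in PATTERNS.items():
            if pattern.search(line):
                findings.append(Finding(path, line_no, kind, line.strip()[:80]))
                hit = True
        if hit:
            continue
        for token in ENTROPY_TOKEN.findall(line):
            if shannon_entropy(token) >= ENTROPY_THRESHOLD:
                findings.append(Finding(path, line_no, "high_entropy_string", token[:80]))
                break  # one entropy finding per line is enough to block the commit
    return findings


def staged_files() -> list:
    """Files added/copied/modified in the index: what a pre-commit hook should inspect."""
    out = subprocess.run(
        ["git", "diff", "--cached", "--name-only", "--diff-filter=ACM"],
        capture_output=True, text=True, check=True).stdout
    return [p for p in out.splitlines() if p]


def scan_paths(paths) -> list:
    findings = []
    for path in paths:
        try:
            # errors="ignore" drops undecodable bytes so binary files do not abort the scan
            with open(path, encoding="utf-8", errors="ignore") as fh:
                findings.extend(scan_text(path, fh.read()))
        except OSError:
            continue  # deleted or unreadable path
    return findings


def main(argv) -> int:
    # Pre-commit: no arguments -> staged files.  CI: pass explicit paths, e.g. `git ls-files`.
    paths = argv[1:] or staged_files()
    findings = scan_paths(paths)
    for f in findings:
        print(f"{f.path}:{f.line_no}: {f.kind}: {f.snippet}", file=sys.stderr)
    return 1 if findings else 0  # non-zero exit blocks the commit / fails the CI job


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Wiring it in is a matter of calling it from `.git/hooks/pre-commit` (or a pre-commit framework hook) and again from the CI job with the full file list; the hook catches mistakes early, the CI run is the enforcement point the text asks for. The entropy threshold is deliberately the tunable part: too low and long identifiers produce noise, too high and short random keys slip through, which is why real scanners pair entropy with a curated pattern list and an audited baseline of accepted findings.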
Recipes and Scenarios
- detect-secrets is an aptly named module for detecting secrets within a code base.
- Use detect-secrets inside Azure DevOps Pipeline
- Microsoft Security Code Analysis extension
Additional Tools
- CodeQL – GitHub security. CodeQL lets you query code as if it were data: write a query to find all variants of a vulnerability.
- Git-secrets - Prevents you from committing passwords and other sensitive information to a git repository.
Secret management is essential to every project. Storing secrets in an external secrets store and incorporating this mindset into your workflow will improve your security posture and result in cleaner code.