In this 13 page cheat sheet we'll cover best practices in the following areas of the CI/CD pipeline: Infrastructure security, code security, secrets management, access and authentication, monitoring and response.
Secrets detection is the process of identifying and managing sensitive information like API keys, passwords, and tokens within codebases to prevent unauthorized access and data breaches.
Secrets detection is the process of identifying and managing sensitive information like API keys, passwords, and tokens within codebases to prevent unauthorized access and data breaches.
Every time a developer pushes code to GitHub or GitLab, there's a lurking danger: hard-coded secrets. Whether it's an API key, a password, or an access token, these hidden vulnerabilities can slip into repositories, leaving you exposed. It's not just in the code; secrets can hide in configuration files or even within cloud environments like AWS, Azure, or GCP. One accidental commit, and you're handing over the keys to your kingdom.
As developers, we're dealing with sensitive information every day, and with cloud-native apps running the show, the margin for error has shrunk. The question isn't whether secrets will end up in your codebase but how quickly you'll detect them before they're exploited.
In this article, we'll walk you through the most common types of secrets that can slip through the cracks, the risks you're taking by ignoring them, and how the right detection tools can save you from a catastrophic breach. We'll also show you how to weave secrets detection into every workflow phase—from initial development to deployment—so you can focus on building software without leaving your security to chance.
We often deal with a variety of secrets in our day-to-day development work. Here's a breakdown of the most common types, which can be used as a checklist for scanning:
API keys: To access third-party services, you need API keys. If exposed, they could allow unauthorized users to interact with external services, potentially leading to privilege escalation or data loss.
Database credentials: The backbone of any secure system, database credentials can lead to data theft or even system-wide breaches if compromised.
Encryption keys: If encryption keys are exposed, the privacy and integrity of encrypted data could be compromised, allowing attackers to decrypt and steal data.
Access tokens: Because these are used to authenticate users and services, exposed tokens may enable attackers to pose as valid users, granting them unauthorized access.
Passwords: Hard-coded passwords in code or config files are common but disastrous, exposing entire systems to external threats. Remember: Even automated system passwords must be secured.
Exposing secrets in our codebases can lead to severe repercussions, ranging from data breaches to financial losses and reputational damage. The cost of incident response, combined with potential legal penalties, can devastate an organization. In addition to the direct financial consequences, leaked credentials can undermine customer trust and damage long-term brand loyalty.
Some notable incidents highlight the consequences of exposing secrets:
Uber data breach (2016): Uber suffered a breach when attackers accessed one of its private repositories on GitHub, ultimately finding AWS credentials that allowed them to steal data on 57 million riders and drivers. The company faced significant fines due to their failure to disclose the breach promptly and for paying a ransom to conceal it.
Toyota GitHub leak (2022): Toyota accidentally exposed a secret key publicly on GitHub for five years, which could have allowed unauthorized access to critical services like remote engine starting. This incident is a cautionary tale of how long-term exposure can go unnoticed, leading to significant vulnerabilities.
The process of secrets scanning typically begins with an initial scan of codebases. This scan identifies existing hard-coded secrets and other sensitive information. After the initial scan, continuous scanning (especially within CI/CD pipelines) is critical for catching new secrets before they make it to production.
Secrets detection tools leverage a combination of pattern matching, regular expressions, and machine learning to detect potential secrets within codebases. Pattern matching allows these tools to identify common secrets formats like API keys or access tokens based on predefined patterns. However, advanced tools also employ machine learning to catch potential secrets that don't conform to standard patterns—offering greater accuracy in detecting secrets leaks with minimum false positives.
Alerting and reporting are crucial components of any detection tool. Real-time alerts help you respond to potential issues as they arise, providing actionable insights for remediation. Without practical steps for mitigation, secrets detection becomes just another noisy tool.
Integrating secrets detection into a broader security strategy
Now that we've covered the essentials of secrets detection, let's explore how you can incorporate these practices into a comprehensive security strategy, ensuring that your code, configurations, and cloud services stay secure at every stage of development and deployment.
Development phase: Source code repositories
During development, secrets are often hardcoded into the project’s Git repository. Tools like pre-commit hooks can scan repositories like GitHub or GitLab, identifying secrets in code before they make it into version control. By integrating scanning at this stage, you can prevent both public and private repositories from becoming a source of vulnerabilities.
Deployment phase
In the deployment phase, leaving sensitive information in configuration files is a common threat vector. That’s why secrets detection tools should be configured to scan both files and environment variables to ensure no secrets are exposed during this stage.
CI/CD pipelines are another critical area where secrets are often leaked. Best practices like using secrets management tools and securely handling environment variables can prevent leaks during automated builds and deployments.
Post-deployment: Cloud environments
Once deployed, secrets must be carefully managed within cloud environments (AWS, Azure, GCP, etc.). Scanning tools should continuously monitor cloud infrastructure, detecting exposed secrets and ensuring proper access control. Tools like Wiz excel at securing secrets across cloud environments. For example, the Wiz platform can detect misconfigurations in cloud infrastructure and prevent secrets from being exposed before they lead to security incidents.
A holistic approach to security
Secrets detection is a critical piece of a larger security puzzle. By integrating secrets detection tools into a broader security strategy, we can reduce the risk of lateral movement within compromised systems. Combining secrets detection with other security tools like cloud security posture management (CSPM) and cloud infrastructure entitlement management (CIEM) ensures that secrets are protected throughout the entire development lifecycle.
Top secrets detection tools
In this section, we'll explore the top tools available for secrets detection, highlighting their key features and how they fit into different development workflows so you can choose the best solution for your project's security needs.
Wiz
Wiz is an all-in-one cloud security platform designed to protect not just secrets but also to detect misconfigurations and potential vulnerabilities within cloud environments.
Wiz’s secrets detection capabilities span the entire software development lifecycle, ensuring that sensitive information, like API keys, passwords, and tokens, is not exposed at any stage — from the initial code commit to the cloud deployment.
By leveraging Wiz Code and Wiz Cloud, Wiz ensures comprehensive protection of secrets across your entire environment. It offers deep integration across cloud infrastructures, making it ideal for enterprises looking for an end-to-end security solution.
Key features
Code Scanning: Wiz Code scans source code repositories and CI/CD pipelines to detect hardcoded secrets, such as API keys, passwords, and access tokens, before they reach production environments.
Cloud Environment Scanning: The platform also scans cloud resources, including virtual machines, containers, and serverless functions, to identify secrets that may have been inadvertently deployed.
Data Storage Scanning: Wiz extends its secret detection capabilities to various data storage locations, including cloud storage buckets and databases.
Security Graph Integration: Detected secrets are incorporated into Wiz's Security Graph, allowing for context-aware risk assessment and attack path analysis.
Code-to-Cloud Mapping: Wiz correlates secrets found in code with those detected in cloud environments, providing a complete picture of secret exposure throughout the development lifecycle.
GitGuardian
GitGuardian specializes in detecting secrets within code repositories, both public and private. Its core focus is helping developers and enterprises prevent secrets from leaking into places like GitHub, where they could be exploited by attackers.
Key features
Automatic scanning of public and private repositories
Detailed reporting and alerting mechanisms
Integration with CI/CD pipelines and developer tools
Enterprise-grade management dashboards for team-based collaboration
Spectral
Spectral is an AI-powered secrets detection tool that integrates directly into DevOps pipelines. Its primary focus is developer-first security, ensuring that secrets are caught before they are committed to the codebase.
Key features
AI-powered detection for enhanced pattern recognition
Seamless integration with CI/CD pipelines
Fast scans with low overhead, designed for developer productivity
Comprehensive support for multiple programming languages and environments
Gitleaks
Gitleaks is an open-source tool designed to scan Git repositories for hard-coded secrets. It's lightweight, simple to use, and ideal for smaller teams or individual developers looking for a basic but effective detection tool.
Key features
Scans local and remote Git repositories for secrets
Configurable with custom rules for detecting custom secrets
Easy setup and minimal system requirements
Support for scanning private repositories
Conclusion
In today's cloud-native world, protecting secrets is no longer optional—it's a critical element of modern cybersecurity. From API keys to access tokens, secrets detection should be a part of every developer's workflow. It’s essential to integrate secrets detection tools into a broader security strategy, ensuring they work hand-in-hand with other security measures like CSPM and CIEM.
If you're looking for a comprehensive solution that prioritizes your secrets detection needs, Wiz offers an advanced platform that integrates seamlessly into your existing infrastructure. Explore a demo of Wiz today and see how easy it is to protect your sensitive information and secure your cloud environments!
Fix and Find Exposed Secrets
Learn why CISOs at the fastest growing companies rely on Wiz to prevent risks from reaching production.
A data risk assessment is a full evaluation of the risks that an organization’s data poses. The process involves identifying, classifying, and triaging threats, vulnerabilities, and risks associated with all your data.
In this guide, we’ll break down why AI governance has become so crucial for organizations, highlight the key principles and regulations shaping this space, and provide actionable steps for building your own governance framework.
This article outlines guidelines and best practices for weaving security into every part of your development and DevOps workflows, focusing on practical techniques that are easy to adopt.
In this post, we’ll bring you up to speed on why the EU put this law in place, what it involves, and what you need to know as an AI developer or vendor, including best practices to simplify compliance.
Application security refers to the practice of identifying, mitigating, and protecting applications from vulnerabilities and threats throughout their lifecycle, including design, development, deployment, and maintenance.