Prevent secret leaks: Find and secure secrets across your repositories and pipelines

Developers use secrets to enable their applications to securely communicate with other services. Hardcoding credentials (like usernames and passwords) simplifies development and saves time. Unfortunately, version control systems (VCS) like GitHub are not designed to protect credentials, which creates exposures that can be exploited. This often happens when developers accidentally leave secrets in the source code: once committed, the secret is saved in the repository history and accessible to anyone who has access to the repo, even after it is removed from the current version of the file. If the repo is made public, threat actors can easily find and use the secrets in their attack path.

It’s not enough to detect common secrets at runtime. Effective secrets security requires detection across hundreds of possibilities (text keys, access tokens, API keys, certificates, passwords, database connection strings, etc.) embedded into existing developer workflows.

That’s why we’re excited to announce the expansion of our secrets security capabilities. Bridgecrew and Prisma Cloud now bring together multiple novel techniques that provide unrivaled visibility and control of secrets for cloud developers:

  • Precise detection of complex strings
  • Custom secrets policies
  • Native developer feedback
  • Risk factor context for faster remediation

Precise detection of complex strings

Not all secrets are consistent or follow commonly identifiable patterns (access tokens, API keys, encryption keys, OAuth tokens, certificates, etc.). While Bridgecrew has a library of over 100 signatures to detect and alert on the wide array of secrets with known, predictable expressions, random strings like usernames and passwords must also be identified.

Signature-based methods can’t detect random strings. For this reason, we augmented our comprehensive signature library with a fine-tuned entropy model that alerts on exposed passwords and other random identifiers. Furthermore, unlike traditional entropy techniques, which generate many false positives, the platform leverages the context around the string to precisely identify more complex secret types and significantly reduce false positives.

Bridgecrew leverages the context around the string to precisely identify more complex secret types and significantly reduce false positives.

Custom secrets policies

Enterprises may utilize a custom syntax, or at least specific characteristics, to consistently define secrets across the organization. For this reason, Bridgecrew’s secrets security allows users to easily define custom strings to alert on exposed or at-risk secrets. This customization feature minimizes potential false positive alerts and streamlines detection.

Native developer feedback

Developers have numerous ways to understand the risks associated with secrets that are exposed or vulnerable:

  1. IDE, CI/CD, VCS
    Robust coverage across numerous development workflows delivers risk insights wherever developers build and compile their code.
  2. Projects
    Native integrations in dev workflows seamlessly surface detected secrets in the non-compliant file.
  3. Supply chain
    The Supply Chain Graph displays the source code file nodes. A detailed investigation into the dependency tree helps developers identify the root cause of secret exposure.
  4. Pull request comments
    Users can spot potentially leaked secrets as part of their pull request scans, so they can be removed before the change is merged.
  5. Pre-Commit hooks and CI integrations
    Leverage the pre-commit hook to block commits that contain secrets before they reach a repository, well before a pull request is opened.
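As an added example (not Bridgecrew’s code, and not a description of its implementation), the following Python script sketches the layered approach described above and under "Custom secrets policies": a signature library, a custom-policy rule, and an entropy check gated on the surrounding assignment context, wired so the same scanner can run as the pre-commit hook from item 5. The AKIA prefix is the real AWS access key ID format; the acme_ token syntax, the name lists, the 3.5 bits/char threshold and the sample file are constructed for this example.

```python
import math
import re
import subprocess
import sys

# Signature library: known, predictable token formats (AWS access key IDs begin with AKIA).
SIGNATURES = {"aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b")}
# Custom policy: an organisation-specific token syntax (the "acme_" format is made up here).
CUSTOM_POLICIES = {"acme-internal-token": re.compile(r"\bacme_[a-z]{3}_[A-Za-z0-9]{24}\b")}
# Context rules: a random-looking literal counts only when assigned to a credential-like name,
# and never when the name marks it as a hash or checksum (the classic entropy false positive).
SECRET_NAMES = re.compile(r"(?i)(passw(or)?d|secret|token|api[_-]?key|credential)\w*\s*[:=]")
BENIGN_NAMES = re.compile(r"(?i)(sha\d+|checksum|digest|uuid|etag|integrity)\s*[:=]")
ASSIGNED_LITERAL = re.compile(r"""["']([^"'\s]{12,})["']""")

# Constructed sample "source file"; every value below is made up for the example.
SAMPLE = """\
aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"
db_password = "Tr0ub4dor&3xQ9zLm2pW"
ci_token = "acme_prd_9fK3mZx2Qw7LpR8sT1vB4nY6"
token_digest = "3a7bd3e2360a3d29eea436fcfb7e44c735d117c42d1c1835420b6b9942dd4f1b"
"""

def shannon_entropy(s):  # bits per character; 0.0 for the empty string
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s)) if s else 0.0

def scan_line(line):
    """Findings for one line as [(rule, value)]: signatures and custom policies first, then the
    context-gated entropy check for random strings that no signature can describe."""
    findings = [(name, m.group(0)) for name, rx in {**SIGNATURES, **CUSTOM_POLICIES}.items()
                for m in rx.finditer(line)]
    if findings or BENIGN_NAMES.search(line) or not SECRET_NAMES.search(line):
        return findings
    return [("high-entropy-credential", m.group(1)) for m in ASSIGNED_LITERAL.finditer(line)
            if shannon_entropy(m.group(1)) >= 3.5]  # threshold is a tuning constant for this example

def scan_text(text):  # whole file body -> [(line_no, rule, value)]
    return [(n, r, v) for n, ln in enumerate(text.splitlines(), 1) for r, v in scan_line(ln)]

def scan_staged():
    """Pre-commit hook mode: scan the staged (index) copy of every added, copied or modified file."""
    def git(*args):
        return subprocess.run(["git", *args], capture_output=True, text=True, check=True).stdout
    paths = git("diff", "--cached", "--name-only", "--diff-filter=ACM").split()
    return [(p, *f) for p in paths for f in scan_text(git("show", f":{p}"))]

if __name__ == "__main__":  # hook usage: run with --staged from .git/hooks/pre-commit
    hits = scan_staged() if "--staged" in sys.argv else [("SAMPLE", *f) for f in scan_text(SAMPLE)]
    for path, n, rule, val in hits:
        print(f"{path}:{n}: {rule} ({val[:4]}...)")  # show only a prefix, never the full secret
    sys.exit(1 if hits else 0)  # a non-zero exit from a pre-commit hook aborts the commit
```

Run without arguments it scans the embedded sample and reports three findings while leaving the digest line alone; installed as a pre-commit hook and invoked with --staged, it exits non-zero and blocks the commit whenever a finding appears in staged content.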

Exposed secrets identified by Bridgecrew are surfaced in GitLab.

Risk factor context for prioritization and faster remediation

Alerts with context are the most actionable. For this reason, Bridgecrew uses three parameters when analyzing how vulnerable an at-risk secret is:

  1. The last Git user who modified the file that triggered the potential secret exposure: this identifies who is responsible for fixing the issue and who will be impacted if the secret key is rotated.
  2. Timeline of error date(s) to better understand how long the risk has been exposed and prioritize accordingly.
  3. Whether the repository storing the file is private or public (can be accessed directly from the internet). Publicly exposed secrets are extremely consequential because they can be easily leveraged and exploited in minutes, whereas exposed secrets in a private repository are much less severe.

Users can easily investigate alert details using the in-product search to drill into specific alert properties.

Bridgecrew’s secrets security can be natively integrated across the code, build, deploy, and runtime phases of the application lifecycle. With single-click activation that expands coverage across the supply chain and a powerful multidimensional approach that combines both a signature-based policy library and a fine-tuned entropy model, exposed and vulnerable secrets are swiftly identified in IaC templates, golden images, and Git repositories, as well as in running environments. With coverage for all file types, only Bridgecrew offers the depth and breadth required to effectively secure secrets.

To learn more about Prisma Cloud’s innovative approach to secrets security, join us for our upcoming Product Deep Dive webinar on January 17th.