Secrets scanning for infrastructure as code and cloud environments
Bridgecrew empowers teams to detect and remove exposed secrets such as passwords, API keys, and tokens from infrastructure-as-code (IaC), cloud workloads, and running cloud environments.
Secrets scanning across the development lifecycle
Detect secrets in build-time
Powered by Checkov, Bridgecrew scans for hardcoded secrets in code pre-commit, in your VCS, and in your CI pipeline.
Detect secrets in runtime
Identify exposed secrets in running workloads and cloud resources with built-in Bridgecrew runtime policies.
Multi-dimensional secrets scanning
Many tools scan in isolation for only one type of secret, which can create unwanted noise from false positives or miss secrets altogether.
Combining detectors to scan for keywords, regular expressions, and high entropy patterns can help detect and pare down thousands of possible secrets to actionable and real risks.
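As an added illustration of this combined approach (example code, not Bridgecrew's or Checkov's own), the scanner below runs a keyword detector, a regex detector and a Shannon-entropy detector over constructed sample lines and reports high confidence only when two independent detectors agree; the keyword list, the AWS-style key pattern and the entropy thresholds are assumptions chosen for the example.

```python
import math
import re

# Constructed sample lines (not from the page), standing in for an IaC file.
SAMPLE_LINES = [
    'aws_access_key_id = "AKIAEXAMPLEEXAMPLE12"',
    'db_password = "hunter2"',
    'api_token = "Zj3kQ9vL2mXp8RtW4yHb7NcF1sGd5aEu"',
    'region = "us-east-1"',
    'build_id = "00000000000000000000000000000000"',
]

# Keyword detector: identifier names that commonly hold credentials (assumed list).
KEYWORD_RE = re.compile(r"password|passwd|secret|token|api[_-]?key|access[_-]?key", re.I)
# Regex detector: an AWS access key ID shaped value, "AKIA" followed by 16 uppercase alphanumerics.
PATTERN_RES = {"aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b")}
# Entropy detector: minimum length and bits-per-character threshold are assumptions for this example.
ENTROPY_MIN_LEN = 20
ENTROPY_THRESHOLD = 3.5
VALUE_RE = re.compile(r'=\s*["\']([^"\']+)["\']')


def shannon_entropy(s: str) -> float:
    """Shannon entropy of s in bits per character (0.0 for an empty string)."""
    if not s:
        return 0.0
    probs = (s.count(c) / len(s) for c in set(s))
    return -sum(p * math.log2(p) for p in probs)


def scan_line(line: str):
    """Run all three detectors on one line; return a finding dict or None."""
    key, _, _ = line.partition("=")
    m = VALUE_RE.search(line)
    value = m.group(1) if m else ""
    hits = []
    if KEYWORD_RE.search(key):
        hits.append("keyword")
    if any(p.search(line) for p in PATTERN_RES.values()):
        hits.append("regex")
    if len(value) >= ENTROPY_MIN_LEN and shannon_entropy(value) >= ENTROPY_THRESHOLD:
        hits.append("entropy")
    if not hits:
        return None
    # One detector alone is noisy; a second, independent detector raises confidence.
    confidence = "high" if len(hits) >= 2 else "low"
    return {"line": line, "detectors": hits, "confidence": confidence}


def scan(lines):
    """Return findings for every line that at least one detector flags."""
    return [f for f in map(scan_line, lines) if f]
```

Running `scan(SAMPLE_LINES)` flags the access key (keyword + regex) and the random-looking token (keyword + entropy) as high confidence, the short password as low confidence, and leaves the region and the all-zero build id alone.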
Challenges around secrets storage and access
Managing important credentials, such as passwords, API keys, and tokens, is a responsibility with little to no room for failure. To reduce incidents caused by secrets theft, focus on these three areas:
Developers sometimes hardcode credentials in code for ease of use and access, but doing so exposes them to anyone with access to the project. This is especially dangerous as agile development expands to include third-party developers and code exchanges on cloud-based repos.
Secrets can often wind up in areas open to the public, such as in a public repository in your VCS or registry. Additionally, any secret added directly into CI/CD configuration files may be visible in a VCS or can be revealed in any resulting logs from the build.
Key rotation & revocation
Secrets management tools automate the creation and storage of secrets. They also handle revocation and rotation, which becomes especially important after a leak or compromise.