Secrets scanning for infrastructure as code and cloud environments

Bridgecrew empowers teams to detect and remove exposed secrets such as passwords, API keys, and tokens from infrastructure-as-code (IaC), cloud workloads, and running cloud environments.

Secrets scanning across the development lifecycle

Detect secrets at build time

Powered by Checkov, Bridgecrew scans for hardcoded secrets in code pre-commit, in your VCS, and in your CI pipeline.

Detect secrets at runtime

Identify exposed secrets in running workloads and cloud resources with built-in Bridgecrew runtime policies.

Multi-dimensional secrets scanning

Many tools scan in isolation for only one type of secret, which either creates unwanted noise from false positives or misses secrets altogether.

Combining detectors to scan for keywords, regular expressions, and high entropy patterns can help detect and pare down thousands of possible secrets to actionable and real risks.
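The combination described above, as an added example that is not Bridgecrew's or Checkov's own code: three detectors (credential keywords in an assignment, regexes for well-known key formats, and Shannon entropy of the value) run over the same constructed input, and their results are merged so that a regex hit is high confidence, a keyword hit corroborated by entropy is medium, and a bare high-entropy string is low. Placeholders and references (`var.x`, `${X}`, `<fill-me>`, `changeme`) are dropped rather than reported. The keyword list, patterns, thresholds and the sample file are all assumptions chosen for illustration; every value in the sample is fake.

```python
"""Multi-detector secret scanner: keyword, regex and Shannon-entropy detectors
combined so low-confidence hits are demoted instead of reported as noise.
Added example, not Bridgecrew/Checkov code; patterns and thresholds are assumed."""
import math
import re
from collections import Counter
from dataclasses import dataclass

# Detector 1: keywords that usually name a credential (assumed list).
KEYWORDS = ("password", "passwd", "secret", "api_key", "apikey", "token")
# Detector 2: regexes for well-known key formats (assumed, approximate).
FORMAT_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}
# `name = "value"` or `name: value` where the name contains a keyword.
ASSIGNMENT = re.compile(
    r"(?i)\b([a-z0-9_-]*(?:" + "|".join(KEYWORDS) + r")[a-z0-9_-]*)\s*[:=]\s*['\"]?([^'\"\s]+)"
)
# Detector 3 input: any quoted string of 20+ non-space characters.
QUOTED = re.compile(r"['\"]([^'\"\s]{20,})['\"]")
# Values that are references or placeholders, not literal secrets.
REFERENCE = re.compile(r"^(var\.|local\.|data\.|\$\{|\$[A-Z_]+$|<.*>$)")
PLACEHOLDER_WORDS = {"changeme", "example", "placeholder", "xxx", "todo", "redacted"}

KEYWORD_ENTROPY_MIN = 3.5  # bits/char; a keyword context lets us accept lower entropy
BARE_ENTROPY_MIN = 4.5     # without context, demand near-random strings
CONFIDENCE = {"LOW": 0, "MEDIUM": 1, "HIGH": 2}


@dataclass(frozen=True)
class Finding:
    line_no: int
    detector: str
    name: str
    value: str
    confidence: str


def shannon_entropy(s: str) -> float:
    """Bits per character of s; equals log2(alphabet size) when every char is unique."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def is_placeholder(value: str) -> bool:
    """True for variable references, templated values and well-known dummy words."""
    return bool(REFERENCE.match(value)) or value.lower() in PLACEHOLDER_WORDS


def scan(text: str) -> list[Finding]:
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        seen: set[str] = set()  # values already reported on this line (dedup across detectors)
        # Regex detector: a known key format is HIGH regardless of entropy.
        for fmt, pat in FORMAT_PATTERNS.items():
            for m in pat.finditer(line):
                findings.append(Finding(line_no, "regex", fmt, m.group(0), "HIGH"))
                seen.add(m.group(0))
        # Keyword detector corroborated by entropy is MEDIUM; placeholders and
        # low-entropy values under a credential keyword are dropped as noise.
        for name, value in ASSIGNMENT.findall(line):
            if value in seen or is_placeholder(value):
                continue
            if shannon_entropy(value) >= KEYWORD_ENTROPY_MIN:
                findings.append(Finding(line_no, "keyword+entropy", name, value, "MEDIUM"))
                seen.add(value)
        # Bare entropy detector: random-looking string with no keyword context is LOW.
        for value in QUOTED.findall(line):
            if value not in seen and shannon_entropy(value) >= BARE_ENTROPY_MIN:
                findings.append(Finding(line_no, "entropy", "", value, "LOW"))
                seen.add(value)
    return findings


def actionable(findings: list[Finding], minimum: str = "MEDIUM") -> list[Finding]:
    """Pare the merged findings down to those worth a human's time."""
    return [f for f in findings if CONFIDENCE[f.confidence] >= CONFIDENCE[minimum]]


# Constructed sample: a Terraform-style file plus shell lines; all values are fake.
SAMPLE = """\
resource "aws_db_instance" "db" {
  password = var.db_password
}
export API_TOKEN="<your-token-here>"
db_password = "changeme"
aws_access_key_id = "AKIAEXAMPLEEXAMPLE01"
slack_token = "x7Qp9zLm2VbN4tRw8sKc1JdH6yFa3Ge5"
request_id = "kX9mQ2pL7vR4wT8nB3sF6yH1jD5gZ0cA"
"""

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"line {f.line_no}: [{f.confidence}] {f.detector} {f.name}={f.value}")
    print("actionable:", len(actionable(scan(SAMPLE))))
```

On the sample, the reference on line 2, the templated value on line 4 and the dummy word on line 5 produce nothing; the fake AWS key on line 6 is reported once (HIGH) even though it is also a quoted string; the token on line 7 is MEDIUM because its keyword name is backed by 5.0 bits/char of entropy; and the random request id on line 8 is kept only as a LOW hit, so `actionable()` returns two findings out of eight lines. Raising or lowering the two entropy thresholds is the knob that trades recall against noise.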

Challenges around secrets storage and access

Managing important credentials such as passwords, API keys, and tokens is a responsibility with little to no room for failure. To reduce incidents caused by secrets theft, focus on these three areas:

Hardcoded secrets

Developers sometimes hardcode credentials in code for ease of use and access, but doing so exposes them to anyone with access to the project. This is especially dangerous as agile development expands to include third-party developers and code exchanged on cloud-hosted repositories.

Public exposure

Secrets can often wind up in areas open to the public, such as in a public repository in your VCS or registry. Additionally, any secret added directly into CI/CD configuration files may be visible in a VCS or can be revealed in any resulting logs from the build.

Key rotation & revocation

Secrets management tools automate the creation and storage of secrets. Just as important, they also handle revocation and rotation, which matters most in the case of a leak or compromise.

Get started with Bridgecrew for secrets scanning