A recurring problem when developing applications is that developers may unintentionally commit secrets and credentials to their remote repositories. If other people have access to the source, or if the project is public, this sensitive information is then exposed and can be leveraged by malicious users to gain access to resources like deployment environments. This has very real and tangible costs including: breached application data through credential leaks and compute costs for resources spun up and abused with your cloud resource API keys. GitLab's Security Trends analysis found that 18% of projects hosted on GitLab had identified leaked secrets with Secret Detection.
Secret Detection aims to prevent the unintentional leak of sensitive information including: passwords, authentication tokens, and private keys. It checks source files and configuration files to detect well-known and common patterns that look like secrets or credentials and reports findings that are potentially risky to share.
Secret detection doesn't target a specific language so it can easily be applied to any project. The most common approach to detect secrets is to look for regex patterns of common credentials like AWS tokens, API keys, and more.
Security tools like Secret Detection are best when integrated directly into the Devops Lifecycle and every project can benefit from secret scans, which is why we include it on-by-default in Auto DevOps.
Overall we want to help developers write better code and worry less about common security mistakes. Our goal is to provide Secret Detection as a part of the standard software development lifecycle (SDLC). This means that Secret Detection is executed every time a new commit is pushed to a branch.
Secret Detection results can be consumed in the merge request, where only new vulnerabilities, introduced by the new code, are shown.
The importance of these goals is validated by GitLab's 2020 DevSecOps Landscape Survey. With 3,650 respondents from 21 countries, the survey found:
User success metrics
The following measures would help us know how successful we are in achieving our goals:
The Secret Detection Category Maturity level is currently at Minimal. We plan to mature it to Viable by July 2020.
We are currently working on making Secrete Detection a standalone scan type. This move decouples Secret Detection from SAST which provides us more flexibility with how we handle secrets in the future. This sets us up to add support for adding custom secret detection rules and to experiment with suggested solutions to removing identified secrets.
With Secret Detection existing as its own scan type and being one simple security scanner, the Static Analysis team can use Secret Detection to explore and experiment with more complex changes that we would like to introduce to our other SAST scanners like custom rulesets, suggested solutions and more.
Why is this important?
Secret Detection is a simple but very powerful tool to help developers avoid costly mistakes. Secrets are leaked in source code daily. In fact, there are publically available tools to watch for leaked secrets like Shhgit. We want to enable as many projects as possible to avoid leaking secrets.
Differentiation
Gitlab uniquely has opportunities within the entire DevOps lifecycle. We can integrate across different DevSecOps stages leveraging data, insight, and functionality from other steps to enrich and automate based on Secret Detection findings. We even allow integration with partners and competitors to ensure flexibility. This allows teams to choose specific Secret Detection and Management solutions that fit their unique needs without GitLab being a constraint. This centers GitLab as the system of control and allows people to extend and integrate other solutions into the GitLab DevSecOps workflow.
There are a variety of vendors and open source projects offering Secret Detection soltuions:
GitLab has a unique position to deeply integrate into the development lifecycle, with the ability to leverage CI/CD pipelines to perform the security tests. There is no need to connect the remote source code repository, or to use a different interface.
We want to engage analysts to make them aware of the security features already available in GitLab. They also perform analysis of vendors in the space and have an eye on the future. We will blend analyst insights with what we hear from our customers, prospects, and the larger market as a whole to ensure we’re adapting as the landscape evolves.
While Secret Detection is not a standalone category of tools covered by analysts, it is mentioned in Gartner's Application Security Testing (AST) Critical Capabilities.
Full list of Secret Detection issues
Last Reviewed: 2020-05-03 Last Updated: 2020-05-03
