Detection of secrets in Git repos

I was looking at different tools to avoid committing secrets (passwords, API tokens, SSH private keys, TLS private keys, etc.) to Git repositories, as a shift-left security measure and to avoid the pain of cleaning up commits that have already been pushed.

Looking around, the candidates were git-all-secrets, Shiftleft Scan, whispers, git-secrets, Gitleaks and detect-secrets.

Each candidate was tested against a single Terraform file (.tf) that uses 48 providers (AWS, Datadog, Azure AD, etc.), with fake API tokens, passwords, SSH private keys, TLS certificates and TLS keys placed directly in the file as string literals (not loaded from variables or lookups). I only used the default rules that each candidate provides.

git-all-secrets only scans repositories that are already committed, so it was not a good candidate: we want something that detects secrets when someone tries to commit locally. The project's code has also not been updated since 2018.

Shiftleft Scan has a good reporting format, both JSON and HTML, but it didn't handle multi-line strings (mainly private keys) correctly: it treated each line of the key as a separate finding, like this:

Rule: Unknown Key
Line MIIJKQIBAAKCAgEAwY7gujdg4XqaUh2+LzFwRhY0exjCXkCDh3IMQpW/prHvItMy

So, a lot of false positives. The only thing it detected correctly was the AWS Access Key. Also, the documentation says a VS Code extension is available, but it's no longer in the Marketplace.

whispers only reported the dummy TLS and SSH files outside the Terraform file; it didn't report anything from the Terraform file itself. The default config for the tool is really short. BUT, it was the only tool that reported the TLS certificates, at minor severity.

[WARNING] [ca-key.pem:0] file = ca-key.pem
[WARNING] [ca-cert.pem:0] file = ca-cert.pem
[WARNING] [bidon.pem:0] file = bidon.pem
[WARNING] [bidon.pem:0] private_key = -----BEGIN OPENSSH PRIVATE KEY-----

[
    {
        "key": "file",
        "value": "ca-key.pem",
        "file": "ca-key.pem",
        "line": 0,
        "rule_id": "file-known",
        "message": "Known file",
        "severity": "MINOR"
    },
    {
        "key": "file",
        "value": "ca-cert.pem",
        "file": "ca-cert.pem",
        "line": 0,
        "rule_id": "file-known",
        "message": "Known file",
        "severity": "MINOR"
    },
    {
        "key": "file",
        "value": "bidon.pem",
        "file": "bidon.pem",
        "line": 0,
        "rule_id": "file-known",
        "message": "Known file",
        "severity": "MINOR"
    },
    {
        "key": "private_key",
        "value": "-----BEGIN OPENSSH PRIVATE KEY-----",
        "file": "bidon.pem",
        "line": 0,
        "rule_id": "privatekey",
        "message": "Private key",
        "severity": "CRITICAL"
    }
]

git-secrets only found the AWS secret key that I added to 3 providers. Since the project was created by awslabs, it makes sense that the default config only checks for AWS-specific secrets.

Let's talk about the two remaining candidates, which gave the best results.

Gitleaks found 30 secrets, which is pretty good. The default config defines a lot of regexes to find specific secrets (mostly API keys). The private keys were also detected correctly, but not the TLS certificates (whether a certificate is a secret at all is debatable); a simple regex could be added for this.

Where Gitleaks failed is in finding simple secrets, like http_auth = "user:pass" or password = "pass". The generic-key rule seems to be too specific and doesn't correctly detect simple secrets like those.

detect-secrets did an even better job: it found 42 secrets. As with Gitleaks, it didn't report the certificates as secrets, but it did find the simple secrets. The only gotcha with detect-secrets is that you need to write plugins in Python if you wish to add rules.
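To make the two failure modes above concrete (a multi-line PEM block being reported once per line, as Shiftleft Scan did, and simple `password = "..."` / `http_auth = "user:pass"` assignments being missed, as Gitleaks did), here is a small stand-alone scanner written for this article. It is an added example, not code from any of the tools compared, and not a detect-secrets plugin; the rule names, severities and the Terraform sample are constructed for the demonstration. It reports a PEM block as a single finding, treats certificates as minor (as whispers does) and exits non-zero when any non-minor finding exists, which is what a pre-commit hook needs.

```python
"""Minimal pre-commit style secret scanner (added example, not from the article)."""
import re
import sys
from dataclasses import dataclass

# Rules for the "simple" secrets that a too-specific generic rule can miss.
# Each regex captures the secret value in group 1 so it can be masked in output.
# "[ \t]*" rather than "\s*" keeps the match on one line so line numbers are exact.
SIMPLE_SECRET_RULES = {
    "simple-credential": re.compile(
        r'(?im)^[ \t]*(?:password|passwd|pwd|secret|token|api_key)[ \t]*=[ \t]*"([^"]+)"'),
    "http-basic-auth": re.compile(
        r'(?im)^[ \t]*http_auth[ \t]*=[ \t]*"([^"\s:]+:[^"\s]+)"'),
}

# One PEM block, BEGIN to its matching END, matched across lines (re.S) so it
# is reported as a single finding instead of one finding per base64 line.
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<kind>[A-Z ]+)-----.*?-----END (?P=kind)-----", re.S)


@dataclass(frozen=True)
class Finding:
    rule_id: str
    line: int        # 1-based line where the match starts
    severity: str    # CRITICAL / HIGH / MINOR
    detail: str      # masked value or block description, never the full secret


def mask(value: str) -> str:
    """Keep only the first two characters so reports do not leak the secret."""
    return value[:2] + "*" * max(len(value) - 2, 0)


def line_of(text: str, offset: int) -> int:
    return text.count("\n", 0, offset) + 1


def scan_text(text: str) -> list[Finding]:
    findings = []
    for rule_id, rx in SIMPLE_SECRET_RULES.items():
        for m in rx.finditer(text):
            findings.append(Finding(rule_id, line_of(text, m.start()), "HIGH", mask(m.group(1))))
    for m in PEM_BLOCK.finditer(text):
        kind = m.group("kind")
        n_lines = len(m.group(0).splitlines())
        if "PRIVATE KEY" in kind:
            findings.append(Finding("private-key", line_of(text, m.start()), "CRITICAL",
                                    f"{kind} block, {n_lines} lines"))
        elif kind == "CERTIFICATE":
            # A certificate is public material: report it, but do not block the commit.
            findings.append(Finding("certificate", line_of(text, m.start()), "MINOR",
                                    f"{kind} block, {n_lines} lines"))
    return sorted(findings, key=lambda f: f.line)


def blocking_findings(findings: list[Finding]) -> list[Finding]:
    return [f for f in findings if f.severity != "MINOR"]


# Constructed Terraform sample; the key and certificate bodies are dummy base64.
SAMPLE_TF = """\
provider "datadog" {
  api_key = "0123456789abcdef0123456789abcdef"
}

locals {
  password  = "pass"
  http_auth = "user:pass"
  ca_key    = <<EOF
-----BEGIN RSA PRIVATE KEY-----
QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVpBQkNERUZHSElKS0xNTk9QUVJTVFVW
QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVpBQkNERUZHSElKS0xNTk9QUVJTVFVW
-----END RSA PRIVATE KEY-----
EOF
  ca_cert   = <<EOF
-----BEGIN CERTIFICATE-----
QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVpBQkNERUZHSElKS0xNTk9QUVJTVFVW
-----END CERTIFICATE-----
EOF
}
"""


def main(paths: list[str]) -> int:
    """Pre-commit entry point: exit 1 if any non-MINOR finding exists in the staged files."""
    exit_code = 0
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            findings = scan_text(fh.read())
        for f in findings:
            print(f"[{f.severity}] {path}:{f.line} {f.rule_id}: {f.detail}")
        if blocking_findings(findings):
            exit_code = 1
    return exit_code


if __name__ == "__main__":
    if len(sys.argv) > 1:
        sys.exit(main(sys.argv[1:]))
    # No paths given: demonstrate on the constructed sample instead.
    for f in scan_text(SAMPLE_TF):
        print(f"[{f.severity}] sample.tf:{f.line} {f.rule_id}: {f.detail}")
```

Run it with the staged `.tf` files as arguments from a pre-commit hook, or with no arguments to see it on the sample: the private key is one CRITICAL finding at the BEGIN line rather than one per base64 line, the two simple credentials and the Datadog key are HIGH, and the certificate is MINOR and does not block the commit.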

In summary, Gitleaks and detect-secrets are the best tools for detecting secrets in pre-commit hooks. Gitleaks will miss some simple secrets, but it's easy to add new rules to its configuration. detect-secrets finds more secrets, but adding rules is a bit more difficult.

But wait, since my test used a Terraform file, what about Kics? Kics reported 51 high-severity findings! Sadly, it didn't report the private keys as secrets, but almost everything else was reported. A combination of Kics + Gitleaks might be the best option to catch all secrets in Terraform (or anything else that Kics understands).

More articles by Pascal Robert