Table of content
While private repositories offer some level of protection for your code they still do not have adequate protection to store information as sensitive as secrets.
Imagine if there was a plain text file with all your credit card numbers within it, you hopefully wouldn’t put this into the company's git repository. Secrets are just as sensitive.
A few things to consider when storing secrets in private repositories:
While DevOps, Continuous Integration and Continuous Delivery speed up software development, they can also significantly increase security risks.
“DevOps is rapid and requires lots of small, iterative changes. But this increases complexity and opens up a new set of security problems. With DevOps, existing security vulnerabilities can be magnified and manifest themselves in new ways. The speed of software creation can mean new vulnerabilities are created unseen by developers. The solution is to build security monitoring into the DevOps process from the start.”
Greg Day, RSA Conference Organizer (source)
Security now needs to be part of the SDLC from the start, and part of every incremental change. This concept is called Shifting Left, a development principle which states that security should move from the right (or end) of the SDLC to the left (the beginning). A great deal of automation is needed in order to be able to cope with running security checks at each incremental change. Automation helps streamline the detection, alerting and remediation processes and workflows.
Secrets detection is often confused with SAST because both scan through static source code.
SAST is mostly testing control structure, input validation, error handling, etc. Such vulnerabilities like SQL injection vulnerabilities only express themselves the moment the code is deployed. Exposed secrets are unlike these vulnerabilities, because any secret reaching version control system must be considered compromised and requires immediate attention. This is true even if the code is never deployed.
Implementing secrets detection is not only about scanning the most actual version of your master branch before deployment. It is also about scanning through every single commit of your git history, covering every branch, even development or test ones.
To conclude, SAST is concerned only with the current version of a project, the version that is going to be deployed, whereas secrets detection is concerned with the entire history of the project.