Gartner®: Application Security Guide for Software Engineering Leaders

Bitbucket scanning tool to detect secrets in your source code

GitGuardian Internal Repository Monitoring helps prevent secret sprawl

Available in Saas

Available on Prem

Scanning Bitbucket for secrets

BitBucket Server, formerly known as Stash, is an Atlassian distributed Version Control System that can be deployed on-premise and can be offered for free to open source projects. Favored by many DevOps teams, BitBucket Server provides integrations with the rest of Atlassian products.

However, running security audits at the end of the software development life cycle is a huge amount of work for security teams.

Modern organizations, therefore, decide to shift left so that development, operations, and security teams can scan and test their code in Bitbucket at each step of the development process, reducing the vulnerability surface.

Sensitive data has to be available for developers. How can you make sure it is not in their code?

Modern applications communicate using secrets: API keys and other credentials thus give access to multiple systems of the company. These secrets are even more sensitive than credit card numbers for your organization. You wouldn’t let unauthorized actors find them.

Secrets are everywhere and can spread rapidly

The term “secret sprawl” was coined to designate this problem. Choosing the path of least resistance, it is tempting to hardcode secrets in the source code, and share them via slack or email.

But this means malicious actors can move from one system to another and potentially squat the system. Secrets are sensitive, yet easy to share by mistake.

Developers are confronted to a faster Software Development Life Cycle

Human error can happen. But when teams are under pressure, it is all the more likely. With more to be done and less time to do it, developers can leak secrets by mistake. Running an analysis that scans the source code for security vulnerabilities can identify these mistakes.