Secret sprawl best practices

What makes secret sprawl such a common problem?

We know that secrets are necessary to tie together different components of an application. Development and Operations teams need constant access to these secrets to build, connect, test and deploy applications. As a result, secrets represent a special type of information that needs to be both tightly-wrapped and widely-distributed.

It is no secret that enforcing good security practices at the organization level is hard. Developers today are faced with large turnover inside companies, and are often spread across many different teams and geographies. They must master a growing number of technologies and are under increasing pressure due to shortened release cycles. This makes secret management very complicated and an ever-changing challenge.

This is further complicated when VCS like git are introduced because secrets can be buried deep inside the history. The current version of source code might look clean, while the history might contain credentials that were added, removed, and then completely forgotten about. Valid secrets in the git history represent a real threat and any secret that reaches the VCS must be considered compromised.

What are some of the best practices to securely manage secrets like API keys?

Storing and managing secrets like API keys and other credentials can be challenging. Even the most careful policies can sometimes be circumvented in exchange for convenience. We have put together a helpful cheat sheet and article explaining the best practices for managing secrets.

As a minimum here are some points you should consider:

Never store unencrypted secrets in git repositories
Avoid git add * commands on git
Add sensitive files in .gitignore
Don’t rely on code reviews to discover secrets
Use automated secrets scanning on repositories
Don’t share your secrets unencrypted in messaging systems like Slack
Store secrets safely (method to be used depends on every use case)
Default to minimal permission scope for APIs
Whitelist IP addresses where appropriate
Use short-lived secrets

What is the state of secrets sprawl on GitHub?

At GitGuardian, we’ve been monitoring every single commit pushed to public GitHub since July 2017. Three and a half years later, we’ve uncovered millions of secrets and sent nearly 1 million pro bono alerts to developers in 2020 alone. The State of Secrets Sprawl report measures this exposure of secrets within public repositories on GitHub and how this serious threat is evolving year to year.

< Previous articleNext article >