CODE Secrets Scanning

Andi Lamprecht · Accepted
ADR-0061 · Author: Sybil Melton · Date: 2025-02-07 · Products: platform
Originally ADR-0013-CODE-SECRETS-SCANNING (v6) · Source on Confluence

Context and Problem Statement

In the current software development landscape, the security of codebases is paramount. One significant risk is the inadvertent inclusion of sensitive information, such as passwords, tokens, API keys, and other secrets. These secrets, if leaked, can lead to severe security breaches, compromising both the integrity and the reputation of the organization. Therefore, it is critical to implement a robust mechanism to scan and identify such vulnerabilities as proactively as possible.

The problem we are addressing is the need for an effective, reliable, and efficient tool that can integrate into our existing development workflow to scan for leaked secrets. This tool should not only detect various types of secrets but also do so with a high degree of accuracy to minimize false positives and negatives.

The decision on which tool to adopt is critical as it directly impacts our software development lifecycle, our approach to security, and our ability to safeguard against data breaches and compliance violations. This ADR aims to evaluate available options and select the most suitable tool for scanning for leaked secrets, thereby enhancing our overall security posture and maintaining the trust of our stakeholders.

Decision Drivers

  • Feature Completeness
  • Platform Integration
  • Cost
  • Maintenance
  • User Experience
  • Opportunity Cost

Considered Options

  1. TruffleHog OSS
  2. TruffleHog Enterprise
  3. GitGuardian

Decision Outcome

Chosen Option: TruffleHog Open Source, because it fulfills a need to detect secrets in code for DroneUp that is not currently covered by other licensed products in use, at no additional capital expenditure, and will likely create a fast path to visibility of secrets in GitHub with nearly as much implementation effort as the other considered options. The recommended outcome of this ADR is to move forward with a POC of TruffleHog. This decision was made with significant consideration for capital expense and for whether the option is “good enough”.

Consequences

  • Good, because it requires no additional capital expenditure.
  • Good, because it distinguishes between verified and unverified secrets and alerts accordingly.
  • Good, because secret detection for verified secrets provides feedback to an engineer for how to rotate secrets.
  • Good, because it detects secrets.
  • Good, because it’s a two-way door decision. If we choose to revisit this decision and move forward with another solution, the cost expended would be effort only.
  • Good, because hooks can be used to assist with preventing leaked secrets earlier in the development process.
  • Bad, because the open source version cannot integrate with other technologies where secrets can be leaked, such as GAR/GCR, other Google products, and more.
  • Bad, because the open source version lacks the built-in Slack webhook, which can minimize extending the exposure of a secret when reporting to an engineer.
  • Bad, because it doesn’t do true IaC scanning.
  • Bad, because it doesn’t have an official, partnered CircleCI orb.
  • Bad, because role-based access control cannot be implemented in the open source version.
  • Bad, because the open source version doesn’t integrate with Okta.
  • Bad, because the open source version doesn’t have a way to provide reporting or dashboarding at any level.
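As an added example (not part of this ADR or of TruffleHog's own tooling), the triage glue the Consequences list implies for the open source version: read TruffleHog's `--json` line-delimited output, separate verified from unverified findings, and build the redacted per-engineer notification and summary counts that the OSS build does not produce itself. The field names (`DetectorName`, `Verified`, `Redacted`, `SourceMetadata.Data.Git`) follow TruffleHog's JSON output as I understand it, and the sample lines are constructed.

```python
import json
from collections import defaultdict

# Constructed sample of TruffleHog `--json` output (one finding per line, plus
# a stray log line). Field names follow TruffleHog's output; values are made up.
SAMPLE_OUTPUT = """\
{"SourceMetadata":{"Data":{"Git":{"commit":"a1b2c3d","file":"config/settings.py","email":"dev@example.com","line":12}}},"DetectorName":"AWS","Verified":true,"Redacted":"AKIAEXAMPLE0000****"}
{"SourceMetadata":{"Data":{"Git":{"commit":"a1b2c3d","file":"scripts/deploy.sh","email":"dev@example.com","line":3}}},"DetectorName":"Slack","Verified":false,"Redacted":"xoxb-****"}
{"SourceMetadata":{"Data":{"Git":{"commit":"f00ba77","file":".env","email":"ops@example.com","line":1}}},"DetectorName":"GitHub","Verified":true,"Redacted":"ghp_****"}
2025-02-07T10:00:00Z info finished scanning
"""


def parse_findings(raw: str) -> list[dict]:
    """Parse line-delimited JSON findings; skip blank and non-JSON (log) lines."""
    findings = []
    for line in raw.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            continue  # progress/log output interleaved with findings
        git = obj.get("SourceMetadata", {}).get("Data", {}).get("Git", {})
        findings.append({
            "detector": obj.get("DetectorName", "unknown"),
            "verified": bool(obj.get("Verified", False)),
            "redacted": obj.get("Redacted", "<redacted>"),  # never forward Raw
            "commit": git.get("commit", ""),
            "file": git.get("file", ""),
            "line": git.get("line", 0),
            "author": git.get("email", ""),
        })
    return findings


def triage(findings: list[dict]) -> dict:
    """Verified secrets fail the build and notify their author; the rest are counted."""
    verified = [f for f in findings if f["verified"]]
    unverified = [f for f in findings if not f["verified"]]
    by_author = defaultdict(list)
    for f in verified:
        by_author[f["author"]].append(
            f"{f['detector']} in {f['file']}:{f['line']} ({f['commit']}) "
            f"{f['redacted']} - rotate this credential now")
    return {
        "fail_build": bool(verified),
        "notify": dict(by_author),      # message per engineer, e.g. for Slack
        "verified": len(verified),
        "unverified": len(unverified),  # report only; review in bulk
    }
```

The unverified count stands in for the reporting the ADR notes is missing from the open source version; a CI job would fail on `fail_build` and post each `notify` entry to the engineer concerned.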

Pros and Cons of the Options

TruffleHog Enterprise

  • Good, for all of the same reasons as the Chosen Option, TruffleHog Open Source.
  • Good, because it can integrate with Okta.
  • Good, because role-based access control can be implemented.
  • Good, because it provides a single-pane-of-glass dashboard for visibility and reporting.
  • Good, because integrations exist to minimize implementation effort.
  • Good, because vendor support is included.
  • Good, because a Slack webhook can be used to notify an engineer directly when they’ve leaked a secret.
  • Bad, because it’s $25,000 USD annually for 0-100 developers.
  • Bad, because it doesn’t have an official, partnered CircleCI orb.
  • Bad, because it doesn’t do true IaC scanning.
  • Bad, because there is some lock-in. If we determine that the effort is more costly than the result, some money may be lost.

GitGuardian

  • Good, because it detects secrets.
  • Good, because it claims to do true IaC scanning.
  • Good, because it can integrate with Slack, Atlassian, GitHub.
  • Good, because it can integrate with Okta.
  • Good, because it provides a single-pane-of-glass dashboard for visibility and reporting.
  • Good, because role-based access control can be implemented.
  • Good, because integrations exist to minimize implementation effort.
  • Good, because vendor support is included.
  • Good, because it has an official, partnered CircleCI orb.
  • Good, because hooks can be used to assist with preventing leaked secrets earlier in the development process.
  • Bad, because it’s $18.33/contributor per month.
  • Bad, because there is some lock-in. If we determine that the effort is more costly than the result, some money may be lost.

More Information
