Finding an Effective Secrets Scanning Tool: Key Considerations

Finding secrets – such as login credentials, access tokens, and API keys – within source code, configuration files, and other resources is one thing. Finding them quickly, accurately, and comprehensively – and ensuring that secrets scanning supports, rather than hinders, the developer experience – can be quite another.

That’s because the effectiveness of secrets scanning tools varies widely. Some solutions generate false positives or (worse) miss risky hardcoded secrets. Some are also more adept than others at identifying secrets as early as possible in the software development lifecycle and helping developers fix secrets exposures.

This is why it’s important to look critically at exactly how a secrets scanner works before adopting it. This article unpacks tips on what to evaluate when looking for the best secrets scanning software.

What is a secret scanner?

A secret scanner is a tool that automatically detects hardcoded secrets, such as passwords and encryption keys. Alongside other types of security scanners (such as SAST tools, which scan applications for vulnerabilities, and SCA scanners, which identify risks within open source libraries), secrets scanners are a critical part of a modern cybersecurity tool set.

This is because secrets can easily find their way into codebases, configuration files, and other shared resources. If the secrets are hardcoded into files, they can be exposed to anyone who is able to view the files, most often in shared code repositories.

For instance, a developer might insert a database username and password into an application’s configuration file during the development process so that the application can quickly connect to an internal database for testing purposes. For example, if the developer forgets to remove the sensitive data from the file before the application ships, it could end up inside a software package that is shared with customers or other third parties, giving them the ability to connect to the database.

Secrets scanners detect risky instances of secrets so that developers can take measures to secure the sensitive credentials by, for example, using environment variables or secrets management tools to store login credentials instead of hardcoding secrets directly into files.

How do secrets scanners work?

Secrets scanners work by scanning files for strings that appear to represent secrets.

Secrets scanners’ methodology for determining what constitutes a secret can vary, but most use pattern-matching or machine learning techniques. This means that they can identify a wide range of secrets of varying types. These tools can also generate false positives, however, if the secret identification technique is too broad or not accurate enough (more on that below).

After finding a secret, most scanners will generate an alert notifying developers or application security teams so that they can remove the secret if appropriate.

What makes a secrets scanner effective?

All secrets scanners are capable of basic secrets detection. However, the following characteristics are what distinguish run-of-the-mill scanners from the best secrets detection tools – those that deliver the most precision and speed while enabling a seamless developer experience.

Reliable secrets detection

First and foremost is the ability to accurately and reliably detect secrets. While this may seem like a basic capability for all secrets scanners, the fact is that not all tools can reliably discover secrets that exist in an unusual form – like an API key that exceeds normal length, or a password that is encoded in an unexpected way.

The more developers trust their secrets scanner to identify all secrets, the more they can work with the confidence that they’re not leaking secrets from their development pipeline.

Minimum false positives

In the context of secrets scanning, false positives occur when a scanner flags something as being a secret when, in reality, it’s not. For instance, a tool might incorrectly assume that a Universally Unique Identifier (UUID) value that refers to a disk partition inside a configuration file is an API key, since both types of resources can be similar in form. In reality, UUIDs for disk partitions are not sensitive information in most cases.

When scanners generate false positives, they distract developers, who have to waste time chasing down alerts and figuring out whether real issues exist. That’s the opposite of what a good secrets scanner should do, which is accelerating the development process and making developers’ jobs easier.

Comprehensive scanning capabilities

The best secrets scanners can scan resources of all types. They are capable of checking for sensitive data not just inside source code files or repositories, but also in places such as logs and configuration files. Some can even scan binary files to detect secrets, where embedded secrets could potentially linger and be discoverable using tools like the Unix utility, strings.

The ability to scan all types of resources is important because secrets could be hiding anywhere. If a team’s security tools only check some locations, you’re at greater risk of exposed secrets.

Secrets validation

Advanced secrets scanning tools include validation functionality that automatically verifies whether discovered secrets are still valid, and thus potentially exploitable. This is an important advantage when it comes to prioritizing remediation efforts – because it is much more important to address exposed secrets that could be used in an attack than old secrets that are no longer functional. 

Pre-commit scanning

The earlier developers detect secrets during the software development lifecycle, the easier it typically is to remediate the risk – and the danger is minimized. Failure to discover a secret until it has  already been committed to a repository, or integrated into an application that has been built and deployed, increases the chances of the secret being exposed. It also requires developers to  go back, remove the secret, and redeploy the app – which wastes time. In contrast, when a team finds secrets as soon as they appear, they minimize risk and keep the development process moving smoothly.

Hence, the importance of pre-commit secrets scanning. This approach analyzes code for secrets before developers even commit it to a repository, allowing them to fix the issue immediately instead of waiting for a secrets scan to take place at a later time.

Remediation guidance

Finding a secret is only half the battle. To ensure a smooth developer experience, secrets scanners should also guide the remediation process by helping developers determine how best to remediate the risk.

Scanning tools can do this by providing a detailed report about the type of secret they’ve discovered, as well as suggesting an alternative method of storing the secret (such as using a secrets manager or passing it to the application as an environment variable instead of hardcoding it).

Enhancing the developer experience with secrets scanning

Deploying a secrets scanner is an initial step that all organizations should take to minimize their risk of exposing sensitive credentials.

But for businesses that prioritize developer experience, basic secrets scanning isn’t enough. They need tools that discover secrets effectively and reliably while avoiding false positives that disrupt developer workflows. The ability to detect secrets early in the development process, and to provide remediation guidance, makes advanced secrets scanners even more valuable. Also, determining which secrets are still valid and exploitable helps developers focus their efforts on remediating actual dangers.

Advanced Secrets Detection is offered as part of the cloud-native Checkmarx One application security platform. Check out this video to learn more about how Checkmarx enables accurate secrets detection while also enhancing the developer experience.