You can use Application Security to detect and block secrets in files in your IDEs, VCS repositories, and CI/CD pipelines.
A secret is a programmatic access key that provides systems with access to information, services or assets. Developers use secrets such as API keys, encryption keys, OAuth tokens, certificates, PEM files, passwords, and passphrases to enable their application to securely communicate with other cloud services.
For identifying secrets, Prisma Cloud provides default policies that use domain-specific and generic syntax to match on specific signatures and patterns to validate the likelihood or entropy of a string being a secret. You can view the scan results directly on Application Security > Projects, on the CLI if using Checkov, or in the IDE such as VSCode.
When scanning for secrets, Prisma Cloud can validate secrets against public APIs to verify if the secret is still active so that you can prioritize and handle exposed secrets quickly.
By default the validation of secrets is disabled and you can choose to enable the validation for secrets scan from Settings > Application Security Configuration > Validate Secrets.
Additionally, you can choose to run Checkov on your repositories to filter valid secrets that may be potentially exposed. To see a list of potentially exposed secrets you need to add an environment variable CKV_VALIDATE_SECRETS=true after enabling Validate Secrets.
In this example, you see a secret that is valid and requires to be prioritized in the repository after running Checkov on the terminal.
You can see the scan results of secrets after validation on Projects > Secrets and then use Resource Explorer to prioritize a valid secret by either a Suppress or by performing a Manual Fix on the secret.
Secrets deleted from a file can still be found in the git history of the repository and abused. Prisma Cloud can search through git history for those secrets and notify you even when the secret is no longer in the most recent commit.
By default git history scanning is disabled and you can choose to enable the validation for secrets scan from Settings > Application Security Configuration > Scan Git History for Secrets.
Results of secrets scanning will show up on the Projects.
|
Note
|
Git history scanning through the VCS integrations is only supported for repositories up to 4GB in size. |
Additionally, you can scan your git history without saving the results to the Prisma Cloud platform using Checkov locally by using the --scan-secrets-history flag. By default, there is not a timeout, but one can be set with --secrets-history-timeout TIME. Scans are performed in chunks and partial scans of chunks will not be saved.
By suppressing a notification for secrets you are choosing to no longer receive any information on a violation related to the suppressed secret. To suppress a notification you are required to define a suppression rule by adding a justification with an expiration time.
-
Select Application Security > Projects and then select Secrets view.
-
Configure a suppression rule for a secret.
-
Select a secret and then on the side panel select Issues and then select Suppress.
In this example,
Azure Storage Account Access Keys (Error)is the policy violation.
-
Add a Justification with the Expiration Time.
Optionally, you can choose a Manual Fix to resolve the secret violation.
-
-
Select Save.
