Why is this important?
All modern applications rely on certain secrets to run. These secrets may be database connection strings, API keys, or cryptographic keys. Keeping these secrets safe is critical to the security of the application.
If secrets are part of your source code, then the whole team has access to them. Worse, if the code is public, then everyone has access to them. Code can be public, if it's on a public Github repository, or bundled with your application, e.g. your Android app. This has led to many high-profile breaches.
Read below to find out how to fix this issue in your code.
Fixing Hard-coded Secrets
Option A: Use Environment Variables
Go through the issues that GuardRails identified in the PR.
If there are false positives, you can ignore lines or files.
Install BFG filter.
Remove the identified secrets from version control.
# Warning: This is a destructive action.
# To remove files containing sensitive data, run:
bfg --delete-files YOUR-FILE-WITH-SENSITIVE-DATA
# To replace all text listed in `passwords.txt` everywhere in your repository's history, run:
bfg --replace-text passwords.txt
# Warning, make sure that this is not a common word, that would replace other things.
Rotate/change the identified passwords, API keys, or cryptographic keys.
Replace the hard-coded secrets with an according environment variable placeholder. See below for references on how this can be done for common CI systems and usecases.
Test it and ensure that the app is still working as expected.
Ship it 🚢
- Leaking secrets on GitHub, What do do?
- An Introduction to Managing Secrets Safely with Version Control Systems
- Removing Sensitive Data from a Repository
- BFG Repo Cleaner
- TravisCI - Secure Env in Pull Requests
- CircleCI - Environment Variables
- Jenkins - Injecting Secrets
- 12 Factor App - Config
- Vault Guides
- How to securely store API-Keys
- The best way to store secrets in your app
- Safely store secrets with Blackbox
- Holistic Info-Sec for Web Developers - Storage of Secrets: risks, countermeasures