🦠Toxic Flange (Gurjeet)🔬⚱️🌚
@Toxic_Flange@infosec.exchange · 2 weeks ago

hey experienced #devsecops and #infosec people, what's a good tool to scan git repos regularly for secrets and report on them? what about prevention? thinking a special git hook pre-commit but those can be bypassed. what tools are there for that regardless?

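The two halves of the question, scanning repos for secrets and catching them before they are committed, can share one scanner. The example below is added here and is not from anyone in the thread; it is a small Python scanner that combines known credential formats with a Shannon-entropy heuristic, scans either a whole file or only the added lines of a unified diff, and can be wired to `git diff --cached` as a pre-commit hook. The regexes, the entropy threshold of 4.0 bits per character and the sample diff are constructed for illustration (the AWS key in the sample is the documented `AKIAIOSFODNN7EXAMPLE` placeholder). Because a client-side hook can be skipped with `git commit --no-verify`, the same `scan_text` function is meant to run a second time server-side, in a pre-receive hook or a CI job over `git log -p`, which is where the "regardless" part of the question is answered.

```python
"""Secret scanning for git diffs and history (added example, not from the thread)."""
import math
import re
import subprocess
import sys
from collections import Counter

# Known credential formats. The prefixes are the vendors' public formats; the exact
# regexes are an assumption for illustration, not a vendor specification.
KNOWN_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----"),
    # keyword = "literal" assignments; group(2) is the literal itself
    "assignment": re.compile(
        r"(?i)\b(password|passwd|secret|api[_-]?key|token)\b\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
    ),
}
# Candidates for the entropy check: long runs of base64/hex-like characters.
CANDIDATE = re.compile(r"[A-Za-z0-9+/=_\-]{20,}")
ENTROPY_THRESHOLD = 4.0  # bits per character; tuned by hand (assumption)


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty or single-symbol string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def redact(secret):
    """Keep enough of a finding to locate it without reproducing the secret in a report."""
    return f"{secret[:4]}…[{len(secret)} chars]"


def scan_text(text, added_only=False):
    """Return findings as (line_no, rule, redacted_match) tuples.

    With added_only=True the input is treated as a unified diff and only '+' lines
    (excluding the '+++' file header) are inspected, so removing a leaked secret
    does not itself trigger a finding.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if added_only:
            if not line.startswith("+") or line.startswith("+++"):
                continue
            line = line[1:]
        matched = False
        for rule, pattern in KNOWN_PATTERNS.items():
            for m in pattern.finditer(line):
                matched = True
                secret = m.group(2) if rule == "assignment" else m.group(0)
                findings.append((line_no, rule, redact(secret)))
        if matched:
            continue  # a known format already explains this line
        for m in CANDIDATE.finditer(line):
            token = m.group(0)
            if shannon_entropy(token) >= ENTROPY_THRESHOLD:
                findings.append((line_no, "high_entropy_string", redact(token)))
    return findings


# Constructed sample: a staged diff as `git diff --cached --unified=0` would print it.
SAMPLE_DIFF = """\
+++ b/app/config.py
-AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
+aws_key = "AKIAIOSFODNN7EXAMPLE"
+password = "hunter2hunter2"
+value = "q7F3kL9zR2mX8vB1nY4wT6hJ0pS5dG"
+name = "this_is_a_long_snake_case_name"
+print("hello world")
"""


def staged_diff():
    """Staged changes with no context lines, for use as a pre-commit hook."""
    return subprocess.run(
        ["git", "diff", "--cached", "--unified=0", "--no-color"],
        capture_output=True, text=True, check=True,
    ).stdout


if __name__ == "__main__":
    # Pre-commit use: exit non-zero so the commit is refused. Server-side, feed
    # `git log -p` through stdin instead; the scanning logic is identical.
    source = sys.stdin.read() if not sys.stdin.isatty() else staged_diff()
    hits = scan_text(source, added_only=True)
    for line_no, rule, shown in hits:
        print(f"line {line_no}: {rule}: {shown}")
    sys.exit(1 if hits else 0)
```

The ordinary identifier on the `name =` line has an entropy of about 3.5 bits per character and is left alone, while the random-looking literal on the `value =` line scores about 4.9 and is reported; that gap is what the threshold is tuned around, and it is the knob to revisit when the scanner produces false positives on base64 test fixtures.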
Cat 🐈🥗 (D.Burch) :paw:⁠:paw:
@catsalad@infosec.exchange · 2 weeks ago

@Toxic_Flange A nice DDoS tool to take down git or lax management that allows for the devs to play Factorio at work will prevent this!

🦠Toxic Flange (Gurjeet)🔬⚱️🌚
@Toxic_Flange@infosec.exchange · 2 weeks ago

@catsalad 😂 With Bitbucket cloud, we just let it do it to itself..

Cat 🐈🥗 (D.Burch) :paw:⁠:paw:
@catsalad@infosec.exchange · 2 weeks ago

@Toxic_Flange No mistakey if always breaky!

Pseudo Nym
@pseudonym@mastodon.online · 2 weeks ago

@Toxic_Flange @risottobias

This is a policy issue.

Ultimately, it isn't the dev's choice (and I say this as a former dev who went into security).

Appeal to their professionalism.

If they truly can't figure out a way to refactor code to remove hard coded creds from the source, you may need better developers.

Correct handling of secrets is hard, but doable. There are existing patterns for this.

Abstraction is your friend. Run time short session creds, vaults, AWS Secrets Manager, etc...

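The "abstraction" the reply above recommends (run-time short-lived credentials, vaults, a managed secrets service) comes down to one refactor: code keeps only the *name* of a secret and asks a provider for the value at run time. The Python below is an added example, not code from anyone in the thread or from any vault product. It shows the hard-coded "before" as a comment beside a small provider chain (environment variable, then a mounted secret file under `/run/secrets`, the Docker and Kubernetes convention, which is an assumption here) that fails closed when nothing supplies the value, wraps the value so it never appears in logs or tracebacks, and re-fetches it after a TTL, which is the hook a vault or AWS Secrets Manager client would use to hand out a fresh session credential. The `DB_PASSWORD` name and the placeholder values are constructed.

```python
"""Replacing a hard-coded credential with a run-time secret lookup (added example)."""
import os
import time
from pathlib import Path


class Secret:
    """Holds a secret value; str()/repr() never reveal it, so it is safe in logs."""
    __slots__ = ("_value", "_expires_at")

    def __init__(self, value, expires_at=None):
        self._value = value
        self._expires_at = expires_at

    def reveal(self):
        return self._value

    def expired(self, now):
        return self._expires_at is not None and now >= self._expires_at

    def __repr__(self):
        return "Secret(<redacted>)"

    __str__ = __repr__


class MissingSecret(RuntimeError):
    """No configured source supplied the secret: fail closed, there is no default."""


def env_provider(name):
    return os.environ.get(name)


def mounted_file_provider(name, root=Path("/run/secrets")):
    # Docker/Kubernetes mounted-secret convention (assumption about the path).
    path = root / name
    return path.read_text().strip() if path.is_file() else None


class SecretStore:
    """Resolves secrets through a provider chain and re-fetches after a TTL.

    The TTL is what makes short-lived session credentials work: when the cached
    value expires, the provider is asked again and hands back a fresh token.
    """

    def __init__(self, providers=(env_provider, mounted_file_provider),
                 ttl_seconds=None, clock=time.monotonic):
        self._providers = providers
        self._ttl = ttl_seconds
        self._clock = clock  # injectable so expiry can be tested without sleeping
        self._cache = {}

    def get(self, name):
        now = self._clock()
        cached = self._cache.get(name)
        if cached is not None and not cached.expired(now):
            return cached
        for provider in self._providers:
            value = provider(name)
            if value:
                expires_at = None if self._ttl is None else now + self._ttl
                secret = Secret(value, expires_at)
                self._cache[name] = secret
                return secret
        raise MissingSecret(f"no configured source supplied {name!r}")


# Before (what a repo scanner flags): the credential lives in the source tree.
# DB_PASSWORD = "hunter2hunter2"   # constructed placeholder; never do this

# After: the code knows only the secret's name; the value arrives at run time.
def db_connection_string(store, host="db.internal", user="app"):
    password = store.get("DB_PASSWORD").reveal()
    return f"postgresql://{user}:{password}@{host}/app"


if __name__ == "__main__":
    store = SecretStore(ttl_seconds=900)
    try:
        print(db_connection_string(store).replace(store.get("DB_PASSWORD").reveal(), "****"))
    except MissingSecret as exc:
        print(f"refusing to start: {exc}")
```

Swapping the provider chain is the whole integration surface: an AWS Secrets Manager or Vault client becomes one more callable that takes a name and returns a value, and the application code does not change. Keeping `reveal()` explicit also makes accidental exposure greppable in review, which is the same property the scanner in the question is after.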
🦠Toxic Flange (Gurjeet)🔬⚱️🌚
@Toxic_Flange@infosec.exchange · 2 weeks ago

@risottobias Getting our large team of devs to all install the tools for pre-hooks is like herding cats. It would eventually get done, but could also potentially be bypassed as many devs believe it's the only way to get their app to work (so many hard-coded secrets after I looked at all the repos..)


bonfire.cafe

A space for Bonfire maintainers and contributors to communicate

Bonfire social · 1.0.2-alpha.34