Configure secret scanning


Configure secret scanning to identify accidentally committed secrets, API keys, passwords, and other sensitive information in your code repositories, container images, and cloud storage. Secret scanning analyzes various data sources using pattern matching and entropy analysis to detect credentials and sensitive data that could be exploited if exposed. Before you begin, ensure you have access to the repositories, containers, or storage systems you want to scan, and the necessary permissions to configure security scanning tools.

Choose your secret scanning approach

CloudBees Unify supports both implicit scanning through application security posture management (ASPM) and explicit workflow scanning for secret detection across different data sources.

To choose the right approach:

  1. Determine your scanning needs and data sources:

    • Choose implicit scanning for automatic secret detection in Git repositories as code is committed.

    • Choose explicit scanning for targeted secret analysis across repositories, container images, and cloud storage with specific configuration control.

  2. Identify your scanning scope and requirements:

    • Determine which data sources need secret scanning (repositories, containers, cloud storage).

    • Consider scanning frequency and timing based on development and deployment workflows.

    • Plan for handling discovered secrets through incident response and remediation processes.

Your choice affects which configuration steps to follow in the subsequent sections.

Configure implicit secret scanning

Implicit secret scanning integrates with ASPM to provide automatic detection of secrets in Git repositories as code is committed and updated.

You must have ASPM enabled for your organization and the Manage security tools permission to configure implicit secret scanning.

To configure implicit secret scanning:

  1. Navigate to Security > Marketplace in your organization.

  2. Filter the available tools by secret scanning category or search for secret scanner names.

  3. Select and activate the secret scanner available for implicit scanning:

    • Gitleaks: Fast, comprehensive secret detection in Git repositories with support for custom patterns and rules.

      The system activates Gitleaks for automatic analysis of Git repositories across your organization.

  4. Configure scanner-specific settings if required:

    • Access individual scanner configuration through the Marketplace interface.

    • Set custom detection patterns and exclusion rules for your specific environments.

    • Configure sensitivity thresholds and reporting preferences to reduce false positives.

      Implicit secret scanning automatically triggers when code is committed to repositories linked to CloudBees Unify components.

Once configured, implicit scanning provides continuous secret monitoring across all linked repositories without requiring workflow modifications.

Configure explicit workflow secret scanning

Explicit workflow secret scanning provides granular control over secret detection across repositories, container images, and cloud storage systems.

To configure explicit workflow secret scanning:

  1. Add secret scanning actions to your workflow YAML file in appropriate job steps. Available explicit secret scanners include:

    • Gitleaks: Fast, comprehensive secret detection in Git repositories (also available as an implicit scanner).

    • TruffleHog Code: Advanced secret detection in source code with entropy analysis and custom pattern matching.

    • TruffleHog Container: Secret detection in container images, including environment variables and embedded credentials.

    • TruffleHog S3: Secret detection in Amazon S3 buckets, files, and metadata.

  2. Configure scanner authentication and data source access:

    • Create the required secrets in your CloudBees Unify organization or component settings for scanner API access.

    • Set up access credentials for target data sources, such as container registries or AWS accounts.

    • Configure data source locations with specific paths, bucket names, or image references.

      Common authentication patterns include:

      • Scanner API access: Some scanners require API tokens for advanced features and reporting.

      • Data source credentials: Container registries and cloud storage require separate authentication.

      • Access scope configuration: Define specific repositories, images, or storage locations to scan.

  3. Customize scan parameters for your data sources:

    • Define scanning scope and exclusion patterns to avoid false positives in test data or documentation.

    • Configure detection sensitivity and entropy thresholds appropriate for your security requirements.

    • Set up custom pattern matching rules for organization-specific secret formats and credential types.

      Example secret scanning configuration:

      - name: Scan with TruffleHog Code
        uses: https://github.com/cloudbees-io/trufflehog-secret-scan-code@v1
        with:
          base-ref: "main"
          max-depth: "100"
          exclude-paths: "*.log,*.tmp"

Secret scanning can generate false positives from test data, documentation, and example code. Configure exclusion patterns carefully to focus on actual credential exposure risks.
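As an added illustration (not CloudBees, Gitleaks or TruffleHog code), the following Python shows the two techniques the scanners combine, credential pattern matching and entropy analysis, together with exclude-paths style glob filtering and the high-confidence versus potential split used when findings are reviewed. The "acme-service-token" rule stands in for an organization-specific custom pattern, and the sample files and credential-shaped values are constructed.

```python
import fnmatch
import math
import re

# Added illustration, not CloudBees, Gitleaks or TruffleHog code: a minimal detector
# combining credential pattern matching, entropy analysis and exclude-paths globbing.

PATTERNS = {  # high-confidence formats; "acme-service-token" is a hypothetical custom rule
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github-pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "acme-service-token": re.compile(r"\bacme_[a-z]{3}_[A-Za-z0-9]{32}\b"),
}
CANDIDATE = re.compile(r"[A-Za-z0-9+/=_\-]{20,}")  # token-like runs for entropy checks
ENTROPY_THRESHOLD = 4.0  # bits per character; raise to cut false positives

def shannon_entropy(s: str) -> float:
    """Shannon entropy of s in bits per character."""
    return -sum(p * math.log2(p) for p in (s.count(c) / len(s) for c in set(s)))

def excluded(path: str, exclude_paths: str) -> bool:
    """True if path matches any glob in a comma-separated list such as "*.log,*.tmp"."""
    return any(fnmatch.fnmatch(path, g.strip()) for g in exclude_paths.split(",") if g.strip())

def scan(files: dict, exclude_paths: str = "") -> list:
    """Return (path, line_no, rule, confidence) tuples; files maps path -> content."""
    findings = []
    for path, text in files.items():
        if excluded(path, exclude_paths):
            continue
        for n, line in enumerate(text.splitlines(), 1):
            hits = [rule for rule, rx in PATTERNS.items() if rx.search(line)]
            findings += [(path, n, rule, "high") for rule in hits]
            if hits:
                continue  # already a high-confidence finding; skip the entropy check
            if any(shannon_entropy(t) >= ENTROPY_THRESHOLD for t in CANDIDATE.findall(line)):
                findings.append((path, n, "high-entropy-string", "potential"))
    return findings

# Constructed sample files; the credential-shaped values are made up, not real secrets.
SAMPLE = {
    "config/settings.py": 'AWS_KEY = "AKIAIOSFODNN7EXAMPLE"\nDEBUG = True\n',
    "src/client.go": 'token := "x9Qv2LpR8sT4wYz1BnM6kJ3hF7dG0cE5"\n',
    "build.log": "token=ghp_abcdefghijklmnopqrstuvwxyzABCDEFGHIJ\n",
    "README.md": "Run the service with a long_placeholder_value_here\n",
}

if __name__ == "__main__":
    for finding in scan(SAMPLE, exclude_paths="*.log,*.tmp"):
        print(finding)
```

With the exclusion applied, the token in build.log is skipped while the README string falls below the entropy threshold, so only the two real-looking values are reported.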

Manage scanning scope and data source coverage

Secret scanning effectiveness depends on comprehensive coverage of potential secret exposure points across your development and deployment infrastructure.

To optimize secret scanning coverage:

  1. Configure scanning across all relevant data sources:

    • Scan source code repositories for committed secrets and hardcoded credentials.

    • Analyze container images for embedded secrets, environment variables, and configuration files.

    • Monitor cloud storage for accidentally uploaded credentials and sensitive configuration data.

  2. Establish appropriate scanning frequency and timing:

    • Schedule repository scanning after code commits to catch secrets early in the development process.

    • Scan container images during build processes before deployment to production environments.

    • Perform periodic scans of cloud storage to detect secrets in uploaded files and backup data.

  3. Handle scan results and incident response:

    • Define escalation procedures for discovered secrets based on sensitivity and exposure risk.

    • Establish secret rotation workflows for credentials that may have been exposed.

    • Implement monitoring for secret usage patterns to detect potential compromise or misuse.

Review and manage secret findings

Secret scanning findings require immediate attention and specialized incident response procedures to minimize security risks from credential exposure.

To review secret findings:

  1. Access scan results through the CloudBees Unify Security Center:

    • Navigate to Security > Security Center in your organization.

    • Filter findings by scanner type and secret-specific categories for focused review.

  2. Understand secret-specific finding types and prioritization:

    • High-confidence secrets with clear credential patterns (API keys, passwords, tokens).

    • Potential secrets identified through entropy analysis that require manual verification.

    • Organization-specific credential formats detected through custom pattern matching rules.

    • Historical secret exposure in Git commit history that may require repository cleanup.

  3. Coordinate immediate response and remediation actions:

    • Verify whether identified secrets are legitimate credentials or false positives from test data.

    • Rotate or revoke exposed credentials immediately to prevent unauthorized access.

    • Update code and configuration to use secure credential management practices.

    • Monitor affected systems for signs of compromise or unauthorized access attempts.

    • Track remediation progress and implement preventive measures to avoid future secret exposure.

For detailed guidance on findings management, refer to Triage security findings.