Blog

Git secret leaks

Secure secrets management in git from the offensive point of view. With examples and demo scripts.

schedule a call

$ git clone git@glab.local:cicd/environment.sh

git: threat model

external attacker
authenticated access to an application
RCE in a docker container
access to a single server
access to a developer’s workstation

hardcoded secrets

Not just String pass = "N0OneW1llG3tTh1s";:

secrets in automated tests and deployment configuration
secrets in sample front-end code
hard-coded signatures and HMAC keys
testing credentials that “bypass” security checks

`.git` directories

Access to the private Gitlab is not the only way attackers get git access.

exposure of a .git directory on
Git repositories used to pull configurations by build agents

`.git` directories: demo

commits, pulls and branches

leaked secrets may persist in commit history
do not only scan the main branch
do not remove secrets by just committing a new version

`trufflehog`

the standard for automated secret scanning (especially git)

`trufflehog` usage: demo

third-party services + git: real-world example

found on Confluence:

after git clone:

Secure secrets management in Docker containers. Part 1

Secure secrets management in Docker containers from the offensive point of view. With examples and demo scripts. Read more

Secure secrets management in Docker containers. Part 2

Secure secrets management in Docker containers from the offensive point of view. Secrets in memory. Secrets in build arguments Read more

Bash/zsh scripts. Part 3

Secure secrets management in Docker containers from the offensive point of view. Secrets in bash/zsh scripts. Secrets in logs. Read more