Git secret leaks

$ git clone git@glab.local:cicd/environment.sh

git: threat model

external attacker
authenticated access to an application
RCE in a docker container
access to a single server
access to a developer’s workstation

hardcoded secrets

Not just String pass = "N0OneW1llG3tTh1s";:

secrets in automated tests and deployment configuration
secrets in sample front-end code
hard-coded signatures and HMAC keys
testing credentials that “bypass” security checks

`.git` directories

Access to the private Gitlab is not the only way attackers get git access.

exposure of a .git directory on
Git repositories used to pull configurations by build agents

`.git` directories: demo

commits, pulls and branches

leaked secrets may persist in commit history
do not only scan the main branch
do not remove secrets by just committing a new version

`trufflehog`

the standard for automated secret scanning (especially git)

`trufflehog` usage: demo

third-party services + git: real-world example

found on Confluence:

after git clone:

Application Penetration Testing

Infrastructure Assessment

Cloud Infrastructure

Performance and scalability assessment

Cybersecurity assessment

Threat Intelligence

Red Teaming

Compliance Readiness Services

Purple Teaming

Training

Due Diligence

Insides

Case Studies

Contact Us

About Tenendo

Contact us:

git: threat model

hardcoded secrets

`.git` directories

`.git` directories: demo

commits, pulls and branches

`trufflehog`

`trufflehog` usage: demo

third-party services + git: real-world example

Tenendo Limited

Cloud Infrastructure

Performance and scalability assessment

Cybersecurity assessment

Insides

Contact Us

About Tenendo

Contact us:

git: threat model

hardcoded secrets

.git directories

.git directories: demo

commits, pulls and branches

trufflehog

trufflehog usage: demo

third-party services + git: real-world example

Tenendo Limited

`.git` directories

`.git` directories: demo

`trufflehog`

`trufflehog` usage: demo