Defender for Cloud notifies organizations about exposed secrets in code repositories from GitHub and Azure DevOps. Secret detection helps you to quickly detect, prioritize, and remediate exposed secrets such as tokens, passwords, keys, or credentials stored in any file within the code repository.
If secrets are detected, Defender for Cloud can assist your security team in prioritizing them and taking actionable remediation steps to minimize the risk of lateral movement, by identifying the target resource that each secret can access.
How does code repository secret scanning work?
Secrets scanning for code repositories relies on GitHub Advanced Security for GitHub and Azure DevOps. GitHub Advanced Security scans the entire Git history on all branches present in your repository for secrets, even if the repository is archived.
To learn more, visit GitHub Advanced Security documentation for GitHub and Azure DevOps.
What’s supported?
Code repository secret scanning is available with the necessary GitHub Advanced Security license. Viewing the findings in Defender for Cloud is provided as part of Foundational Cloud Security Posture Management. To detect lateral movement possibilities to runtime resources, Defender Cloud Security Posture Management is required.
At this time, attack paths for exposed secrets are only available for Azure DevOps repositories.
How does code repository scanning mitigate risk?
Secrets scanning helps reduce risk with the following mitigations:
Preventing lateral movement: Exposed secrets within code repositories pose a significant risk of unauthorized access, because threat actors can use these secrets to compromise critical resources.
Eliminating secrets that aren’t needed: By knowing that specific secrets do not have access to any resources in your tenant, you can safely work with developers to remove these secrets. Additionally, you will know when secrets are expired.
Strengthening secrets security: You receive recommendations to use secret management systems such as Azure Key Vault.
How do I identify and remediate secrets issues?
There are several ways to identify and remediate exposed secrets. However, not every method listed below is supported for every secret.
Review secrets recommendations: When secrets are found on assets, a recommendation is triggered for the relevant code repository on the Defender for Cloud Recommendations page.
Review secrets with cloud security explorer: Use cloud security explorer to query the cloud security graph for code repositories that contain secrets.
Review attack paths: Attack path analysis scans the cloud security graph to expose exploitable paths that attackers might use to breach your environment and reach high-impact assets.
Security recommendations
The following secrets security recommendations are available:
Attack path analysis is a graph-based algorithm that scans your cloud security graph to expose exploitable paths that attackers might use to reach high-impact assets. Potential attack paths include:
Azure DevOps repository contains an exposed secret with lateral movement to a SQL database.
Publicly accessible Azure DevOps repository contains an exposed secret with lateral movement to a Storage Account.
Cloud security explorer queries
To investigate exposed secrets and lateral movement possibilities, you can use the following queries:
It’s important to be able to prioritize secrets and identify which ones need immediate attention. To help you do this, Defender for Cloud provides:
Rich metadata for every secret, such as the file path, line number, column, commit hash, file URL, GitHub Advanced Security alert URL, and an indication of whether the target resource that the secret provides access to exists.
Secrets metadata combined with cloud assets context. This helps you to start with assets that are exposed to the internet or contain secrets that might compromise other sensitive assets. Secrets scanning findings are incorporated into risk-based recommendation prioritization.
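The two behaviours this page describes, scanning the full Git history on every branch (so a secret removed from the latest commit is still found) and ranking findings by the metadata and asset context attached to each one, can be modelled in a few dozen lines. The following is an added, self-contained illustration; it is not Microsoft's, GitHub's or Azure DevOps' code. The detection patterns, the in-memory repository, the commit hashes and the "target resource exists" lookup are all constructed for the example: a real scanner uses provider-specific validated detectors, and the asset context comes from the cloud security graph rather than a dictionary.

```python
import hashlib
import re
from dataclasses import dataclass

# Constructed patterns for illustration only; production scanners use
# provider-specific, validated detectors with far lower false-positive rates.
SECRET_PATTERNS = {
    "sql-connection-password": re.compile(r"Password=([^;\s]+)", re.IGNORECASE),
    "storage-account-key": re.compile(r"AccountKey=([A-Za-z0-9+/=]{20,})"),
}


def fingerprint(secret):
    """Stable identifier for a secret value so findings never carry the raw value."""
    return hashlib.sha256(secret.encode()).hexdigest()[:16]


@dataclass(frozen=True)
class Finding:
    """Per-finding metadata of the kind the page lists: path, line, column, commit."""
    kind: str
    path: str
    line: int      # 1-based line number
    column: int    # 1-based column of the captured secret
    commit: str
    secret_id: str  # fingerprint, not the secret itself


def scan_blob(path, content, commit):
    """Run every pattern over one file version and return its findings."""
    findings = []
    for lineno, text in enumerate(content.splitlines(), start=1):
        for kind, pattern in SECRET_PATTERNS.items():
            for m in pattern.finditer(text):
                findings.append(Finding(kind, path, lineno, m.start(1) + 1,
                                        commit, fingerprint(m.group(1))))
    return findings


def scan_repository(branches):
    """branches: {branch_name: [commit, ...]}, commit = {"sha": str, "files": {path: content}}.
    Every commit on every branch is scanned, not just each branch head, so a secret
    that was later deleted or overwritten is still reported. Commits shared between
    branches are deduplicated by the finding's identity."""
    seen, findings = set(), []
    for history in branches.values():
        for commit in history:
            for path, content in commit["files"].items():
                for finding in scan_blob(path, content, commit["sha"]):
                    if finding not in seen:
                        seen.add(finding)
                        findings.append(finding)
    return findings


def prioritize(findings, target_exists, repo_public):
    """Rank findings highest risk first. target_exists is a constructed stand-in for
    the cloud-asset context Defender adds (does the resource the secret unlocks exist?).
    A secret whose target no longer exists is a candidate for removal rather than a
    lateral-movement risk."""
    triaged = []
    for f in findings:
        exists = target_exists.get(f.secret_id, False)
        score = (2 if exists else 0) + (1 if repo_public else 0)
        label = "lateral-movement-risk" if exists else "remove-unused-secret"
        triaged.append((score, label, f))
    triaged.sort(key=lambda t: (-t[0], t[2].path, t[2].line))
    return triaged


# Constructed repository: the SQL password is committed on main and then removed
# from HEAD; the storage key lives only on a feature branch. Hashes are made up.
SQL_LINE = 'DB = "Server=db;Password=Hunter2!;"\n'
REPO = {
    "main": [
        {"sha": "a1b2c3d", "files": {"app/config.py": SQL_LINE}},
        {"sha": "e4f5a6b", "files": {"app/config.py": 'DB = os.environ["DB_CONN"]\n'}},
    ],
    "feature/storage": [
        {"sha": "a1b2c3d", "files": {"app/config.py": SQL_LINE}},
        {"sha": "c7d8e9f", "files": {
            "infra/storage.env": "AccountKey=abcdefghijklmnopqrstuvwxyz0123456789ABCDEF==\n"}},
    ],
}
# Constructed asset context: the SQL server still exists, the storage account does not.
TARGET_EXISTS = {fingerprint("Hunter2!"): True}

if __name__ == "__main__":
    for score, label, f in prioritize(scan_repository(REPO), TARGET_EXISTS, repo_public=True):
        print(score, label, f.kind, f.path, f.line, f.column, f.commit)
```

Running the block prints two findings: the connection-string password from commit a1b2c3d ranked first as a lateral-movement risk (its target exists and the repository is public), and the storage key ranked second as a secret to remove, which is the same triage split the page describes between "preventing lateral movement" and "eliminating secrets that aren't needed".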