Secret scanning

Secret scanners are a set of tools designed to detect secrets exposed in source code.

Using secret scanning tools

ERP systems are often used to manage sensitive data and application integrations, so it is critical to ensure that secrets are not exposed in X++ source code. You should also have a clear remediation plan for when secrets enter your commit history.

Guidance

The table below outlines our findings for each secret scanning tool.

| Tool | Notes | Detected Secrets | GitHub/Azure DevOps Support |
| --- | --- | --- | --- |
| GitHub secret scanning (About secret scanning) | Secret scanning alerts for users is a free service on all public GitHub repositories. The service automatically generates alerts when patterns in your code match secrets used by many service providers. Push protection, a GitHub repository-level feature, will prevent commits with secrets from being pushed without remediation or a documented exception. In tests against the internal Hello World repository, Push Protection prevented a revoked PAT from entering the commit history. GitHub scanning alerts generated an alert when a revoked PAT existed within the commit history. GitHub's Push Protection is the only service-side scanning tool we tested that can prevent secrets from entering a repository's commit history. | PAT | GitHub |
| detect-secrets | This open-source tool has been successfully used on multiple projects within Microsoft's ISE organization. | Basic credential, JSON web token | GitHub, Azure DevOps |
| TruffleHog | TruffleHog has a first-party GitHub action, which makes it easy to reference as part of a CI process. | None | GitHub, Azure DevOps |
| gitleaks | Gitleaks is free for personal repositories and requires a paid license for organization repositories. | High-entropy string, secret hash, JSON web token | GitHub, Azure DevOps |
| Microsoft Security DevOps (Overview of Microsoft Defender for Cloud DevOps security) | Microsoft Security DevOps (MSDO) is offered as a GitHub scanner and an Azure DevOps scanner. The default configuration of the GitHub scanner requires configuring the default GITHUB_TOKEN permissions to upload SARIF files to the repository's Security tab. Furthermore, the repository must be a public repository or a sufficiently licensed private repository (see About code scanning) due to a dependency on GitHub's built-in code scanning feature. | None in GitHub. Basic credentials and PAT in Azure DevOps. | GitHub, Azure DevOps |
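
The following Python example is added here and is not code from this page or from any of the tools above. It shows how three of the detection classes listed in the table (basic credential, JSON web token, high-entropy string) can be matched against X++ source; the regular expressions, the 4.0-bit entropy threshold, and the sample class with its made-up values are assumptions constructed for illustration.

```python
import math
import re
from collections import Counter

# Simplified detectors (assumptions), not the rule sets of any tool in the table.
JWT_RE = re.compile(r"\beyJ[\w-]{5,}\.eyJ[\w-]{5,}\.[\w-]{5,}")
BASIC_CRED_RE = re.compile(r"""[a-z][a-z0-9+.-]*://[^/\s:@'"]+:[^/\s:@'"]+@""", re.I)
STRING_LITERAL_RE = re.compile(r"""(['"])([A-Za-z0-9+/=_-]{20,})\1""")
ENTROPY_THRESHOLD = 4.0  # bits per character; assumed cut-off

# Constructed X++ sample; every credential-like value below is made up.
SAMPLE_XPP = '''\
class IntegrationSettings
{
    public static str endpoint() { return "https://svc_user:Winter2024@erp.example.invalid/api"; }
    public static str token() { return "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJkZW1vIn0.c2lnbmF0dXJlLXBsYWNlaG9sZGVy"; }
    public static str apiKey() { return "q7Zp2Lx9Vb4Tn8Rk3Wd6Hs1Yc5Mf0Jg"; }
    public static str tableName() { return "CustInvoiceJourTransaction"; }
}
'''


def shannon_entropy(text):
    """Bits of entropy per character of text."""
    counts = Counter(text)
    return -sum(n / len(text) * math.log2(n / len(text)) for n in counts.values())


def scan(source):
    """Return (line_number, finding_type) for each line that trips a detector."""
    findings = []
    for number, line in enumerate(source.splitlines(), start=1):
        if JWT_RE.search(line):
            findings.append((number, "json-web-token"))
        elif BASIC_CRED_RE.search(line):
            findings.append((number, "basic-credential"))
        elif any(shannon_entropy(m.group(2)) >= ENTROPY_THRESHOLD
                 for m in STRING_LITERAL_RE.finditer(line)):
            findings.append((number, "high-entropy-string"))
    return findings


if __name__ == "__main__":
    for number, kind in scan(SAMPLE_XPP):
        print(f"line {number}: {kind}")
```

The `tableName` literal is long enough to be examined but scores about 3.8 bits per character, so it stays under the threshold; entropy-based detection depends on that cut-off being tuned to the identifiers a code base normally contains.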