Skip to main content

Secret Scanning

In Harness Open Source, you can enable security features to protect your code and prevent secrets from being pushed to your Git repositories. This guide will show you how to prevent credentials from accidentally being committed to your repository.

How does it work?

You can utilize the built-in Gitleaks integration to prevent hardcoded secrets such as passwords, API keys, and tokens from being introduced into your Git repository during a push. This reduces the potential for leaking valuable IP or compromising security. By scanning every push, your secrets are never added to the repository history, thus reducing the chance of a leak and eliminating the need to rewrite Git history.

To enable secret scanning for individual repositories, simply activate it for the desired repository. Once enabled, any push event to that repository containing a commit matching a recognized secret pattern is denied.

Prevent AWS credentials from being committed

In this section, you'll learn how to prevent AWS credentials from being committed to your repository. Follow the quick start guide to start using Harness Open Source, then proceed to create or import a repository. Finally, refer to the secret scanning documentation to enable secret scanning for your repository.

Next, clone the repository to your local machine and open it in your favorite code editor. Then, create a new file named aws-creds.config with the following content:

AWS_ACCESS_KEY="AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
note

These credentials, sourced from AWS Docs, are not valid.

Now try to push this commit to the remote repository. You should see the following error on the git log:

remote: Push contains secret:        
remote: 
remote: aws-access-token in config:1        
remote: Secret:  AKIAIOSFODNN7EXAMPLE        
remote: Commit:  1469e0435ac535dfd552ab443248493fc4fb1192        
remote: Details: Identified a pattern that may indicate AWS credentials, risking unauthorized cloud resource access and data breaches on AWS platforms.
remote: 
remote: 1 secret found in 1ms
note

According to the Gitleaks AWS rules for secrets, only one of the two secrets will be identified as a secret.