repo with samples that should trigger violations in secrets detection tools
tgayvert/saucerful-of-secrets

saucerful-of-secrets

SSH Keys

SSH key pairs, and especially the private key, committed into source control represent a real risk, particularly if the key has been re-used, whether across roles/companies or by being automatically deployed to many systems.

A passphrase improves the security of an SSH private key, but it does not make committing that private key into source control safe.

id_ed25519 - Private key. Hopefully triggers.
id_ed25519.pub - Public key. Not necessarily secret.

AWS IAM User Keys

AWS IAM user keys should never be hard-coded into source code, for a number of reasons. Hard-coding keys implies a number of design issues that go against best practice including. Ideally, if your app is running on AWS, you are using IAM roles, providing instance profiles or roles attached directly to resources, rather than creating IAM users.

.aws/credentials - Contains a generated AWS key that was deactivated before being committed. The AKIA prefix in the access key ID should tell a good detection tool that this is an AWS IAM user key, as should the pattern of the secret access key.

10/29/2021 - Added another key, already decommissioned, to test alert triggering.

TOML file with private information in it

Testing a scenario where a TOML file is used and contains private data. Don't ask me who uses TOML.
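As an added example (not part of this repository), here is a small Python scanner implementing the checks the sections above describe: the AKIA prefix on an access key ID, the 40-character secret access key, the private key header that separates id_ed25519 from id_ed25519.pub, and a quoted credential assignment in a TOML file. The sample file contents are constructed (the AWS values are the placeholder credentials from AWS documentation, not live keys), and findings are redacted so a detection tool's report does not re-leak the secret it found.

```python
import re

# Constructed stand-ins for the files this repo describes; no real credentials.
# The AWS values are the well-known placeholders from AWS documentation.
SAMPLES = {
    "id_ed25519": ("-----BEGIN OPENSSH PRIVATE KEY-----\n"
                   "b3BlbnNzaC1rZXktdjEAAAAAconstructed\n"
                   "-----END OPENSSH PRIVATE KEY-----\n"),
    "id_ed25519.pub": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIconstructedpublickey user@host\n",
    ".aws/credentials": ("[default]\n"
                         "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
                         "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"),
    "config.toml": "[database]\npassword = \"hunter2-constructed\"\n",
}

# Detection rules: name -> compiled pattern. Group 1, where present, is the secret value.
RULES = {
    # Long-term IAM user access key IDs start with "AKIA" plus 16 uppercase/digit chars.
    "aws_access_key_id": re.compile(r"\b(AKIA[A-Z0-9]{16})\b"),
    # Secret access keys are 40 base64-like chars; anchoring on the config key name
    # keeps this from matching arbitrary 40-character strings.
    "aws_secret_access_key": re.compile(
        r"(?i)aws_secret_access_key\s*=\s*([A-Za-z0-9/+=]{40})\b"),
    # PEM/OpenSSH private key header; the .pub file carries no such header.
    "ssh_private_key": re.compile(r"-----BEGIN (?:OPENSSH|RSA|EC|DSA) PRIVATE KEY-----"),
    # Quoted credential-looking assignments, e.g. password = "..." in a TOML file.
    "credential_assignment": re.compile(
        r'(?im)^\s*(?:password|secret|token|api_key)\s*=\s*["\']([^"\']+)["\']'),
}

def redact(value, keep=4):
    """Keep only a short prefix so a finding can be reported without leaking the secret."""
    return value[:keep] + "*" * max(0, len(value) - keep)

def scan(text):
    """Return (rule, line_number, redacted_match) for every rule hit in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in RULES.items():
            for m in pattern.finditer(line):
                value = m.group(1) if m.groups() else m.group(0)
                findings.append((name, lineno, redact(value)))
    return findings

def scan_samples():
    """Map each sample file name to the sorted list of rule names it triggers."""
    return {name: sorted({f[0] for f in scan(text)}) for name, text in SAMPLES.items()}

if __name__ == "__main__":
    for fname, text in SAMPLES.items():
        for rule, lineno, shown in scan(text):
            print(f"{fname}:{lineno}: {rule} -> {shown}")
```

Only the private key, the credentials file and the TOML file produce findings; the public key is reported clean, matching the expectations the README states for each sample.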
