# What are honeytokens?
GitGuardian Honeytoken allows you to create decoy credentials called “honeytokens” that grant no access to any actual customer resources or data. Instead, they act as tripwires: when one is used, it reveals information about the attacker (e.g. IP address, user agent, location).
Our honeytokens look just like any other secret to attackers. We designed them to be picked up by all types of secret scanners, including open-source projects such as TruffleHog or Gitleaks, which attackers often misuse. This means that if an attacker runs a secret scanner to search for developer secrets, they will trip on the honeytoken, triggering an alert that notifies the security team of a potential security incident.
# Why should you use honeytokens?
Honeytokens are a useful tool for the software development life cycle (SDLC) and software supply chain for several reasons:
- Early detection of security breaches: By planting honeytokens in your SDLC system and supply chain, you can detect security breaches early on before they cause any real damage. Honeytokens can act as an alarm system that signals the presence of an attacker or malicious activity.
- Strengthened supply chain security: Honeytokens can be used to quickly detect any breaches and identify if a vendor in the supply chain has been compromised. This helps you to strengthen your supply chain security and prevent further damage from occurring.
- Complete visibility of monitored codebase: Honeytokens provide you with a clear view of where they have been deployed, ensuring they were deployed as intended and identifying if they were mistakenly duplicated in several repositories.
- Easy deployment at scale: Honeytokens can be created, deployed, and managed on a large enterprise scale, allowing you to secure thousands of code repositories simultaneously. The integration of Honeytoken in the GitGuardian code security platform ensures that our secret scanning does not generate useless alerts for the deployed honeytokens.
- Detection of code leakage: By placing our honeytokens in code, you can detect if it has been leaked on public GitHub, saving time and resources by providing an easy and quick way to detect code leakage and prevent further data loss.
Read this blog post to learn more about the use cases of our honeytokens.
# Where should you place your honeytokens?
Your honeytokens can be deployed in a number of places (anywhere a real secret might also be found). Here are some examples:
- Source control systems (git repositories) - Committed in your repositories to detect a compromised codebase.
- CI/CD pipelines - Hidden in your CI/CD tools to detect compromised pipelines.
- Internal registries and package managers - Exposed in Docker images or other internal packages.
- Other tools used by developers - Planted in project management tools like Jira, internal wikis like Confluence, or messaging tools like Slack.
We recommend that each honeytoken be deployed in exactly one place. If the same honeytoken appears in several places and is triggered, you cannot tell with certainty which of those places was compromised.