
Rails Secret Key Base

Description

General

  • Documentation: https://guides.rubyonrails.org/security.html#custom-credentials

  • Summary: Ruby on Rails is a web framework written in Ruby. By default, Rails encrypts secrets before storing them in a credentials.yml.enc file. Alternatively, these secrets can be stored in a plain-text secrets.yml file. This detector focuses on catching the production secret_key_base in unencrypted files.

  • Scopes: Each Rails environment has its own secret_key_base. This detector focuses on production keys.

Revoke the secret

To generate a new secret_key_base, you can use the rake secret command. See the complementary documentation here.

Check for suspicious activity

Details for Rails secret key base var

  • Category: Private key

  • High recall: False

  • Validity check available: False

  • Minimum number of matches: 1

  • Occurrences found for one million commits: 2.22

  • Prefixed: False

  • PreValidators:

```yaml
- type: ContentWhitelistPreValidator
  patterns:
  - secret_key_base
```

Examples

```yaml
- text: |
    production:
      secret_key_base: "123458bb7ef6402f6a8bcf5d3be54321"
  secret_key: 123458bb7ef6402f6a8bcf5d3be54321
- text: |
    +production:
    +  secret_key_base: "123458bb7ef6402f6a8bcf5d3be54321"
  secret_key: 123458bb7ef6402f6a8bcf5d3be54321
- text: |
    -staging:
    -  secret_key_base: "123458bb7ef6402f6a8bcf5d3be54321"
  secret_key: 123458bb7ef6402f6a8bcf5d3be54321
```
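The following Ruby script is an added example, not GitGuardian's detector code, that mirrors the behaviour described in the Summary, the PreValidators and the Examples above: it first applies a content whitelist (the text must contain the string secret_key_base at all), then walks a plain-text secrets.yml (or a git diff of one, where lines carry a leading + or -) and reports every literal secret_key_base value together with the environment section it sits under, so that production findings can be singled out. The value pattern (32 or more hex characters) and the helper names scan_rails_secrets, production_leaks, mask and fresh_secret_key_base are assumptions of this example; the sample file and diff are constructed, reusing the placeholder value from the page's examples. The last helper produces the same kind of value as the rake secret command mentioned in "Revoke the secret", which is what you would use to rotate a leaked key.

```ruby
require "securerandom"

# Pre-validator, as on the page: skip content that cannot contain the secret at all.
CONTENT_WHITELIST = /secret_key_base/

# A top-level YAML key such as "production:", optionally prefixed by a diff marker.
SECTION_RE = /\A[+-]?([A-Za-z_][\w-]*):\s*(?:#.*)?\z/

# An indented secret_key_base entry holding a literal hex value (quoted or not).
# Assumption of this example: 32+ hex chars. ERB references such as
# <%= ENV["SECRET_KEY_BASE"] %> deliberately do not match: they are not leaks.
KEY_RE = /\A[+-]?\s+secret_key_base:\s*["']?([0-9a-fA-F]{32,})["']?\s*(?:#.*)?\z/

Finding = Struct.new(:env, :secret, :line)

# Returns one Finding per literal secret_key_base, with the enclosing environment.
def scan_rails_secrets(text)
  return [] unless text.match?(CONTENT_WHITELIST)

  findings = []
  env = nil
  text.each_line.with_index(1) do |raw, n|
    line = raw.chomp
    if (m = SECTION_RE.match(line))
      env = m[1]                         # remember which environment we are in
    elsif (m = KEY_RE.match(line))
      findings << Finding.new(env, m[1], n)
    end
  end
  findings
end

# The detector's scope: only production keys are reported.
def production_leaks(text)
  scan_rails_secrets(text).select { |f| f.env == "production" }
end

# Never print the full secret in a report; keep just enough to identify it.
def mask(secret)
  "#{secret[0, 4]}...#{secret[-4, 4]}"
end

# Equivalent of `rake secret`: a fresh 128-hex-char key for rotation.
def fresh_secret_key_base
  SecureRandom.hex(64)
end

# Constructed sample: a plain-text secrets.yml with a leaked production key.
SAMPLE_SECRETS_YML = <<~YAML
development:
  secret_key_base: 0123456789abcdef0123456789abcdef
test:
  secret_key_base: <%= ENV["SECRET_KEY_BASE"] %>
production:
  secret_key_base: "123458bb7ef6402f6a8bcf5d3be54321"
YAML

# Constructed sample: the same leak arriving as added lines in a git diff.
SAMPLE_DIFF = <<~DIFF
+production:
+  secret_key_base: "123458bb7ef6402f6a8bcf5d3be54321"
DIFF

if __FILE__ == $PROGRAM_NAME
  [SAMPLE_SECRETS_YML, SAMPLE_DIFF].each do |sample|
    production_leaks(sample).each do |f|
      puts "line #{f.line}: production secret_key_base #{mask(f.secret)} found in plain text"
    end
  end
  puts "replacement key (store it encrypted, e.g. via rails credentials:edit): #{mask(fresh_secret_key_base)}"
end
```

The script only flags literal values, so a production entry that reads the key from the environment is left alone; running it as a pre-commit hook over the staged diff catches the second example form above before the key ever reaches the repository.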