Rails Secret Key Base

Description#

General#

Documentation: https://guides.rubyonrails.org/security.html#custom-credentials
Summary: Ruby on Rails is a web framework written in Ruby. By default, Rails encrypts secrets before storing them in a credentials.yml.enc file. Alternatively, these secrets can be stored in a secrets.yml file. This detector focuses on catching the production secret_key_base in unencrypted files.
Scopes: Different secret_key_base are associated to different environment. This detector focuses on production keys.

Revoke the secret#

To generate a new secret_key_base, use rake secret command. See complementary documentation here.

Check for suspicious activity#

Details for `Rails secret key base var`#

Family: PrivateKey
Category: Private key
High recall: False
Validity check available: False
Minimum number of matches: 1
Occurrences found for one million commits: 2.22
Prefixed: False
PreValidators:

- type: ContentWhitelistPreValidator  patterns:  - secret_key_base

Examples#

- text: |    production:      secret_key_base: "123458bb7ef6402f6a8bcf5d3be54321"  secret_key: 123458bb7ef6402f6a8bcf5d3be54321
- text: |    +production:    +  secret_key_base: "123458bb7ef6402f6a8bcf5d3be54321"  secret_key: 123458bb7ef6402f6a8bcf5d3be54321
- text: |    -staging:    -  secret_key_base: "123458bb7ef6402f6a8bcf5d3be54321"  secret_key: 123458bb7ef6402f6a8bcf5d3be54321

Description#

General#

Revoke the secret#

Check for suspicious activity#

Details for Rails secret key base var#

Examples#

Details for `Rails secret key base var`#