
Encrypted Secrets

What are encrypted secrets?

Encrypted secrets are secrets which are not stored in clear-text: they are encrypted using a key stored in a secure area. This means that they are safe to share publicly. As such, GitGuardian does not report encrypted secrets as leaks.

Heuristics we use

Since we don't want to report encrypted secrets as leaks, we have to identify which secrets are encrypted: at first glance, an encrypted secret can look very similar to an unencrypted one. Here are the heuristics we use to identify encrypted secrets.

Note that a secret is often composed of several matches. GitGuardian considers the secret encrypted if at least one of the matches is encrypted.

Found by a generic detector

First, the secret must have been found by a generic detector. Patterns used by API-specific detectors are unlikely to mistakenly match an encrypted secret, because these patterns have constraints like starting with a given prefix, being of a precise length, or consisting of a specific set of characters.

Stored in a file generated by encrypting tools

Tools like SOPS can encrypt and decrypt secrets in JSON or YAML files. We skip files whose extensions match those used by such tools.

Match BCrypt format

If one of the secret matches follows the format of a BCrypt hash string, it is considered encrypted.

Context hints

If the text before one of the matches contains a common encryption indicator such as ENC[, SealedSecret, encryptedData, or a few others, the match is considered encrypted.

Base64 encrypted data

If the match is a long Base64-encoded string and the first two decoded bytes are either (1, 0) or (2, 0), then the match is considered to be Base64 encrypted data.
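As an added example (not GitGuardian's own code), the match-level heuristics above implemented in Python: the BCrypt format check, the context-hint check, and the Base64 first-two-bytes check, combined with the rule that a secret counts as encrypted if at least one of its matches does. The generic-detector and file-extension preconditions are not modelled; the 64-character context window, the 32-character Base64 length threshold, and the sample text are assumptions.

```python
import base64
import re
from dataclasses import dataclass

# bcrypt hash strings: "$2a$"/"$2b$"/"$2x$"/"$2y$", a two-digit cost, "$", then
# 22 salt + 31 digest characters from the bcrypt alphabet (60 characters total).
BCRYPT_RE = re.compile(r"^\$2[abxy]\$\d{2}\$[./A-Za-z0-9]{53}$")
# Context hints named on the page; the "few others" it mentions are not listed there.
CONTEXT_HINTS = ("ENC[", "SealedSecret", "encryptedData")
CONTEXT_WINDOW = 64   # chars of preceding text inspected for a hint (assumption)
MIN_B64_LEN = 32      # what counts as a "long" Base64 string (assumption)
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


@dataclass
class Match:
    value: str   # the matched string (password, token, ...)
    start: int   # offset of the match in the scanned text

def is_bcrypt(value: str) -> bool:
    return BCRYPT_RE.fullmatch(value) is not None

def has_context_hint(doc: str, start: int) -> bool:
    before = doc[max(0, start - CONTEXT_WINDOW):start]
    return any(hint in before for hint in CONTEXT_HINTS)

def is_base64_encrypted(value: str) -> bool:
    if len(value) < MIN_B64_LEN or not B64_RE.fullmatch(value):
        return False
    try:
        raw = base64.b64decode(value, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    # Only the first two decoded bytes are inspected, as the page describes.
    return raw[:2] in (b"\x01\x00", b"\x02\x00")

def match_is_encrypted(doc: str, m: Match) -> bool:
    return is_bcrypt(m.value) or has_context_hint(doc, m.start) or is_base64_encrypted(m.value)

def secret_is_encrypted(doc: str, matches: list) -> bool:
    # A secret composed of several matches is encrypted if at least one match is.
    return any(match_is_encrypted(doc, m) for m in matches)


# Constructed sample: one clear-text password and one SOPS-style ENC[...] value.
SAMPLE_DOC = "db_password: hunter2-plain\napi_key: ENC[AES256_GCM,data:c29tZXRoaW5n,type:str]\n"
SAMPLE_MATCHES = [Match(v, SAMPLE_DOC.index(v)) for v in ("hunter2-plain", "c29tZXRoaW5n")]

if __name__ == "__main__":
    print({m.value: match_is_encrypted(SAMPLE_DOC, m) for m in SAMPLE_MATCHES})
    print("secret encrypted:", secret_is_encrypted(SAMPLE_DOC, SAMPLE_MATCHES))
```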