What are encrypted secrets?
Encrypted secrets are secrets which are not stored in clear-text: they are encrypted using a key stored in a secured area.
Those are safe to share publicly. As such, GitGuardian strives not to report encrypted secrets as leaks.
Heuristics we use
Since we don't want to report encrypted secrets as leaks, we have to identify which secrets are encrypted: at first glance, an encrypted secret might seem very similar to an unencrypted one. Here are different heuristics we use to identify encrypted secrets.
Note that a secret is often composed of several matches. GitGuardian considers the secret encrypted if at least one of the matches is encrypted.
Found by a generic detector
First, the secret must have been found by a generic detector. Patterns used by API-specific detectors are unlikely to mistakenly match an encrypted secret, because these patterns have constraints like starting with a given prefix, being of a precise length, or consisting of a specific set of characters.
Stored in a file generated by encrypting tools
Tools like SOPS can encrypt and decrypt secrets in JSON or YAML files. We skip files whose extensions match those used by such tools.
Match BCrypt or Crypt format
If the text before one of the matches contains one of the following common encryption indicators (this list is non-exhautive):
- "ENC[" or "ENC("
- "type: Opaque"
Then the match is considered encrypted.
Base64 encrypted data
If the match is a long Base64-encoded string and the first decoded bytes match: (1, 0), (2, 0), (1,1) or (10, 36, 0) then the match is considered to be Base64 encrypted data.