Encrypted secrets are secrets that are not stored in clear text: they are encrypted with a key kept in a secure location. As long as that key stays private, the ciphertext is safe to share publicly, so GitGuardian does not report encrypted secrets as leaks.
Because encrypted secrets should not be reported as leaks, we need to identify which secrets are encrypted, and at first glance an encrypted secret can look very similar to an unencrypted one. Below are the heuristics we use to tell them apart.
Note that a secret is often composed of several matches. GitGuardian considers the secret encrypted if at least one of the matches is encrypted.
First, the secret must have been found by a generic detector. Patterns used by API-specific detectors are unlikely to mistakenly match an encrypted secret, because these patterns have constraints like starting with a given prefix, being of a precise length, or consisting of a specific set of characters.
Tools like SOPS can encrypt and decrypt secrets in JSON or YAML files. We skip files whose extensions match those used by such tools.
If one of the secret's matches follows the format of a bcrypt hash string (a modular-crypt-format value starting with $2a$, $2b$ or $2y$, followed by the cost, salt and digest), it is considered encrypted.
If the text before one of the matches contains a common encryption indicator such as encryptedData (among a few others), the match is considered encrypted.
If the match is a long Base64-encoded string and its first two decoded bytes are either (1, 0) or (2, 0), the match is considered Base64-encoded encrypted data.
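The following Python block is an added example that implements the heuristics above as a small classifier; it is not GitGuardian's own code. The file-extension list, the set of extra indicator keywords beyond encryptedData, the 64-character look-back window and the 32-character "long Base64" threshold are all assumptions chosen for illustration, as is the sample data at the bottom.

```python
import base64
import binascii
import re

# Everything below is constructed for this example; none of the lists or
# thresholds are GitGuardian's own.

# Extensions produced by SOPS-style workflows (assumed list; the page names none).
ENCRYPTED_FILE_SUFFIXES = (".enc.yaml", ".enc.yml", ".enc.json",
                           ".sops.yaml", ".sops.yml", ".sops.json")

# bcrypt modular crypt format: $2a$/$2b$/$2x$/$2y$, two-digit cost,
# then a 22-character salt and 31-character digest in the bcrypt alphabet.
BCRYPT_RE = re.compile(r"^\$2[abxy]\$\d{2}\$[./A-Za-z0-9]{53}$")

# Words that, when they precede a match, suggest the value is ciphertext.
# "encryptedData" is the indicator named on the page; the rest are assumed extras.
ENCRYPTION_INDICATORS = ("encrypteddata", "encrypted_data", "ciphertext", "encryptedvalue")
INDICATOR_WINDOW = 64  # characters before the match to inspect (assumption)

# Standard Base64 alphabet; the "long" threshold is an assumption.
BASE64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
MIN_BASE64_LEN = 32
ENCRYPTED_BLOB_PREFIXES = {b"\x01\x00", b"\x02\x00"}

# Constructed sample blob: decoded bytes start with (1, 0).
SAMPLE_BLOB = base64.b64encode(b"\x01\x00" + b"\x00" * 30).decode()


def has_encrypted_extension(path):
    """Files written by SOPS-like tools are skipped outright."""
    return path.lower().endswith(ENCRYPTED_FILE_SUFFIXES)


def is_bcrypt_hash(value):
    return BCRYPT_RE.fullmatch(value) is not None


def has_encryption_indicator(context_before):
    """Look for an indicator keyword in the text immediately preceding the match."""
    window = context_before[-INDICATOR_WINDOW:].lower()
    return any(word in window for word in ENCRYPTION_INDICATORS)


def is_base64_encrypted_blob(value):
    """Long Base64 whose first two decoded bytes are (1, 0) or (2, 0)."""
    if len(value) < MIN_BASE64_LEN or not BASE64_RE.fullmatch(value):
        return False
    try:
        decoded = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    return decoded[:2] in ENCRYPTED_BLOB_PREFIXES


def is_match_encrypted(value, context_before):
    return (is_bcrypt_hash(value)
            or has_encryption_indicator(context_before)
            or is_base64_encrypted_blob(value))


def is_secret_encrypted(path, detector_kind, matches):
    """Apply the heuristics in the order the page gives them.

    detector_kind: "generic" or "specific"
    matches: list of (value, context_before) tuples that make up one secret
    Returns True when the finding should be suppressed as encrypted.
    """
    if detector_kind != "generic":
        # API-specific detectors have tight patterns; their hits are reported as-is.
        return False
    if has_encrypted_extension(path):
        return True
    # A secret counts as encrypted if at least one of its matches is.
    return any(is_match_encrypted(value, ctx) for value, ctx in matches)


if __name__ == "__main__":
    # Constructed findings: (path, detector kind, [(value, text before the match)])
    findings = [
        ("config.json", "generic", [("hunter2", '{"password": "')]),
        ("config.json", "generic", [("hunter2", 'x'), ("$2b$12$" + "a" * 53, "hash: ")]),
        ("secrets.enc.yaml", "generic", [("hunter2", "password: ")]),
        ("config.json", "generic", [(SAMPLE_BLOB, '{"blob": "')]),
        ("config.json", "specific", [("$2b$12$" + "a" * 53, "")]),
    ]
    for path, kind, matches in findings:
        verdict = "encrypted" if is_secret_encrypted(path, kind, matches) else "leak"
        print(f"{path:18} {kind:9} -> {verdict}")
```

The Base64 check uses validate=True so that a value with stray characters or bad padding is rejected rather than silently decoded; the bcrypt regex enforces the fixed 53-character salt-plus-digest length, which is what stops a random Base64 token that happens to start with $2 from being misclassified.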