Encrypted Secrets

What are encrypted secrets?

Encrypted secrets are secrets that are not stored in clear text: the value is encrypted with a key that is kept in a secure location, outside the repository or file where the ciphertext appears. As long as that key stays private, the ciphertext can be shared publicly without exposing the secret; if the key itself leaks, the ciphertext is no longer safe and should be treated like a plaintext secret. Because the ciphertext alone reveals nothing, GitGuardian does not report encrypted secrets as leaks.

Heuristics we use

Since we don't want to report encrypted secrets as leaks, we have to identify which secrets are encrypted, and at first glance an encrypted value looks very much like a high-entropy plaintext one. Here are the different heuristics we use to identify encrypted secrets.

Note that a secret is often composed of several matches (for example a username together with a password, or a client ID together with a client secret). GitGuardian considers the secret encrypted if at least one of its matches is encrypted.

Found by a generic detector

First, the secret must have been found by a generic detector. Patterns used by API-specific detectors are unlikely to mistakenly match an encrypted secret, because these patterns carry constraints such as a fixed prefix, a precise length, or a specific character set that a ciphertext would not satisfy. Generic detectors, by contrast, key on a name and a high-entropy value, so they can pick up ciphertext; the heuristics below are applied to their matches.

Stored in a file generated by encrypting tools

Tools like SOPS encrypt and decrypt the values inside JSON or YAML files while leaving the keys readable. We skip files whose extensions match those used by such tools. This check looks at the extension only: an encrypted file saved under an unconventional name is not skipped, and its values then have to be recognised by the other heuristics.

Match BCrypt format

If one of the secret matches follows the format of a BCrypt hash string (a prefix such as $2a$, $2b$ or $2y$, a two-digit cost factor, then 53 characters of salt and digest), it is considered encrypted. Strictly speaking a BCrypt string is a salted password hash rather than ciphertext, but the effect is the same for reporting purposes: the original password cannot be recovered from it, so committing it does not leak the password itself (offline guessing of weak passwords remains possible, which is what the cost factor is there to slow down).

Context hints

If the text before one of the matches contains a common encryption indicator such as ENC[ (the prefix SOPS puts in front of every encrypted value), SealedSecret or encryptedData (the kind and the field name used in Kubernetes SealedSecret manifests), and a few others, the match is considered encrypted.

Base64 encrypted data

If the match is a long Base64-encoded string and the first two decoded bytes are either (1, 0) or (2, 0), then the match is considered to be Base64 encrypted data. A printable token would never decode to such a pair of leading bytes, whereas a small binary header of this shape is characteristic of a binary blob such as a serialised ciphertext. The check needs a successful decode: a string containing a non-Base64 character or with bad padding does not qualify.
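As an added illustration of the heuristics above (generic-detector gate, tool-generated file extensions, BCrypt format, context hints, Base64 header bytes) and of the "at least one match" rule, here is a small Python implementation. It is example code written for this page, not GitGuardian's detection engine: the suffix list, the 80-character context window, the 32-character threshold for a "long" Base64 string and all sample inputs are assumptions or constructed data, and the list of context hints contains only the three indicators the page names.

```python
import base64
import binascii
import re
from dataclasses import dataclass
from typing import List, Optional

# --- Assumed constants (not GitGuardian's real lists or thresholds) -------------
# File suffixes written by encrypting tools such as SOPS.
ENCRYPTING_TOOL_SUFFIXES = (".sops.yaml", ".sops.yml", ".sops.json",
                            ".enc.yaml", ".enc.yml", ".enc.json")
# bcrypt modular-crypt string: $2a$/$2b$/$2y$, 2-digit cost, 22-char salt + 31-char digest.
BCRYPT_RE = re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$")
# Only the indicators named on the page; the "few others" are not reproduced.
CONTEXT_HINTS = ("ENC[", "SealedSecret", "encryptedData")
CONTEXT_WINDOW = 80          # characters before the match that are inspected (assumed)
BASE64_RE = re.compile(r"^[A-Za-z0-9+/]{32,}={0,2}$")   # "long" = 32+ chars (assumed)
ENCRYPTED_BLOB_HEADERS = (b"\x01\x00", b"\x02\x00")    # first two decoded bytes


@dataclass
class Match:
    value: str   # text captured by the generic detector
    start: int   # offset of that text inside the scanned document


def is_encrypting_tool_file(path: str) -> bool:
    """Stored in a file generated by an encrypting tool, judged by extension only."""
    return path.lower().endswith(ENCRYPTING_TOOL_SUFFIXES)

def is_bcrypt(value: str) -> bool:
    """The match follows the bcrypt hash string format."""
    return BCRYPT_RE.fullmatch(value) is not None

def has_context_hint(text: str, start: int) -> bool:
    """An encryption indicator appears in the text shortly before the match."""
    window = text[max(0, start - CONTEXT_WINDOW):start]
    return any(hint in window for hint in CONTEXT_HINTS)

def is_base64_encrypted(value: str) -> bool:
    """Long Base64 whose first two decoded bytes are (1, 0) or (2, 0)."""
    if BASE64_RE.fullmatch(value) is None:
        return False
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False          # not decodable, so there is no header to inspect
    return raw[:2] in ENCRYPTED_BLOB_HEADERS

def encrypted_reason(match: Match, text: str) -> Optional[str]:
    """Name the heuristic that marks this match as encrypted, or None."""
    if is_bcrypt(match.value):
        return "bcrypt"
    if has_context_hint(text, match.start):
        return "context-hint"
    if is_base64_encrypted(match.value):
        return "base64-header"
    return None

def secret_is_encrypted(matches: List[Match], text: str, path: str = "",
                        generic_detector: bool = True) -> bool:
    """A secret is encrypted if it came from a generic detector and either lives
    in a tool-encrypted file or at least one of its matches trips a heuristic."""
    if not generic_detector:
        return False          # API-specific patterns are assumed never to hit ciphertext
    if is_encrypting_tool_file(path):
        return True
    return any(encrypted_reason(m, text) is not None for m in matches)


# --- Constructed sample inputs (not real secrets) ------------------------------
BCRYPT_SAMPLE = "$2b$12$" + "abcdefghijklmnopqrstuv" + "ABCDEFGHIJKLMNOPQRSTUVWXYZ01234"
B64_ENCRYPTED_SAMPLE = base64.b64encode(b"\x02\x00" + bytes(range(40))).decode()
B64_PLAIN_SAMPLE = base64.b64encode(b"AKIA" + bytes(36)).decode()
SOPS_TEXT = "password: ENC[AES256_GCM,data:4Q9w2l5Zt8cF,iv:aGVsbG8=,tag:d29ybGQ=,type:str]\n"
SOPS_VALUE = "4Q9w2l5Zt8cF"
SEALED_TEXT = ("kind: SealedSecret\nspec:\n  encryptedData:\n"
               "    password: AgBy3i4OJSWK+PiTySYZZA9rO43cGDEq\n")
SEALED_VALUE = "AgBy3i4OJSWK+PiTySYZZA9rO43cGDEq"
PLAIN_TEXT = "db_password = 'hunter2_super_secret_value_2024'\n"
PLAIN_VALUE = "hunter2_super_secret_value_2024"

def single(text: str, value: str, **kw) -> bool:
    """Classify a one-match secret located inside text."""
    return secret_is_encrypted([Match(value, text.index(value))], text, **kw)


if __name__ == "__main__":
    for label, text, value in (("sops", SOPS_TEXT, SOPS_VALUE),
                               ("sealed", SEALED_TEXT, SEALED_VALUE),
                               ("plain", PLAIN_TEXT, PLAIN_VALUE)):
        print(f"{label:7} encrypted={single(text, value)}")
```

The order inside encrypted_reason is a design choice: the cheap string checks run before the Base64 decode. Note also that the constructed SealedSecret value happens to decode to a leading (2, 0) byte pair, so it would be caught by the Base64 heuristic even if its `encryptedData` context were stripped away; the plaintext password, containing underscores, never reaches the decode step at all.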