
Encrypted Secrets

What are encrypted secrets?

Encrypted secrets are secrets that are not stored in cleartext: they are encrypted with a key kept in a secured location.
Because the ciphertext is useless without that key, these values are safe to share publicly. As such, GitGuardian strives not to report encrypted secrets as leaks.

Heuristics we use

Since we don't want to report encrypted secrets as leaks, we have to identify which secrets are encrypted: at first glance, an encrypted secret might seem very similar to an unencrypted one. Here are different heuristics we use to identify encrypted secrets.

Note that a secret is often composed of several matches. GitGuardian considers the secret encrypted if at least one of the matches is encrypted.

Found by a generic detector

First, the secret must have been found by a generic detector. Patterns used by API-specific detectors are unlikely to mistakenly match an encrypted secret, because these patterns have constraints like starting with a given prefix, being of a precise length, or consisting of a specific set of characters.

Stored in a file generated by encrypting tools

Tools like SOPS can encrypt and decrypt secrets in JSON or YAML files. We skip files whose extensions match those used by such tools.

Match BCrypt or Crypt format

If one of the secret's matches follows the format of a BCrypt hash string or a Crypt hash string, it is considered encrypted.

Context hints

If the text before one of the matches contains one of the following common encryption indicators (this list is non-exhaustive):

  • "ENC[" or "ENC("
  • "SealedSecret"
  • "encrypteddata"
  • "encryptedpassword"
  • "encryptedsecrets"
  • "encvalues"
  • "secure"
  • "type: Opaque"

then the match is considered encrypted.

Base64 encrypted data

If the match is a long Base64-encoded string and its first decoded bytes are (1, 0), (2, 0), (1, 1) or (10, 36, 0), then the match is considered to be Base64-encoded encrypted data.
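As an added example (not GitGuardian's code), the heuristics above expressed as a small Python classifier over (preceding text, match) pairs. The BCrypt/Crypt regular expressions, the case-insensitive matching of context hints, the 32-character threshold for a "long" Base64 string and the sample values are assumptions of this example, not details taken from the page.

```python
import base64
import binascii
import re

# Context indicators listed on the page (the page notes the list is non-exhaustive).
# Assumption: compared case-insensitively, since field names such as "encryptedData" vary in case.
CONTEXT_HINTS = ("ENC[", "ENC(", "SealedSecret", "encrypteddata", "encryptedpassword",
                 "encryptedsecrets", "encvalues", "secure", "type: Opaque")

# Modular-crypt-format patterns (assumed): bcrypt ($2$, $2a$, $2b$, $2x$, $2y$ with a two-digit
# cost and 53 salt+hash characters) and crypt(3) MD5 ($1$), SHA-256 ($5$), SHA-512 ($6$)
# with an optional rounds= parameter.
BCRYPT_RE = re.compile(r"^\$2[abxy]?\$\d{2}\$[./A-Za-z0-9]{53}$")
CRYPT_RE = re.compile(r"^\$[156]\$(rounds=\d+\$)?[^$]+\$[./A-Za-z0-9]+$")

# Leading decoded bytes the page lists for Base64-wrapped encrypted data.
BASE64_PREFIXES = (bytes([1, 0]), bytes([2, 0]), bytes([1, 1]), bytes([10, 36, 0]))
MIN_BASE64_LEN = 32  # the page only says "long"; this threshold is an assumption


def matches_hash_format(match: str) -> bool:
    """Heuristic 'Match BCrypt or Crypt format'."""
    return bool(BCRYPT_RE.match(match) or CRYPT_RE.match(match))


def has_context_hint(preceding_text: str) -> bool:
    """Heuristic 'Context hints': an indicator appears in the text before the match."""
    lowered = preceding_text.lower()
    return any(hint.lower() in lowered for hint in CONTEXT_HINTS)


def is_base64_encrypted(match: str) -> bool:
    """Heuristic 'Base64 encrypted data': long, valid Base64 whose decoded prefix is listed."""
    if len(match) < MIN_BASE64_LEN:
        return False
    try:
        decoded = base64.b64decode(match, validate=True)
    except (binascii.Error, ValueError):
        return False
    return any(decoded.startswith(prefix) for prefix in BASE64_PREFIXES)


def is_encrypted_secret(matches, found_by_generic_detector: bool = True) -> bool:
    """Combine the heuristics: only generic-detector findings qualify, and a single
    encrypted match is enough for the whole secret to be considered encrypted."""
    if not found_by_generic_detector:
        return False
    return any(has_context_hint(context) or matches_hash_format(value) or is_base64_encrypted(value)
               for context, value in matches)
```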