Rails Secret Key Base

Description

General

• Documentation: https://guides.rubyonrails.org/security.html#custom-credentials

• Summary: Ruby on Rails is a web framework written in Ruby. By default, Rails encrypts secrets before storing them in a credentials.yml.enc file. Alternatively, these secrets can be stored in a secrets.yml file. This detector focuses on catching the production secret_key_base in unencrypted files.

• Scopes: Different secret_key_base are associated to different environment. This detector focuses on production keys.

Revoke the secret

To generate a new secret_key_base, use rake secret command. See complementary documentation here.

Check for suspicious activity

Details for Rails secret key base var

• Family: PrivateKey

• Category: Private key

• High recall: False

• Validity check available: False

• Minimum number of matches: 1

• Occurrences found for one million commits: 2.22

• Prefixed: False

• PreValidators:

- type: ContentWhitelistPreValidator
  patterns:
    - secret_key_base

Examples

- text: |
    production:
      secret_key_base: "169458cb0ef6432e6d6baf0d6bc44240"
  secret_key: 169458cb0ef6432e6d6baf0d6bc44240

- text: |
    +production:
    +  secret_key_base: "169458cb0ef6432e6d6baf0d6bc44240"
  secret_key: 169458cb0ef6432e6d6baf0d6bc44240

- text: |
    -staging:
    -  secret_key_base: "169458cb0ef6432e6d6baf0d6bc44240"
  secret_key: 169458cb0ef6432e6d6baf0d6bc44240