
Detect secrets in CI pipelines

Overview

For vulnerabilities that are only exploitable at runtime, such as buffer overflows, SQL injection, or cross-site scripting, application security testing in CI pipelines usually translates into considerably shorter fix times. Hardcoded credentials are different: finding them in CI brings no remediation advantage over finding them through the VCS integration, because by the time a CI job runs, the commit has already been pushed to the centralized repository. For the same reason, incidents detected during CI scans are also raised in the GitGuardian dashboard, since the remote branches live in that repository.

Regard any secret that enters a centralized remote repository as compromised, no matter how it got there. A finding in CI therefore triggers the full remediation process: revoke and rotate the credential first, then re-run the security checks.

Advantages

Automating security testing in CI pipelines is an effective way to quickly raise awareness of the hardcoded-secrets problem across both developer and DevOps engineering teams: a failed job is immediate, visible feedback on the exact commit that introduced the secret.

Integrate ggshield in CI workflows

  1. Create a service account for the GitGuardian API
  2. Set up CI/CD Integrations with ggshield
    1. Jenkins CI
    2. GitHub Actions
    3. GitLab CI/CD
    4. Azure pipelines
    5. Bitbucket pipelines
    6. Circle CI
    7. Drone CI
    8. Travis CI
    9. Scan Docker images after the build job
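As an added example, not taken from the GitGuardian docs and not the project's own code, the following GitHub Actions workflow ties the steps above together for one of the listed CI systems: it scans the commits of each push or pull request with the official ggshield action, then builds a Docker image and scans its layers. It assumes a repository secret named GITGUARDIAN_API_KEY holding the service-account key from step 1 and a Dockerfile at the repository root; the image name myapp:ci and the workflow file name are placeholders.

```yaml
# .github/workflows/ggshield.yml (added example, not from the original page)
name: GitGuardian secret scan

on: [push, pull_request]

jobs:
  scan-commits:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # Full history: ggshield scans every new commit in the push, not only HEAD
          fetch-depth: 0
      - name: Scan new commits with ggshield
        uses: GitGuardian/ggshield-action@v1
        env:
          # Let ggshield work out which commits are new on this push / pull request
          GITHUB_PUSH_BEFORE_SHA: ${{ github.event.before }}
          GITHUB_PUSH_BASE_SHA: ${{ github.event.base }}
          GITHUB_PULL_BASE_SHA: ${{ github.event.pull_request.base.sha }}
          GITHUB_DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
          # Service-account API key stored as an encrypted repository secret (assumed name)
          GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }}

  scan-image:
    runs-on: ubuntu-latest
    needs: scan-commits
    steps:
      - uses: actions/checkout@v4
      - name: Build the image (myapp:ci is a placeholder tag)
        run: docker build -t myapp:ci .
      - name: Install ggshield
        run: pip install --upgrade ggshield
      - name: Scan the built image's layers for secrets
        env:
          GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }}
        run: ggshield secret scan docker myapp:ci
```

Both scan steps exit non-zero when a secret is found, which fails the job. As stated above, a failure here means the secret has already reached the remote repository (or the image registry, if the push step ran first): revoke and rotate it, then re-run the pipeline rather than simply retrying it.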