Copyright © 2022 The Linux Foundation®. All rights reserved. The Linux Foundation has registered trademarks and uses trademarks.

Code Secrets

Last updated 8 months ago


LFX Security has partnered with BluBracket to scan open source code for sensitive private information and non-inclusive language; we call this information "code secrets". Detecting and monitoring code secrets lets projects find and remediate these risks early, which makes the code and the project more secure.

Code Secrets Detected

The Code Secrets Detected donut chart shows the number of code secrets detected in the project and the types of code secrets they fall into. Clicking a detected code secret navigates to the Code Secret Details page.

Scanning of Projects for Code Secrets

After a project is onboarded, the LFX Security platform scans its repositories for code secrets. It scans the selected organization or repository and reports the code secrets and notifications it detects.

Project Code Secrets

LFX Security scans repositories and organizations for code secrets such as passwords, JWT tokens, AWS access keys, Terraform state files, and non-enterprise webhooks.

To access the code secrets for a project or repository, perform the following steps:

1. Log in to LFX Security, select the required project, and click View Dashboard.

2. Select Code Secrets from the top menu. The code secrets are listed under the CODE SECRETS EXPOSED tab.

3. The list provides the following details for each code secret:

  • Detected On - Date and time when the code secret was detected

  • Alert Type - Type of code secret that was detected

  • Repository - Name of the repository that contains the code in which the code secret was detected

  • Developer - Name of the developer who checked the code in to the repository

  • Status - Whether the code secret has been resolved or reviewed

  • Take Action - Lets you take action on the code secret

You need the necessary permissions to take action on code secrets. Without them, the Take Action option is not available.

Code Secret Details

The CODE SECRETS REVEALED tab lists the code secrets associated with the project or repository. You can view the details of a listed code secret through the Take Action column.

To check the details of a listed code secret, perform the following steps:

1. Select Code Secrets from the top menu. The code secrets are listed under the CODE SECRETS REVEALED tab.

2. Click the icon in front of Take Action.

3. The code secret details box appears; an icon lets you minimize or maximize it. The following details are available:

  • File Details

    • Name - A hyperlink to the exact line of code in which the code secret was found.

    • Private Key - The code secret identified in the file. The value is masked so that the exposed value is not displayed; to see it, click the file name or the commit ID.

    • Secret Hash - The hash value that identifies the code secret.

  • Repository Details

    • Organization - Name of the GitHub organization.

    • Provider - Name of the provider that hosts the code.

    • Description - A short description of the organization.

  • Commit Details

    • Commit ID - A hyperlink to the commit in which the code was checked in.

    • Time - Date and time when the code was checked in.

    • Committed By - Name of the developer who checked in the code.

    • Message - The git commit message of the commit that introduced the code secret into the repository. It may hint at why the code secret was added, or which bug fix or feature the change belongs to.

Actions Performed on the Code Secrets

Project maintainers can perform various actions on code secrets to mitigate the risk to the code and the project. The details icon shows all the available information about a code secret; based on those details, you can choose the appropriate action.

To perform an action on a code secret, perform the following steps:

1. Select Code Secrets from the top menu. The code secrets are listed under the CODE SECRETS REVEALED tab.

2. Click the icon in front of Take Action.

3. The code secret details box appears with all the details of the code secret. Click Actions and select the action to perform on the listed code secret.

4. Under Actions, the following actions are available:

  • Resolve - Use this option once the code secret has been dealt with. Resolving an alert does not revoke the credential: a secret that has been committed should be treated as compromised and rotated, even if the commit is later removed from the history.

  • Ignore - Use this option to ignore the code secret

  • False Positive - Use this option if the reported code secret is not actually a secret

Categorization of Code Secrets

LFX Security lets you filter the code secrets by several parameters. The following filters are available:

  • Alert Type

  • Repository

  • Developer

To add a filter, perform the following:

1. Click Add Filters +, select the required filters, and click Apply Filters.

Scanning of Projects for Notifications

In addition to code secrets, LFX Security raises general notifications about repositories. These notifications are informational and not critical if ignored; they keep project maintainers informed about changes to their projects and repositories.

Some of the notification types are:

  • Web hook URL non enterprise

  • Repo forked

  • Users edited in the repo
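To make concrete what the secret types listed under Project Code Secrets and the non-enterprise webhook notification above look like in practice, the following Python scanner is an added example written for this page; it is not LFX Security or BluBracket code. Its detection rules (the AWS access key, JWT, password and Slack webhook patterns, and the .tfstate file-name check) are this example's own assumptions, not the platform's rule set. It runs over a constructed sample repository, masks each matched value the way the Private Key field does, and records a SHA-256 fingerprint in the role of the Secret Hash so that the same secret committed in two files is recognised as one.

```python
"""Toy code-secret scanner (added example, not LFX Security or BluBracket code)."""
from __future__ import annotations

import base64
import hashlib
import json
import re
from dataclasses import dataclass

# Detection rules are this example's own assumptions; the platform's real
# rule set is not published on the page.
SECRET_PATTERNS = {
    "AWS Access Key ID": re.compile(r"(?<![A-Z0-9])AKIA[0-9A-Z]{16}(?![A-Z0-9])"),
    "JWT Token": re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+"),
    "Password": re.compile(r"(?i)password\w*\s*[:=]\s*['\"]([^'\"]{8,})['\"]"),
}
NOTIFICATION_PATTERNS = {
    "Web hook URL non enterprise": re.compile(r"https://hooks\.slack\.com/services/[A-Za-z0-9/]+"),
}
STATE_FILE_SUFFIXES = (".tfstate", ".tfstate.backup")


@dataclass
class Finding:
    kind: str          # "secret" or "notification"
    alert_type: str
    file: str
    line: int          # 0 when the whole file is the finding
    masked: str        # display value; never the raw secret
    secret_hash: str   # fingerprint of the raw value, used to deduplicate


def mask(value: str) -> str:
    """Keep a 4-character prefix so the secret type stays recognisable."""
    return value[:4] + "*" * max(len(value) - 4, 0)


def fingerprint(value: str) -> str:
    """Stable identifier for a secret that does not reveal it."""
    return hashlib.sha256(value.encode()).hexdigest()[:16]


def looks_like_jwt(token: str) -> bool:
    """Cut false positives: the first segment must decode to a JSON header with 'alg'."""
    header = token.split(".")[0]
    try:
        decoded = json.loads(base64.urlsafe_b64decode(header + "=" * (-len(header) % 4)))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return False
    return isinstance(decoded, dict) and "alg" in decoded


def scan_file(path: str, text: str) -> list[Finding]:
    findings: list[Finding] = []
    if path.endswith(STATE_FILE_SUFFIXES):
        # A Terraform state file is reported as a whole: it routinely holds credentials.
        findings.append(Finding("secret", "Terraform State File", path, 0, "<entire file>", fingerprint(text)))
    for lineno, line in enumerate(text.splitlines(), start=1):
        for alert_type, pattern in SECRET_PATTERNS.items():
            for match in pattern.finditer(line):
                value = match.group(match.lastindex or 0)  # captured value if the rule has a group
                if alert_type == "JWT Token" and not looks_like_jwt(value):
                    continue
                findings.append(Finding("secret", alert_type, path, lineno, mask(value), fingerprint(value)))
        for alert_type, pattern in NOTIFICATION_PATTERNS.items():
            for match in pattern.finditer(line):
                url = match.group(0)
                findings.append(Finding("notification", alert_type, path, lineno, mask(url), fingerprint(url)))
    return findings


def scan_repo(files: dict[str, str]) -> list[Finding]:
    return [f for path, text in files.items() for f in scan_file(path, text)]


def group_by_hash(findings: list[Finding]) -> dict[str, list[str]]:
    """Map each secret fingerprint to the files it appears in (same secret, one hash)."""
    groups: dict[str, list[str]] = {}
    for f in findings:
        if f.kind == "secret":
            groups.setdefault(f.secret_hash, []).append(f.file)
    return groups


def _b64url(obj) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj, separators=(",", ":")).encode()).rstrip(b"=").decode()


# Constructed sample repository: no real credentials; the AWS key is Amazon's documented example value.
REAL_JWT = ".".join([_b64url({"alg": "HS256", "typ": "JWT"}), _b64url({"sub": "ci-bot"}), "c2lnbmF0dXJl"])
NOT_A_JWT = ".".join([_b64url({"note": "just json"}), "YWJj", "ZGVm"])  # starts with eyJ but has no alg
SAMPLE_REPO = {
    "config/settings.py": 'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\nDB_PASSWORD = "s3cr3t-p@ssw0rd-2024"\n',
    "scripts/deploy.sh": f'export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\nTOKEN="{REAL_JWT}"\nMARKER="{NOT_A_JWT}"\n',
    "infra/terraform.tfstate": '{"version": 4, "resources": []}\n',
    ".github/notify.yml": "url: https://hooks.slack.com/services/T000/B000/XXXXXXXX\n",
}

if __name__ == "__main__":
    for f in scan_repo(SAMPLE_REPO):
        print(f"{f.kind:<12} {f.alert_type:<28} {f.file}:{f.line}  {f.masked}  hash={f.secret_hash}")
```

The JWT rule decodes the first segment and requires a JSON header with an alg field before reporting, which is how a scanner avoids flagging every base64 blob that happens to start with eyJ; checking structure beyond the regex is what keeps the False Positive action rare. The fingerprint is what lets the same leaked key in config/settings.py and scripts/deploy.sh be tracked as one secret without storing the raw value anywhere.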

Code Secret Notifications

LFX Security scans repositories and organizations and raises various notifications about them.

To access the code secret notifications for a project or repository, perform the following steps:

1. Log in to LFX Security, select the required project, and click View Dashboard.

2. Select Code Secrets from the top menu. The notifications are listed under the NOTIFICATIONS tab.

3. The list provides the following details for each notification:

  • Detected On - Date and time when the notification was raised

  • Event Type - Type of event that was detected

  • Repository - Name of the repository in which the event was detected

  • Developer - Name of the developer who checked the code in to the repository

Code Secret Notification Details

The NOTIFICATIONS tab lists the notifications associated with the project or repository. You can view the details of a listed notification through its icon.

To check the details of a listed notification, perform the following steps:

1. Select Code Secrets from the top menu. The notifications are listed under the NOTIFICATIONS tab.

2. Click the icon in front of the notification.

3. The notification details box appears. The following details are available:

  • Repository - Name of the repository

  • Repo URL - URL of the repository

  • Source Repo URL - URL of the source repository

Filter of Notifications through Event Type

You can filter the notifications based on the event types.

To add a filter, perform the following:

1. Click Add Filters +, select the required filters, and click Apply Filters.
