Code Secrets

LFX Security has collaborated with BluBracket to scan open source code for sensitive private information and non-inclusive words; we call this information "code secrets". Detecting and monitoring code secrets makes open source projects more secure: exposed credentials and similar risks are found and tracked, and the code improves as a result.

In order to scan for code secrets, projects need to be onboarded to the BluBracket platform.

The LFX team will share a link with the project maintainer to install the LFX Security GitHub App, which onboards the project. The project maintainer should install the LFX Security GitHub App using that link.

Installing LFX Security GitHub App

The project maintainer will receive the LFX Security GitHub App link from the LFX team. The project maintainer should install the LFX Security GitHub App in order to onboard the project.

To install the LFX Security GitHub App, perform the following steps:

1. Click the link shared in the email received from the LFX team.

2. Sign in with the login credentials of your GitHub account. Enter the Username and Password and click Sign in.

GitHub Login

3. The GitHub organizations associated with the login account are listed. Select the required organization.

GitHub Organizations

4. The Install & Authorize LFX Security GitHub App page appears. This page provides the following information:

  • Information on the permissions requested for the selected repositories. LFX Security requests the following permissions:

    • Read access to administration, code, commit status checks, member lookup, and other metadata.

    • Read and write access to organization hooks, pull requests, and repository hooks.

  • Installing and authorizing the LFX Security GitHub App immediately grants these permissions on your account:

    • Read access to emails

  • Access to the repositories. You can grant access either to all repositories or to selected repositories in the GitHub organization.

Click Install & Authorize to install the LFX Security GitHub App.

Install Permissions

5. The LFX Security Service GitHub app is installed successfully. You can see the installation success message.

Installation Complete

You will also receive an email after successful installation of the LFX Security GitHub App.

Scanning of Projects for Code Secrets

After the projects are onboarded, the LFX Security platform scans them for code secrets. It scans the repositories of the selected organization or repository, detects code secrets, and raises notifications.

Project Code Secrets

LFX Security scans the repositories and organizations for code secrets such as passwords, JWT tokens, AWS access keys, Terraform state files and non-enterprise webhooks.

To access code secrets for a project or repository, perform the following steps:

1. Log in to LFX Security, select the required project and click View Issues.

View Issues

2. Select Code Secrets from the top menu. The code secrets are listed under the CODE SECRETS REVEALED tab.

Code Secrets

3. The list provides the following details related to the code secrets:

  • Time - Date and time when the code secret was detected

  • Description - Type of code secret that has been detected

  • Repository - Name of the repository containing the code in which the code secret was detected

  • Developer - Name of the developer who checked the code in to the repository

  • Icon - Minimizes and maximizes the code secret details

Code Secret Details

The Code Secrets Revealed tab lists the code secrets associated with the project or repository. You can check the details of a listed code secret with the help of the icon.

To check the details related to the listed code secrets, perform the following steps:

1. Select Code Secrets from the top menu. The code secrets are listed under the CODE SECRETS REVEALED tab.

2. Click the icon listed in front of the code secret.

Code Secret

3. The code secret details box appears with a list of all the details related to the code secret. The following details are available for you to check out:

  • File Details

    • Name - A hyperlink that navigates you to the exact line of code that is a potential threat or vulnerability.

    • Private Key - The code secret identified in the file. The value is masked so that the exposed secret value is not shown. To see the code secret, click the filename or the commit ID.

    • Secret Hash - The hash ID value for the code secret.

  • Repository Details

    • Organization - Name of the GitHub organization.

    • Provider - Name of the provider where the code is hosted.

    • Description - A short description of the organization.

  • Commit Details

    • Commit ID - A hyperlink that navigates you to the commit that checked in the code.

    • Time - Date and time when the code was checked in.

    • Committed By - Name of the developer who checked in the code.

    • Message - The message associated with the git commit that introduced the code secret into the repository. It may hint at why the code secret was added, or which bug fix or feature enhancement the change belongs to.

Code Secret Details
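As an added illustration of what the scanner described above does (the secret types listed under "Project Code Secrets", and the masked value, secret hash, repository and developer fields shown in the details box), the following Python example scans a few constructed changed lines for passwords, JWT tokens, AWS access keys and private keys, and produces findings that can be filtered by repository, developer or type. This is example code written for this page; it is not BluBracket's or LFX Security's code, the detection patterns are illustrative rather than the platform's rules, the sample changes and names (example-org, dev-a, dev-b, the commit ids) are made up, and SHA-256 is an assumed way of computing the secret hash, since the page does not say how the platform derives it. Terraform state files and non-enterprise webhooks from the page's list are not covered by these patterns.

```python
import hashlib
import re
from dataclasses import dataclass

# Constructed sample input: changed lines as a scanner would see them in a commit.
# Every repository, developer, commit id and secret value below is made up for
# this example (the AWS key is the placeholder used in AWS documentation).
SAMPLE_CHANGES = [
    {"repository": "example-org/api-server", "developer": "dev-a", "commit": "c0ffee1",
     "time": "2023-05-01T10:00:00Z", "path": "config/settings.py", "line_no": 12,
     "line": 'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"'},
    {"repository": "example-org/api-server", "developer": "dev-a", "commit": "c0ffee1",
     "time": "2023-05-01T10:00:00Z", "path": "config/settings.py", "line_no": 13,
     "line": 'db_password = "hunter2hunter2"'},
    {"repository": "example-org/web-client", "developer": "dev-b", "commit": "deadbee",
     "time": "2023-05-02T09:30:00Z", "path": "src/auth.js", "line_no": 4,
     "line": 'const token = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0In0.abc123DEF456";'},
    {"repository": "example-org/web-client", "developer": "dev-b", "commit": "deadbee",
     "time": "2023-05-02T09:30:00Z", "path": "deploy/id_rsa", "line_no": 1,
     "line": "-----BEGIN RSA PRIVATE KEY-----"},
    {"repository": "example-org/web-client", "developer": "dev-b", "commit": "deadbee",
     "time": "2023-05-02T09:30:00Z", "path": "src/config.js", "line_no": 2,
     "line": "const timeout = 30;"},  # clean line, must produce no finding
]

# Illustrative detection rules keyed by the description shown in the findings list.
# When a pattern has a capture group, the group is the secret; otherwise the whole match is.
PATTERNS = {
    "AWS access key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "JWT token": re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+"),
    "Private key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "Password": re.compile(r"(?i)password\s*[=:]\s*['\"]([^'\"]{6,})['\"]"),
}


@dataclass
class Finding:
    time: str
    description: str
    repository: str
    developer: str
    commit: str
    file: str
    line_no: int
    masked_value: str  # the raw secret is never stored or displayed
    secret_hash: str   # stable identifier: the same secret in two places hashes the same


def mask(secret: str) -> str:
    """Keep a short prefix so the finding is recognisable and hide the rest."""
    if len(secret) <= 4:
        return "*" * len(secret)
    return secret[:4] + "*" * (len(secret) - 4)


def secret_hash(secret: str) -> str:
    """Assumed representation of the 'Secret Hash' field: SHA-256 of the raw value."""
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()


def scan_change(change: dict) -> list:
    """Run every pattern over one changed line and report each match as a Finding."""
    findings = []
    for description, pattern in PATTERNS.items():
        for m in pattern.finditer(change["line"]):
            secret = m.group(m.lastindex or 0)
            findings.append(Finding(
                time=change["time"], description=description,
                repository=change["repository"], developer=change["developer"],
                commit=change["commit"], file=change["path"], line_no=change["line_no"],
                masked_value=mask(secret), secret_hash=secret_hash(secret)))
    return findings


def scan(changes) -> list:
    """Scan a sequence of changes, preserving commit order."""
    out = []
    for change in changes:
        out.extend(scan_change(change))
    return out


def filter_findings(findings, repository=None, developer=None, description=None):
    """Mirror the Repository, Developer and type filters of the findings list."""
    return [f for f in findings
            if (repository is None or f.repository == repository)
            and (developer is None or f.developer == developer)
            and (description is None or f.description == description)]


if __name__ == "__main__":
    for f in scan(SAMPLE_CHANGES):
        print(f"{f.time} {f.description:15} {f.repository:23} {f.developer:6} "
              f"{f.file}:{f.line_no} {f.masked_value} {f.secret_hash[:12]}")
```

Only the masked value and the hash leave the scanner; the raw match is used to compute them and then dropped, which is the same property the details box relies on when it masks the Private Key field and links to the file or commit instead.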

Actions Performed on the Code Secrets

Project maintainers can perform various actions on the code secrets. These actions help to mitigate the vulnerabilities in the code and the project. The icon provides all the details related to a code secret; based on those details, you can perform certain actions on it.

To perform actions on the code secrets, perform the following steps:

1. Select Code Secrets from the top menu. The code secrets are listed under the CODE SECRETS REVEALED tab.

2. Click the icon listed in front of the code secret.

Code Secret

3. The code secret details box appears with a list of all the details related to the code secret. Click Actions and select the required action to be performed for the listed code secret.

Code Secrets Actions

4. Under the Actions drop-down, you can see the following actions:

  • Resolve - Use this option to resolve the code secret

  • Ignore - Use this option to ignore the code secret

  • False Positive - Use this option if you think the mentioned code secret is not a code secret

  • Dismiss - Use this option to dismiss the code secret

Categorization of Code Secrets

LFX Security allows you to categorize the code secrets using various parameters. The following are a few of the categories available to filter or categorize code secrets:

  • Code Secret State

  • Alert Type

  • Repository

  • Developer

Filter of Code Secrets through Code Secret Type

You can filter the code secrets based on the code secret type. The code secret types are:

  • Dismissed

  • False Positive

  • Active

Code Secret Type Filter

Filter of Code Secrets through Alert Type

You can filter the code secrets based on the alert type. The alert types are:

  • Repo Requires Insufficient Number of Reviewers

  • Repo Scan Match

  • User Edited In Repo

  • Web Hook Url Non Enterprise

Alert Type Filter

Filter of Code Secrets through Repository

You can filter the code secrets based on different repositories in the GitHub organization.

Repository Filter

Filter of Code Secrets through Developers

You can filter the code secrets based on the individual developers who have checked code in to the repositories.

Developer Filter

You can use the Reset option to clear all the filters.

Scanning of Projects for Notifications

Code secrets also provide generic notifications related to the repositories. These notifications are informational and are not fatal even if ignored; they give project maintainers information on their projects and repositories.

Some of the notifications provided by code secrets are:

  • Web hook URL non enterprise

  • Repo forked

  • Users edited in the repo

Code Secret Notifications

LFX Security will scan the repositories and organizations and provide various notifications related to them.

To access code secrets notifications for a project or repository, perform the following steps:

1. Log in to LFX Security, select the required project and click View Issues.

View Issues

2. Select Code Secrets from the top menu. The code secret notifications are listed under the NOTIFICATIONS tab.

Code Secret Notifications

3. The list provides the following details related to the code secret notifications:

  • Time - Date and time when the notification was detected

  • Description - Type of notification that has been detected

  • Repository - Name of the repository containing the code in which the notification was detected

  • Developer - Name of the developer who checked the code in to the repository

  • Icon - Minimizes and maximizes the notification details

Code Secret Notification Details

The Notifications tab lists the notifications associated with the project or repository. You can check the details of a listed notification with the help of the icon.

To check the details related to the listed notification, perform the following steps:

1. Select Code Secrets from the top menu. The code secret notifications are listed under the NOTIFICATIONS tab.

2. Click the icon listed in front of the notification.

Notification

3. The notification details box appears with a list of all the details related to the notification. The following details are available for you to check out:

  • Repository - Name of the repository

  • Repo URL - URL of the repository

  • Source Repo URL - Source URL of the repository

  • New file copies count - Number of new files

  • New in file copies count - Number of in files

  • New out file copies count - Number of out files

Notifications Details

Filter of Notifications through Event Type

You can filter the notifications based on the event types.

Event Type Filter