Code Secrets
LFX Security has collaborated with BluBracket to scan for valuable private information and non-inclusive words in open source code, we call this information “code secrets”. Unearthing code secrets has made the open source projects more secure and the code security is enhanced to a great extent by detecting and monitoring the risks thus improving the code.
In order to scan for code secrets, projects need to be onboarded to the BluBracket platform.
LFX team will share the link with the project maintainer to install the LFX Security GitHub App to onboard the project. The project maintainer should install the LFX Security GitHub App.
The project maintainer of the project will receive the LFx Security GitHub App link from the LFX team. The project maintainer should install the LFx Security GitHub App inorder to onboard the project.
To install the LFX Security GitHub App, perform the following steps:
1.Click the link that is shared in the email which is received from the LFX team.
2.You need to sign with the login credentials of your GitHub account. Enter the Username, Password and click Sign in.
3.List of GitHub organization associated with the login account are listed and displayed. Select the required organization.
4.The Install & Authorize LFx Security GitHub App page appears. This page provides the following information:
Information on the permission requested for the selected repositories. The LFX Security requests the following permissions:
Read access to administer, code, check commit status, lookup members, and other metadata.
Read and write access to organization hooks, pull requests, and repository hooks.
Installing and authorizing LFX Security GitHub App immediately grants these permissions on your account:
Read access to emails
Access to the repositories. You can either provide access to all the repositories or the for the selected repositories in the GitHub organization.
Click Install & Authorize to install the LFX Security GitHub App.
5.The LFX Security Service GitHub app is installed successfully. You can see the installation success message.
You will also receive an email after successful installation of the LFX Security GitHub App.
After onboarding the projects, scanning of projects for code secrets is carried out by LFX Security platform. The LFX Security platform will scan the repositories and detect the code secrets and notifications for the selected organization or repository.
LFX Security will scan the repositories and organizations for code secrets such as passwords, JWT tokens, AWS access keys, terraform state file and non enterprise webhooks.
To access code secrets for a project or repository, perform the following steps:
1.Login to LFX Security and select the required project and click View Issues.
2.Select Code Secrets from the top menu. The Code secrets are listed under the CODE SECRETS REVEALED tab.
3. The list provides the following details related to the code secrets:
Time - Date and time when the code secret is detected
Description - Type of code secret that is been detected
Repository - Name of the repository which contains the code from where the code secret has been detected
Developer - Name of the developer who has checked in the code in the repository
- Icon to minimize and maximize the code secret details.
The Code Secrets Revealed tab provides you the list of code secrets associated with the project or repository. You can check the details of the listed code secret with the help of the 
icon.
To check the details related to the listed code secrets, perform the following steps:
1.Select Code Secrets from the top menu. The Code secrets are listed under the CODE SECRETS REVEALED tab.
2. Click the icon listed in front of the code secret.
3. The code secret details box appears with a list of all the details related to the code secret. The following details are available for you to check out:
File Details
Name - A hyperlink that will navigate you to the exact line of the code which is a potential threat or vulnerability.
Private Key - The code secret that was identified in the file. The value is masked such that it doesn’t show the exposed code secret value. To see the code secret, click on the filename or the commit ID.
Secret Hash - The hash ID value for the code secret.
Repository Details
Organization - Name of the GitHub organization.
Provider - Name of the provider where the code is hosted.
Description - A short info on the organization.
Commit Details
Commit ID - A hyperlink that will navigate you to the ID who has checked in the code.
Time - Date and time when the code is checked in.
Committed By - Name of the developer who has checked in the code.
Message - This is the message associated with the git commit when the code secret was introduced into the repository. This may provide a hint as to why the code secret was added or which bug fix or feature enhancement is associated with the change.
Project Maintainers can perform various actions on the code secrets. These actions will help to mitigate the vulnerabilities for the code and the project. The icon provides you all the required details related to the code secrets, based on the details available, you can perform certain actions on these code secrets.
To perform actions on the code secrets, perform the following steps:
1.Select Code Secrets from the top menu. The Code secrets are listed under the CODE SECRETS REVEALED tab.
2. Click the icon listed in front of the code secret.
3. The code secret details box appears with a list of all the details related to the code secret. Click Actions and select the required action to be performed for the listed code secret.
4.Under Actions drop-down, you can see the following actions:
Resolve - Use this option to resolve the code secret
Ignore - Use this option to ignore the code secret
False Positive - Use this option if you think the mentioned code secret is not a code secret
Dismiss - Use this option to dismiss the code secret
LFX Security allows you to categorize the code secrets using various parameters. Following are few of the categories available to filter or categorize code secrets:
Code Secret State
Alert Type
Repository
Developer
You can filter the code secrets based on the code secret type. Following are the different type of code secret types:
Dismissed
False Positive
Active
You can filter the code secrets based on the alert type. Following are the different type of alert types:
Repo Requires Insufficient Number of Reviewers
Repo Scan Match
User Edited In Repo
Web Hook Url Non Enterprise
You can filter the code secrets based on different repositories in the GitHub organization.
You can filter the code secrets based on individual developers who have checked in their code in the repositories.
You can use the Reset option to clear all the filters.
Code secrets will provide generic notifications related to the repositories. These notifications are generic notifications which are not fatal even if ignored. These notifications will provide information to the project maintainers on their projects and repositories.
Few of the notifications provided by code secrets are:
Web hook URL non enterprise
Repo forked
Users edited in the repo
LFX Security will scan the repositories and organizations and provide various notifications related to them.
To access code secrets notifications for a project or repository, perform the following steps:
1.Login to LFX Security and select the required project and click View Issues.
2.Select Code Secrets from the top menu. The Code secrets notifications are listed under the NOTIFICATIONS tab.
3.The list provides the following details related to the code secrets notifications:
Time - Date and time when the code secret notification is detected
Description - Type of code secret notification that is been detected
Repository - Name of the repository which contains the code from where the code secret notification has been detected
Developer - Name of the developer who has checked in the code in the repository
- Icon to minimize and maximize the code secret details.
The Notifications tab provides you the list of notifications associated with the project or repository. You can check the details of the listed notification with the help of the icon.
To check the details related to the listed notification, perform the following steps:
1.Select Code Secrets from the top menu. The Code secret notifications are listed under the NOTIFICATION tab.
2. Click the icon listed in front of the notification.
3. The notification details box appears with a list of all the details related to the notification. The following details are available for you to check out:
Repository - Name of the repository
Repo URL - URL of the repository
Source Repo URL - Source URL of the repository
New file copies count - Number of new files
New in file copies count - Number of in files
New out file copies count - Number of out files
You can filter the notifications based on the event types.
