Secrets Security

A full-stack, multidimensional approach to finding and securing exposed and vulnerable secrets across all files in your repositories and CI/CD pipelines.

Developers use secrets to enable their applications to securely communicate with other cloud services. Storing secrets in a file in version control systems (VCS) like GitHub is not secure, creating potential vulnerabilities that can be exploited. This often happens when developers leave their secrets in the source code. Once a secret is committed into a repo, it is saved in its history, and any user can easily access those keys. This is especially risky if the repo contents are made public, making that resource easily found and utilized by threat actors.

Most tools only selectively scan for secrets at just one phase of the application lifecycle and can miss certain types of secrets altogether. Cortex® Cloud can ensure no secret is accidentally exposed while minimizing false positives and maintaining development velocity.

Cortex Cloud makes it seamless for developers to prevent exposed secrets in build and runtime.

By integrating into DevOps tools and across code, build, deploy, and runtime, Cortex Cloud continuously scans for exposed secrets across the entire development lifecycle. With a multidimensional approach that combines a signature-based policy library with a fine-tuned entropy model, Cortex Cloud identifies secrets in nearly any file type, including IaC templates, golden images, and Git repositories.
  • Multiple detection methods identify complex secrets like random strings or passwords.
  • Risk factors provide context for secrets to streamline prioritization and remediation.
  • Natively integrated into developer tools and workflows.
  • 100+ signature library.
  • Fine-tuned entropy model.
  • Supply chain visualization.
  • Broad coverage.
  • Detection pre-commit in VCS and CI pipelines.
  • Detection in running workloads and apps.
Solution

A Developer-First, Multidimensional Approach to Secrets Security

Precise detection

Secrets with a known, predictable format that can be matched by regular expressions (access tokens, API keys, encryption keys, OAuth tokens, certificates, etc.) are the most commonly identified. Cortex Cloud uses over 100 signatures to detect and alert on this wide array of secrets.

  • Vast coverage

    100+ domain-specific secret detectors ensure precise alerting in both build and runtime.

  • Broad and deep scanning

    Scan for secrets in all files in your repositories and the version histories across your integrations.


Fine-tuned entropy model

Not all secrets follow a consistent, identifiable pattern. For example, random-string usernames and passwords would not be detected by signature-based methods because they are random, potentially leaving "keys to the kingdom" exposed and publicly accessible. Cortex Cloud augments signature-based detection with a fine-tuned entropy model.

  • Fine-tuned entropy model

    Eliminate false positives with a fine-tuned entropy model that leverages string context to precisely identify complex secret types.

  • Unrivaled visibility

    Gain comprehensive visibility and control across the vast landscape of secrets used by cloud developers.


Developer feedback

Developers can analyze risks associated with exposed or vulnerable secrets in a few different ways:

  • Projects

    Native integrations in developer workflows surface detected secrets directly within the non-compliant file.

  • Supply chain

    The Supply Chain Graph displays the source code file nodes. A detailed investigation into the dependency tree helps developers identify the root cause of secret exposure.

  • Pull request comments

    Pull request scans surface potentially leaked secrets so users can spot and remove them easily.

  • Pre-commit hooks and CI integrations

    Leverage the pre-commit hook to block secrets from being pushed to a repository before a pull request is opened.


Additional Application Security capabilities

INFRASTRUCTURE AS CODE SECURITY

Automated IaC security embedded in developer workflows

SOFTWARE COMPOSITION ANALYSIS (SCA)

Highly accurate and context-aware open source security and license compliance

SOFTWARE SUPPLY CHAIN SECURITY

Harden your CI/CD pipelines, reduce your attack surface and protect your application development environment.

INFRASTRUCTURE AS CODE (IaC) SECURITY

Identify and fix misconfigurations in Terraform, CloudFormation, ARM, Kubernetes, and other IaC templates