Realtime Secret Mitigation
Hardcoded secrets mitigation is a tedious process that may disrupt development operations, especially when it requires the secret to be rotated. However, Arnica enables an automated hardcoded secret mitigation option, which enforces a "zero new hardcoded secrets" policy. This configuration prevents new hardcoded secrets from being committed while empowering the developers. Secrets are identified and blocked on push, and developers are given the ability to dismiss secrets when the use-case is deemed acceptable, such as when a private key is used for testing purposes only.
Arnica can mitigate hardcoded secrets on every git push event across all integrated source code repositories.
Historical secrets that were pushed to the git repository beforehand cannot be mitigated by design, because rewriting those commits could disrupt existing pull requests and ongoing development work.
Arnica scans every commit in each git push event to detect and validate hardcoded secrets. If a hardcoded secret is detected, and the secret matches existing , Arnica resets the branch to the pre-pushed state or to the commit before the detected hardcoded secret was introduced. This process takes seconds.
Secrets policies can be configured to notify developers or channels each time a hardcoded secret is detected or mitigated in real time. Both options are explained in detail in the page.
Arnica utilizes to communicate with specific channels or specific individuals.
When a new hardcoded secret finding is sent to a channel (e.g. on Slack or Microsoft Teams), the finding details are shown, but no action can be taken on it from the channel message.
When a new hardcoded secret finding is sent to an individual, such as the code pusher, a dismiss button is shown asking the developer whether the secret should be dismissed. If the developer selects this option, a justification is required to dismiss the finding.
Below are examples of messages sent to the code pusher on Slack and Microsoft Teams.
Arnica can mitigate the hardcoded secret while keeping the developer experience simple: the developer keeps the recently saved work on the git remote server/service, and no hardcoded secret is exposed in the git history.
To do it, Arnica creates a mitigated branch with the same name as the original feature branch, appended with -mitigated-by-Arnica. For example, if the feature branch name is my-urgent-feature, the mitigated branch will be called my-urgent-feature-mitigated-by-Arnica. This mitigated branch has all code changes that the original branch has, excluding the hardcoded secrets, which are masked with * where applicable.
When all secrets are scanned on a given git push event, Arnica can be configured to send the code pusher a notification containing a generated command line snippet that overwrites the local git history of the recently pushed code.
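The flow described above (scan each pushed commit, find the last clean commit to reset to, build a mitigated branch with the secrets masked by *, and hand the developer a snippet to realign their local branch) is easier to reason about as code. The following Python is an added illustration and is not Arnica's implementation: the detector patterns, the in-memory representation of a push as a list of (sha, {path: content}) pairs, the same-length masking, and the exact git commands in the generated snippet are all assumptions made for this example. Only the -mitigated-by-Arnica suffix comes from the page.

```python
import re
from dataclasses import dataclass

# Suffix named on the page; everything else in this module is an illustrative assumption.
MITIGATED_SUFFIX = "-mitigated-by-Arnica"

# Constructed detector rules (illustrative; not Arnica's detection logic).
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----.*?-----END (?:RSA |EC )?PRIVATE KEY-----",
        re.S,
    ),
}


@dataclass
class Finding:
    commit: str   # sha of the commit that introduced the secret
    path: str     # file in which it was found
    kind: str     # which detector rule matched
    start: int    # character span inside the file content
    end: int


def mitigated_branch_name(branch: str) -> str:
    """my-urgent-feature -> my-urgent-feature-mitigated-by-Arnica"""
    return branch + MITIGATED_SUFFIX


def find_secrets(commit: str, path: str, content: str, patterns=SECRET_PATTERNS):
    """Run every detector over one file and return findings ordered by position."""
    findings = [
        Finding(commit, path, kind, m.start(), m.end())
        for kind, rx in patterns.items()
        for m in rx.finditer(content)
    ]
    return sorted(findings, key=lambda f: f.start)


def mask_content(content: str, findings) -> str:
    """Replace each secret span with '*' of the same length (newlines kept so
    line numbers and diffs stay aligned; the same-length choice is an assumption)."""
    out, pos = [], 0
    for f in findings:
        if f.end <= pos:          # fully inside an earlier, already-masked span
            continue
        start = max(f.start, pos)  # tolerate overlapping matches
        out.append(content[pos:start])
        out.append("".join("\n" if c == "\n" else "*" for c in content[start:f.end]))
        pos = f.end
    out.append(content[pos:])
    return "".join(out)


def process_push(branch: str, base_sha: str, commits):
    """commits: list of (sha, {path: content}), oldest first, as pushed.
    base_sha: the remote tip before the push (the 'pre-pushed state')."""
    findings, mitigated, first_bad = [], [], None
    for idx, (sha, files) in enumerate(commits):
        masked = {}
        for path, content in files.items():
            fs = find_secrets(sha, path, content)
            findings.extend(fs)
            masked[path] = mask_content(content, fs)
            if fs and first_bad is None:
                first_bad = idx
        mitigated.append((sha, masked))
    if not findings:
        return {"blocked": False, "findings": [], "reset_to": None,
                "mitigated_branch": None, "mitigated_commits": commits, "snippet": None}
    # Reset target: the commit just before the first one carrying a secret,
    # or the pre-push tip if the very first pushed commit is the offender.
    reset_to = base_sha if first_bad == 0 else commits[first_bad - 1][0]
    mb = mitigated_branch_name(branch)
    # Hypothetical shape of the snippet handed to the code pusher; the real
    # snippet's contents are not shown on the page.
    snippet = "\n".join([
        "git fetch origin",
        f"git checkout {branch}",
        f"git reset --hard origin/{mb}",
    ])
    return {"blocked": True, "findings": findings, "reset_to": reset_to,
            "mitigated_branch": mb, "mitigated_commits": mitigated, "snippet": snippet}


# Constructed sample push: one clean commit, one that hardcodes an AWS-style
# access key id (AWS's documented example value), then another clean commit.
SAMPLE_PUSH = [
    ("c1", {"README.md": "hello\n"}),
    ("c2", {"config.py": 'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'}),
    ("c3", {"app.py": "print('x')\n"}),
]


def demo():
    return process_push("my-urgent-feature", "b0", SAMPLE_PUSH)


if __name__ == "__main__":
    r = demo()
    print("blocked:", r["blocked"], "reset_to:", r["reset_to"])
    print("mitigated branch:", r["mitigated_branch"])
    print(r["mitigated_commits"][1][1]["config.py"], end="")
    print(r["snippet"])
```

Two design points worth noting. The reset target is computed per push, so a push of several commits is only rolled back to the last clean one rather than rejected wholesale, which matches the "pre-pushed state or the commit before the secret was introduced" behaviour the page describes. And masking preserves length and newlines so the mitigated branch stays diff-compatible with the original; whether the real product does the same is not stated on the page.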