Realtime Secret Mitigation

Last updated 1 year ago

Summary

Hardcoded secret mitigation is a tedious process that may disrupt development operations, especially when it requires the secret to be rotated. Arnica offers an automated hardcoded secret mitigation option that enforces a "zero new hardcoded secrets" policy. This configuration prevents new hardcoded secrets from being committed while keeping developers in control: secrets are identified and blocked on push, and developers can dismiss a finding when the use case is deemed acceptable, such as a private key that is used for testing purposes only.

What can be mitigated?

Arnica can mitigate hardcoded secrets on every git push event across all integrated source code repositories.

Historical secrets that were pushed to the git repository beforehand cannot be mitigated, by design: rewriting those commits could disrupt existing pull requests and ongoing development work.

Realtime mitigation process

Arnica scans every commit in each git push event to detect and validate hardcoded secrets. If a hardcoded secret is detected and it matches the existing policy conditions, Arnica resets the branch to the pre-push state, or to the commit before the detected hardcoded secret was introduced. This process takes seconds.

Arnica resets the branch to the pre-pushed state to prevent potential adversaries from cloning the repository and iterating through the git tree to identify these secrets.

Developer experience

Secrets policies can be configured to notify developers or channels each time a hardcoded secret is detected or mitigated in real time. Both options are explained in detail on the secrets policy settings page.

Notification only

Arnica uses chat integrations to communicate with specific channels or specific individuals.

When a new hardcoded secret is sent to a channel (e.g. on Slack or Microsoft Teams), the finding details appear without the ability to act on them.

When a new hardcoded secret is sent to an individual, such as the code pusher, a dismiss button appears asking the developer whether the secret should be dismissed. If the user selects this option, a justification is required to dismiss the finding.

Below are examples of messages sent to the code pusher on Slack and Microsoft Teams.

Mitigation via `git reset`

Arnica can mitigate the hardcoded secret while providing a simple developer experience: the developer keeps the recently saved work on the git remote server/service, and no hardcoded secret is exposed in the git history.

To do this, Arnica creates a mitigated branch with the same name as the original feature branch, appended with -mitigated-by-Arnica. For example, if the feature branch is named my-urgent-feature, the mitigated branch is called my-urgent-feature-mitigated-by-Arnica. This mitigated branch contains all code changes of the original branch except the hardcoded secrets, which are masked with * where applicable.

The mitigation process does NOT break production code deployments, for the following reasons:

  1. New hardcoded secrets are typically pushed to a feature branch before being merged into a production branch. Arnica mitigates within these feature branches.

  2. Production branches are typically protected by branch protection policies. Arnica respects these policies and avoids the reset of these branches.

  3. The mitigated branch is separate from the feature branch.

Once all secrets in a given git push event have been scanned, Arnica can be configured to send the code pusher a notification containing a generated command line snippet that overwrites the local git history of the recently pushed code.

Screenshot: Slack notification on hardcoded secret detection
Screenshot: Microsoft Teams notification on hardcoded secret detection