
Realtime Secret Mitigation

Summary

Mitigating hardcoded secrets is a tedious process that may disrupt development operations, especially when the secret has to be rotated. Arnica offers an automated hardcoded secret mitigation option, which enforces a "zero new hardcoded secrets" policy. This configuration prevents new hardcoded secrets from being committed while empowering the developers. Secrets are identified and blocked on push, and developers can dismiss a secret when the use case is deemed acceptable, such as when a private key is used for testing purposes only.

What can be mitigated?

Arnica can mitigate hardcoded secrets on every git push event across all integrated source code repositories.
By design, historical secrets that were pushed to the git repository beforehand cannot be mitigated, because rewriting those commits may disrupt existing pull requests and development work.

Realtime mitigation process

Arnica scans every commit in each git push event to detect and validate hardcoded secrets. If a hardcoded secret is detected, and the secret matches existing policy conditions, Arnica then resets the branch to the pre-pushed state or to the commit before the detected hardcoded secret was introduced. This process takes seconds.
Arnica resets the branch to the pre-pushed state to prevent potential adversaries from cloning the repository and iterating through the git tree to identify these secrets.

Developer experience

Secrets policies can be configured to notify developers or channels each time a hardcoded secret is detected or mitigated in real time. Both options are explained in detail in the secrets policy settings page.

Notification only

Arnica utilizes chat integrations to communicate with specific channels or specific individuals.
When a new hardcoded secret finding is sent to a channel (e.g. on Slack or Microsoft Teams), the finding details appear without the ability to act on them.
When a new hardcoded secret finding is sent to an individual, such as the code pusher, a dismiss button appears to ask the developer if the secret should be dismissed. If the user selects this option, a justification is required to dismiss the finding.
Below are examples of messages sent to the code pusher on Slack and Microsoft Teams.
[Image: Slack notification on hardcoded secret detection]
[Image: Microsoft Teams notification on hardcoded secret detection]

Mitigation via `git reset`

Arnica can mitigate the hardcoded secret while keeping the developer experience simple: the developer keeps the recently saved work on the git remote server/service, and no hardcoded secret is exposed in the git history.
To do this, Arnica creates a mitigated branch with the same name as the original feature branch, appended with `-mitigated-by-Arnica`. For example, if the feature branch name is `my-urgent-feature`, the mitigated branch will be called `my-urgent-feature-mitigated-by-Arnica`. This mitigated branch has all code changes that the original branch has, excluding the hardcoded secrets, which are masked with `*` where applicable.
The mitigation process does NOT break production code deployments, for the following reasons:
  1. New hardcoded secrets are typically pushed to a feature branch before being merged into a production branch. Arnica mitigates within these feature branches.
  2. Production branches are typically protected by branch protection policies. Arnica respects these policies and avoids the reset of these branches.
  3. The mitigated branch is separate from the feature branch.
When all secrets are scanned on a given git push event, Arnica can be configured to send a notification to the code pusher with the generated command line snippet to overwrite the local git history of the recently pushed code.
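
A sketch of the decision described under "Realtime mitigation process" and "Mitigation via `git reset`", added here as an illustration and not Arnica's code: given the commits of one push, it picks the reset target, derives the mitigated branch name, and masks the secret with `*`. The regex patterns, the `Commit` type, `plan_mitigation` and the sample push are assumptions constructed for the example, and every finding is assumed to match the policy.

```python
import re
from dataclasses import dataclass

# Constructed detection patterns for this example only; a real scanner uses
# many more patterns and also validates each finding.
SECRET_PATTERNS = [
    re.compile(r"AKIA[0-9A-Z]{16}"),                    # AWS access key ID shape
    re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),  # PEM private key header
]
SUFFIX = "-mitigated-by-Arnica"  # branch suffix stated on the page


@dataclass
class Commit:
    sha: str
    added_lines: list  # lines this commit adds (constructed sample data)


def mask(line):
    """Replace every secret match in a line with '*' of the same length."""
    for pat in SECRET_PATTERNS:
        line = pat.sub(lambda m: "*" * len(m.group()), line)
    return line


def plan_mitigation(branch, pre_push_sha, pushed):
    """pushed: commits of one push, oldest first. Returns None when clean."""
    for i, commit in enumerate(pushed):
        if any(p.search(l) for p in SECRET_PATTERNS for l in commit.added_lines):
            # Reset target: the commit just before the secret was introduced,
            # i.e. the pre-push state when the first pushed commit is the culprit.
            reset_to = pushed[i - 1].sha if i > 0 else pre_push_sha
            # The mitigated branch keeps every change, with secrets masked.
            masked = {c.sha: [mask(l) for l in c.added_lines] for c in pushed}
            return {"reset_to": reset_to,
                    "mitigated_branch": branch + SUFFIX,
                    "masked": masked}
    return None


# Constructed push: the second of three commits adds AWS's documented
# example access key ID.
PUSH = [
    Commit("c1", ["def handler(): pass"]),
    Commit("c2", ['AWS_KEY = "AKIAIOSFODNN7EXAMPLE"']),
    Commit("c3", ["print('done')"]),
]
PLAN = plan_mitigation("my-urgent-feature", "c0", PUSH)
```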