Secrets Security

A full-stack, multidimensional approach to finding and securing exposed and vulnerable secrets across all files in your repositories and CI/CD pipelines.

Request a free trial

Developers use secrets to enable their applications to securely communicate with other cloud services. Storing secrets in a file in version control systems (VCS) like GitHub is not secure, creating potential vulnerabilities that can be exploited. This often happens when developers leave their secrets in the source code. Once a secret is committed into a repo, it is saved in its history, and any user can easily access those keys. This is especially risky if the repo contents are made public, making that resource easily found and utilized by threat actors.

Most tools only selectively scan for secrets at just one phase of the application lifecycle and can miss certain types of secrets altogether. Prisma® Cloud can ensure no secret is accidentally exposed while minimizing false positives and maintaining development velocity.

Hard-coded secrets are common for cloud-native development.

Hardcoded credentials are easier for developers to use and access but are not a best practice. It’s especially dangerous in matrixed development organizations and within cloud-based repos. Unfortunately, they are commonplace, with over 41% of repos containing secrets.

Public exposure amplifies risk.

Secrets can often be exposed in public repositories in your VCS or registry. Additionally, any secret added directly to source code, IaC, CI/CD configuration files, etc. may be visible in a VCS or can be accidentally exposed in build logs.

Siloed tooling causes coverage gaps.

Standalone secrets scanners often lack consistent coverage across both build and runtime. Without being embedded into a broader CNAPP strategy, organizations are left with an incomplete picture of risk.

Prisma Cloud makes it seamless for developers to prevent exposed secrets in build and runtime.

By integrating into DevOps tools and across code, build, deploy, and runtime, Prisma Cloud continuously scans for exposed secrets across the entire development lifecycle. With a powerful multidimensional approach that combines both a signature-based policy library and a fine-tuned entropy model, Prisma Cloud identifies secrets in nearly any file type, from IaC templates, golden images, and Git repositories.

Multiple detection methods identify complex secrets like random strings or passwords.
Risk factors provide context for secrets to streamline prioritization and remediation.
Natively integrated into developer tools and workflows.

100+ signature library.
Fine-tuned entropy model.
Supply chain visualization.
Broad coverage.
Detection pre-commit in VCS and CI pipelines.
Detection in running workloads and apps.

The Prisma Cloud Solution

A Developer-First, Multidimensional Approach to Secrets Security

Precise detection

Secrets using regular expressions (access tokens, API keys, encryption keys, OAuth tokens, certificates, etc.) are the most commonly identified. Prisma Cloud leverages over 100 signatures to detect and alert on the wide array of secrets with known, predictable expressions.

Vast coverage
100+ domain-specific secret detectors ensure precise alerting in both build and runtime.
Broad and deep scanning
Scan for secrets in all files in your repositories and the version histories across your integrations.

Fine-tuned entropy model

Not all secrets are consistent or identifiable patterns. For example, random string usernames and passwords wouldn't be detected by signature based methods because they're random, potentially leaving “keys to the kingdom” exposed and publicly accessible. Prisma Cloud augments signature-based detection with a fine-tuned entropy model.

Fine-tuned entropy model
Eliminate false positives with a fine-tuned entropy model that leverages string context to precisely identify complex secret types.
Unrivaled visibility
Gain comprehensive visibility and control across the vast landscape of secrets used by cloud developers.

Developer feedback

Developers can analyze risks associated with exposed or vulnerable secrets in a few different ways:

Projects
Native integrations in dev workflows and seamlessly surface detected secrets within a file that is non-compliant.
Supply chain
The Supply Chain Graph displays the source code file nodes. A detailed investigation into the dependency tree helps developers identify the root cause of secret exposure.
Pull request comments
Users can spot potentially leaked secrets as part of their pull request scans, which can be easily removed.
Pre-Commit hooks and CI integrations
Leverage the pre-commit hook to block secrets from being pushed to a repository before a pull request is opened.

Part of the CNAPP

The only way to ensure complete coverage when securing cloud-native applications is to embed secrets scanning at each layer and step of the development lifecycle. The Prisma Cloud Secrets module can be activated with a single click and is just one component of the industry's most comprehensive cloud-native application protection platform.

Identify secrets across the supply chain
Check for exposed secrets across repos like GitHub and registries such as Docker, Quay, Artifactory and others.
Prevent exposed secrets in runtime
Leverage holistic visibility from code to cloud and identify exposed secrets in running workloads and cloud resources with runtime policies.
Agentless Secrets Scanning
Search for secrets hidden within running and non-running workloads across all major cloud service providers such as AWS, GCP, Azure, and OCI without deploying agents.
Unparalleled Coverage
Conduct searches for secrets throughout the entire filesystem and wide range of secret types, including application keys, private keys, passwords, API tokens, configuration files, cloud keys, and credentials for all CSPs.