Secrets Scanning
Secrets scanning runs as part of the SCA scan and detects hard-coded secrets such as passwords, API keys, and tokens in git repositories. The default rules used for secrets scanning can be found here.
To override the default secret rules:
    Download the secrets config file locally
    Add/delete/update rules
    Set an environment variable called SECRET_RULES=/path/to/rules.toml
To run a full scan of your source code for secrets, add the --no-git option to your SCA scan command:
    cdefense scan --lang=java --api-key=<YOUR_API_KEY> \
      --path=<path to your project> --project-name="My Java Project" --no-git

    --no-git (false, true) - Perform a full scan for secrets
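To make concrete what a secrets scanner does with a rule set (pattern match, allowlist of placeholder values, entropy check on the matched value, redaction in the report), here is a minimal scanner written for this page as an added example. It is not cdefense's code, and the rules below are constructed in Python because the page does not show the schema of the real rules.toml; the sample files it scans are also constructed inline.

```python
"""Minimal secrets scanner: added example, not the cdefense tool's implementation."""
import math
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    id: str
    description: str
    pattern: re.Pattern
    min_entropy: float = 0.0  # 0 disables the entropy check for this rule


# Constructed rules (hypothetical; the real rules.toml format is not shown on the page).
# The last capture group, when present, is the candidate secret value.
RULES = [
    Rule("aws-access-key-id", "AWS access key ID",
         re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")),
    Rule("generic-api-key", "API key / token / secret assignment",
         re.compile(r"(?i)\b(api[_-]?key|token|secret)\b\s*[:=]\s*['\"]([A-Za-z0-9_\-]{16,})['\"]"),
         min_entropy=3.5),
    Rule("password-assignment", "Hard-coded password",
         re.compile(r"(?i)\bpassword\s*[:=]\s*['\"]([^'\"]{6,})['\"]")),
]

# Values that are obviously placeholders are suppressed to cut false positives.
ALLOWLIST = [re.compile(r"(?i)example|dummy|changeme|xxxx")]


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; low values mean repetitive, unlikely-real values."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def redact(value: str) -> str:
    """Never echo the full secret into a report or log."""
    return f"{value[:4]}...({len(value)} chars)"


@dataclass(frozen=True)
class Finding:
    rule_id: str
    path: str
    line: int
    redacted: str


def scan_text(path: str, text: str, rules=RULES) -> list:
    """Apply every rule to every line; return findings with the value redacted."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule in rules:
            m = rule.pattern.search(line)
            if not m:
                continue
            candidate = m.group(m.lastindex) if m.lastindex else m.group(0)
            if any(a.search(candidate) for a in ALLOWLIST):
                continue
            if rule.min_entropy and shannon_entropy(candidate) < rule.min_entropy:
                continue
            findings.append(Finding(rule.id, path, lineno, redact(candidate)))
    return findings


def scan_files(files: dict) -> list:
    """Scan a mapping of path -> file contents (stands in for walking a checkout)."""
    out = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


# Constructed sample input; none of these values are real credentials.
SAMPLE_FILES = {
    "src/config.py": (
        'DB_HOST = "db.internal"\n'
        'PASSWORD = "changeme"\n'                   # placeholder, allowlisted
        'password = "Tr0ub4dor&3x"\n'               # reported: hard-coded password
        'AWS_ACCESS_KEY_ID = "AKIAQ7WXYZ2ABCD3EFGH"\n'  # reported: AWS key ID shape
        'api_key = "a1b2c3d4e5f6g7h8i9j0k1l2"\n'    # reported: high-entropy value
        'token = "aaaaaaaaaaaaaaaaaaaa"\n'          # skipped: entropy too low
        'secret = "dummy_secret_value_here"\n'      # placeholder, allowlisted
    ),
    "docs/setup.md": 'Use the admin password = "s3cr3t-p4ss" to log in.\n',
}


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line}: {f.rule_id} -> {f.redacted}")
```

The allowlist and entropy threshold are the two knobs that decide how noisy the scan is; tuning a custom rules file (as the SECRET_RULES override above allows) is mostly a matter of adjusting those and the patterns for the secret formats your codebase actually handles.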

What is Secret Scanning?

A segment covered by Tanya Janca, an AppSec celebrity best known for founding We Hack Purple. This video discusses what secret scanning is and why it matters.

    https://www.youtube.com/watch?v=2wdRKbSKPjA