Code Secret Scanning

Overview

Mend SAST Secret Scanning provides a comprehensive security overview, by introducing the capability to:
1) Scan both source code and configuration files to detect exposed credentials, based on patterns.
2) View the results alongside standard SAST results.

Configuration Files

Below is a list of some of the more prominent configuration files scanned for exposed credentials.

• JSON

• XML

• .properties

• .yaml

• .config

Getting it done

Secret Scanning as part of a Regular SAST Scan

To add secret detection to your regular SAST scan, enable the --secrets-detection command line parameter in addition to the regular mend code command in the Mend CLI.

When unspecified, secret scanning as part of your SAST scan is disabled.

Note: This mode is also supported in the Developer Platform and Mend for GitHub.com.

Here’s what a SAST scan with secrets detection enabled would look like in the terminal:

Viewing Results

The results of the secret scanning will appear in the platform UI alongside other Code findings.

They will be differentiated from other code findings by the value “Secrets” in the Language column.

Noteworthy values of secret scanning findings:

1. CWE Name - 2 possible values:

A. Hardcoded Password/Credentials (CWE-798)

B. Secret in Configuration File (CWE-260)

2. Severity - Always Medium.

3. Sink - The type of secret detected, e.g., Postman API Token, AWS Access Key ID, etc.

4. Language - “Secrets”.

Clicking anywhere on a row of a detected secret will spawn a drawer with more in-depth information about the secret:

Note:

• All secret findings are labelled as ‘Medium’ severity.

• Mend.io does not anonymize detected secrets.

Automation Workflows around Secret Detection

You can create Automation Workflows around secret detection to trigger policy violations and fail builds, in a similar fashion to every other Code finding.

Visit the Automation Workflows documentation for more details.