Check for secrets in AWS CodeCommit repositories (including branches and commit history; a tool designed for git, like trufflehog, would be useful)
AWS Elastic Container Registry (ECR):
Images stored in ECR might contain secrets. Scanning Dockerfiles and image layers for secrets can be crucial. (Trivy could be good here)
AWS Lambda Layer Contents:
Lambda Layers are used to manage code and dependencies. Scanning the contents of these layers for secrets is as important as scanning the Lambda function code.
AWS Systems Manager State Manager:
State Manager documents might include scripts or commands that contain secrets.
AWS Batch Job Definitions:
Similar to ECS tasks, AWS Batch job definitions might include environment variables or command parameters that contain secrets.
Amazon SageMaker:
Notebooks and model training scripts in SageMaker can sometimes include embedded secrets.
AWS Amplify Console:
Check for secrets in Amplify app build settings and environment variables. (should be in environment secrets)
AWS Data Pipeline:
Data Pipeline definitions, especially the ones that contain custom scripts or SQL commands, could have embedded secrets.
AWS Glue Data Catalog:
Scan the AWS Glue Data Catalog for database connection details that might include hardcoded credentials.
Hi @Fennerr, all of them are interesting ideas, but maybe we need to rethink our "secrets detection engine" a little bit ...
The detect-secrets package generates false positives and the current way of scanning generates a lot of resource exhaustion ...
This is true. Maybe move it to an optional flag and/or a config option to select what secrets you want to scan for
It would also be nice to generalize the way secrets are scanned for, so that things like writing temp files to disk, searching for secrets, and using multiprocessing for this (as it's CPU intensive) can be handled in one place.
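One way to put the "extract candidate strings, then scan them in one place" idea into practice for the AWS Batch job definitions mentioned earlier, as an added example that is neither the project's own code nor from this thread: it pulls environment variables and command parameters out of a job definition and flags them with simplified keyword and entropy heuristics that stand in for the detect-secrets plugins. The job definition and all its values are constructed; a caller would feed it each entry returned by `batch.describe_job_definitions()`.

```python
import math
import re
# Constructed sample: a trimmed AWS Batch job definition in the shape returned
# by batch.describe_job_definitions(); every value here is made up.
SAMPLE_JOB_DEFINITION = {
    "jobDefinitionName": "nightly-etl",
    "containerProperties": {
        "command": ["etl.py", "--region", "eu-west-1", "--db-password", "Sup3rS3cretPassw0rd!"],
        "environment": [
            {"name": "LOG_LEVEL", "value": "info"},
            {"name": "API_TOKEN", "value": "tok_9f8e7d6c5b4a39281706f5e4d3c2b1a0"},
        ],
    },
}

# Assumed heuristics standing in for detect-secrets' keyword and high-entropy plugins.
SENSITIVE_NAME = re.compile(r"pass|pwd|secret|token|api[_-]?key|private", re.I)
MIN_LEN, MIN_ENTROPY = 16, 3.5  # only long, random-looking values count as high entropy

def shannon_entropy(value: str) -> float:
    """Bits of entropy per character; 0.0 for the empty string."""
    counts = {c: value.count(c) for c in set(value)}
    return -sum(n / len(value) * math.log2(n / len(value)) for n in counts.values())

def candidate_pairs(job_definition: dict):
    """Yield (location, name, value) for environment variables and command parameters."""
    props = job_definition.get("containerProperties", {})
    for env in props.get("environment", []):
        yield "environment", env.get("name", ""), env.get("value", "")
    command = props.get("command", [])
    for i, arg in enumerate(command):
        if arg.startswith("--") and "=" in arg:            # --flag=value form
            name, value = arg.split("=", 1)
            yield "command", name, value
        elif arg.startswith("--") and i + 1 < len(command) and not command[i + 1].startswith("--"):
            yield "command", arg, command[i + 1]           # --flag value form

def find_secrets(job_definition: dict) -> list:
    """Return one finding per value that looks like a hardcoded credential."""
    findings = []
    for location, name, value in candidate_pairs(job_definition):
        if value and SENSITIVE_NAME.search(name):
            reason = "sensitive name"
        elif len(value) >= MIN_LEN and shannon_entropy(value) >= MIN_ENTROPY:
            reason = "high entropy"
        else:
            continue
        findings.append({"resource": job_definition.get("jobDefinitionName"),
                         "location": location, "name": name, "reason": reason})
    return findings
```

The same `candidate_pairs` shape (location, name, value) can be produced for ECS task definitions, Lambda environment variables or State Manager documents, so `find_secrets` stays the single place where scanning happens.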
New feature motivation
Similar to the secrets checks for the other services (lambda/ec2/ecs/etc), more checks can be implemented
Solution Proposed
Elastic Beanstalk:
API Gateway:
CodeBuild and CodePipeline:
Glue Jobs:
Step Functions:
AppSync:
This might not be all the API calls that need to be made to get the secrets, but should be a good starting point
Describe alternatives you've considered
None
Additional context
No response