
Secret Scanning

Overview

Secret scanners are a set of tools designed to detect secrets exposed in source code. ERP systems are often used to manage sensitive data and application integrations, so it is critical to ensure that secrets are not exposed in X++ source code. You should have a clear remediation plan for when secrets enter your commit history.

Guidance

The table below outlines our findings about secret scanning tools.

| Tool | Notes | Detected Secrets | GitHub/Azure DevOps Support |
|---|---|---|---|
| GitHub secret scanning | GitHub secret scanning alerts are a free service on all public GitHub repositories. The service automatically generates alerts when patterns in your code match secrets used by many service providers. Push protection, a GitHub repository-level feature, will prevent commits with secrets without remediation or a documented exception. In our tests against the internal Hello World repository, Push Protection prevented a revoked PAT from entering the commit history. GitHub scanning alerts generated an alert when a revoked PAT existed within the commit history. GitHub's Push Protection is the only service-side scanning tool we tested which can prevent secrets from entering a repository's commit history. | PAT | GitHub |
| detect-secrets | This open-source tool has been successfully used on multiple projects within Microsoft's ISE organization. | Basic credential, JSON web token | GitHub, Azure DevOps |
| TruffleHog | TruffleHog has a first-party GitHub action, which makes it easy to reference as part of a CI process. | None | GitHub, Azure DevOps |
| Gitleaks | Gitleaks is free for personal repositories, and requires a paid license for organization repositories. | High-entropy string, secret hash, JSON web token | GitHub, Azure DevOps |
| Microsoft Security DevOps | Microsoft Security DevOps (MSDO) is offered as a GitHub scanner and an Azure DevOps scanner. The default configuration of the GitHub scanner requires read and write workflow permissions to upload SARIF files to the repository's Security tab. Furthermore, the repository must be a public repository or a sufficiently licensed private repository due to a dependency on GitHub's built-in code scanning feature. | None in GitHub. Basic credentials and PAT in Azure DevOps. | GitHub, Azure DevOps |
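As an added illustration of the detection categories in the table (basic credentials, JSON web tokens, high-entropy strings), and not code from any of the tools listed: a minimal scanner run over constructed X++ lines. The regexes, the 4.0 bits-per-character entropy threshold, and every sample value are assumptions made for this example.

```python
import math
import re

# Constructed X++ snippet (no real credentials): a URL literal that should not
# be flagged, a JSON web token, a basic-credential assignment, and a
# high-entropy string shaped like an API key.
SAMPLE_XPP = """
    str endpoint = "https://example.invalid/api";
    str token = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ0ZXN0In0.abcDEFghiJKLmnoPQRstuVWXyz012345";
    str creds = "password=Hunter2Hunter2";
    str key = "A8f3kL9qZ2xW7vB4nM6cR1tY5uE0oP3s";
    int counter = 0;
"""

# Three-part base64url token whose header starts with {" (assumed JWT shape).
JWT_RE = re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")
# key=value assignments using common credential names (assumed list).
BASIC_CRED_RE = re.compile(r"(?i)\b(password|pwd|secret|apikey)\s*=\s*\S+")
# Quoted string literals long enough to be worth an entropy check.
QUOTED_RE = re.compile(r'"([^"]{20,})"')


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for a single repeated char)."""
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_source(text, entropy_threshold=4.0):
    """Return (line_number, category) for each line carrying a likely secret.

    Categories mirror the table: 'jwt', 'basic-credential', 'high-entropy'.
    URL-like literals are skipped to cut down on false positives.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if JWT_RE.search(line):
            findings.append((lineno, "jwt"))
        elif BASIC_CRED_RE.search(line):
            findings.append((lineno, "basic-credential"))
        else:
            for literal in QUOTED_RE.findall(line):
                if "://" not in literal and shannon_entropy(literal) >= entropy_threshold:
                    findings.append((lineno, "high-entropy"))
                    break
    return findings


if __name__ == "__main__":
    for lineno, category in scan_source(SAMPLE_XPP):
        print(f"line {lineno}: {category}")
```

A pre-commit hook or CI step can fail the build when `scan_source` returns a non-empty list; the real tools in the table apply far richer pattern sets and provider-specific verification than this.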