Search

Secrets Security

A full-stack, multidimensional approach to finding and securing exposed and vulnerable secrets across all files in your repositories and CI/CD pipelines.
Request a free trial
secrets-gitlab
secrets-projects

Developers use secrets to enable their applications to securely communicate with other cloud services. Storing secrets in a file in version control systems (VCS) like GitHub is not secure, creating potential vulnerabilities that can be exploited. This often happens when developers leave their secrets in the source code. Once a secret is committed into a repo, it is saved in its history, and any user can easily access those keys. This is especially risky if the repo contents are made public, making that resource easily found and utilized by threat actors.

Most tools only selectively scan for secrets at just one phase of the application lifecycle and can miss certain types of secrets altogether. Prisma® Cloud can ensure no secret is accidentally exposed while minimizing false positives and maintaining development velocity.

Hard-coded secrets are common for cloud-native development.

Hardcoded credentials are easier for developers to use and access but are not a best practice. It’s especially dangerous in matrixed development organizations and within cloud-based repos. Unfortunately, they are commonplace, with over 41% of repos containing secrets.

Public exposure amplifies risk.

Secrets can often be exposed in public repositories in your VCS or registry. Additionally, any secret added directly to source code, IaC, CI/CD configuration files, etc. may be visible in a VCS or can be accidentally exposed in build logs.

Siloed tooling causes coverage gaps.

Standalone secrets scanners often lack consistent coverage across both build and runtime. Without being embedded into a broader CNAPP strategy, organizations are left with an incomplete picture of risk.

Prisma Cloud makes it seamless for developers to prevent exposed secrets in build and runtime.

By integrating into DevOps tools and across code, build, deploy, and runtime, Prisma Cloud continuously scans for exposed secrets across the entire development lifecycle. With a powerful multidimensional approach that combines both a signature-based policy library and a fine-tuned entropy model, Prisma Cloud identifies secrets in nearly any file type, from IaC templates, golden images, and Git repositories.
  • Multiple detection methods identify complex secrets like random strings or passwords.
  • Risk factors provide context for secrets to streamline prioritization and remediation.
  • Natively integrated into developer tools and workflows.
  • 100+ signature library.
    100+ signature library.
  • Fine-tuned entropy model.
    Fine-tuned entropy model.
  • Supply chain visualization.
    Supply chain visualization.
  • Broad coverage.
    Broad coverage.
  • Detection pre-commit in VCS and CI pipelines.
    Detection pre-commit in VCS and CI pipelines.
  • Detection in running workloads and apps.
    Detection in running workloads and apps.
The Prisma Cloud Solution

A Developer-First, Multidimensional Approach to Secrets Security

Precise detection

Secrets using regular expressions (access tokens, API keys, encryption keys, OAuth tokens, certificates, etc.) are the most commonly identified. Prisma Cloud leverages over 100 signatures to detect and alert on the wide array of secrets with known, predictable expressions.

  • Vast coverage

    100+ domain-specific secret detectors ensure precise alerting in both build and runtime.

  • Broad and deep scanning

    Scan for secrets in all files in your repositories and the version histories across your integrations.

Precise detection

Fine-tuned entropy model

Not all secrets are consistent or identifiable patterns. For example, random string usernames and passwords wouldn't be detected by signature based methods because they're random, potentially leaving “keys to the kingdom” exposed and publicly accessible. Prisma Cloud augments signature-based detection with a fine-tuned entropy model.

  • Fine-tuned entropy model

    Eliminate false positives with a fine-tuned entropy model that leverages string context to precisely identify complex secret types.

  • Unrivaled visibility

    Gain comprehensive visibility and control across the vast landscape of secrets used by cloud developers.

Fine-tuned entropy model

Developer feedback

Developers can analyze risks associated with exposed or vulnerable secrets in a few different ways:

  • Projects

    Native integrations in dev workflows and seamlessly surface detected secrets within a file that is non-compliant.

  • Supply chain

    The Supply Chain Graph displays the source code file nodes. A detailed investigation into the dependency tree helps developers identify the root cause of secret exposure.

  • Pull request comments

    Users can spot potentially leaked secrets as part of their pull request scans, which can be easily removed.

  • Pre-Commit hooks and CI integrations

    Leverage the pre-commit hook to block secrets from being pushed to a repository before a pull request is opened.

Developer feedback

Part of the CNAPP

The only way to ensure complete coverage when securing cloud-native applications is to embed secrets scanning at each layer and step of the development lifecycle. The Prisma Cloud Secrets module can be activated with a single click and is just one component of the industry's most comprehensive cloud-native application protection platform.

  • Identify secrets across the supply chain

    Check for exposed secrets across repos like GitHub and registries such as Docker, Quay, Artifactory and others.

  • Prevent exposed secrets in runtime

    Leverage holistic visibility from Code to CloudTM and identify exposed secrets in running workloads and cloud resources with runtime policies.

  • Agentless Secrets Scanning

    Search for secrets hidden within running and non-running workloads across all major cloud service providers such as AWS, GCP, Azure, and OCI without deploying agents.

  • Unparalleled Coverage

    Conduct searches for secrets throughout the entire filesystem and wide range of secret types, including application keys, private keys, passwords, API tokens, configuration files, cloud keys, and credentials for all CSPs.

Part of the CNAPP

Code Security modules

INFRASTRUCTURE AS CODE SECURITY

Automated IaC security embedded in developer workflows

Learn more

SOFTWARE COMPOSITION ANALYSIS (SCA)

Context-aware open source security and license compliance

Learn more

CI/CD SECURITY

Graph-based CI/CD security for application development environments

Learn more

SECRETS SECURITY

Full-stack, multidimensional secrets scanning across repos and pipelines.

Learn more
Featured Resources

Valuable Code Security documents

See all resources
DATASHEET

Secrets Security

Download
WHITEPAPER

Secrets Security Checklist

Download
ANALYST REPORT

GigaOm Radar for Developer Security Tools

Download
ON-DEMAND WEBINAR

Product Deep Dive: Secrets Security

Watch now
DATASHEET

Code Security

Download

Customer Stories

Hear how Pokemon, Sabre and ElevenPaths take advantage of Prisma Cloud's full lifecycle security and full stack protection.

Cloud security basics

Learn about DevSecOp trends and get practical tips from developers, industry leaders and security professionals.

The latest from our blog

Start with a piece that focuses on container security with Kubernetes cluster awareness, then dive into the rest.

Get the latest news, invites to events, and threat alerts