
Secrets

When you analyze your code with preZero, your results include secrets, that is, hard-coded values (e.g., client secrets, username/password combinations) and sensitive information (e.g., phone numbers and addresses), alongside any other vulnerabilities identified.

Before proceeding, ensure that you have set up and authenticated with Qwiet. Then analyze your application to obtain information about any secrets it contains.

Scanning for secrets

By default, Qwiet preZero looks for secrets present in:

  • Your source code;
  • All included *.properties files.

You can modify the configuration file to change where Qwiet preZero looks for secrets.

Entropy

Qwiet preZero allows you to modify how the default analysis behaves, including how sensitive the analysis for hard-coded credentials is. This setting, called entropy, is a value between 0.0 and 1.0 (inclusive) and measures the analysis engine's certainty regarding the result. The default value is 0.0; raising it reduces the number of secrets reported, as the table below shows.

For example, the following table shows the number of secrets identified in the HelloShiftLeft sample application at different entropy values.

  Entropy    No. of secrets detected
  0.2        55
  0.5        3
  1.0        0
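As an added illustration (not Qwiet's code; preZero's exact scoring is not documented on this page), the following Python models how an entropy threshold trims hard-coded credential findings: each credential-like string literal is scored by normalized Shannon entropy and reported only if the score meets the threshold, so raising the threshold drops dictionary-word passwords first, as in the table above. The sample source lines, the name heuristic and the 6-bits-per-character ceiling are assumptions of the example.

```python
import math
import re
from collections import Counter
from typing import List, Tuple

# Constructed sample source lines (not real credentials); the last line has
# no credential-looking name and is ignored by the scanner.
SAMPLE_SOURCE = [
    'db_user = "admin"',
    'db_password = "password123"',
    'api_key = "AKIAIOSFODNN7EXAMPLE"',
    'client_secret = "q7Zt0Xb9VmLk2pRw8sYd3HnJ5cFa1GeU"',
    'debug = "true"',
]

# Assignment of a double-quoted literal to a credential-looking name.
ASSIGNMENT_RE = re.compile(
    r'^\s*(\w*(?:pass|secret|key|token|user)\w*)\s*=\s*"([^"]*)"', re.I
)

# Assumed ceiling: 6 bits/char, the maximum for a 64-symbol (base64-style)
# alphabet; it maps raw Shannon entropy onto the page's 0.0-1.0 scale.
MAX_BITS_PER_CHAR = 6.0

def normalized_entropy(value: str) -> float:
    """Shannon entropy of `value` in bits per character, scaled to [0.0, 1.0].
    0.0 is an empty string or one repeated character; near 1.0 means the
    characters are close to uniformly distributed over a 64-symbol alphabet."""
    n = len(value)
    if n == 0:
        return 0.0
    bits = -sum(c / n * math.log2(c / n) for c in Counter(value).values())
    return max(0.0, min(bits / MAX_BITS_PER_CHAR, 1.0))

def find_secrets(lines: List[str], entropy: float = 0.0) -> List[Tuple[str, float]]:
    """Return (name, score) for each credential-like assignment whose score
    is at least `entropy`. 0.0 reports everything, mirroring the documented
    default; raising it drops dictionary-word values before random ones."""
    findings = []
    for line in lines:
        match = ASSIGNMENT_RE.match(line)
        if match:
            score = normalized_entropy(match.group(2))
            if score >= entropy:
                findings.append((match.group(1), round(score, 3)))
    return findings

if __name__ == "__main__":
    for threshold in (0.0, 0.5, 0.7, 1.0):
        print(threshold, find_secrets(SAMPLE_SOURCE, threshold))
```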

Viewing your results

The secrets that Qwiet identifies in your application will appear in the Vulnerabilities Dashboard.

To access your results:

  1. Log in to the Qwiet Dashboard and select the appropriate organization.
  2. In the list of Applications, find the one you're interested in and click to open.

You will see a summary page of all vulnerabilities identified by Qwiet, including secrets.

[Screenshot: Vulnerabilities Dashboard indicating secrets detected]

Click the Secrets tab to display a list of the issues identified.

[Screenshot: List of identified secrets in Qwiet's Dashboard]

You can filter the results based on:

  • Status (which reflects any work your team has done on the issue)
  • Assignee (who the issue is assigned to for further action)
  • One or more Advanced Filters, which let you specify the category (both general and OWASP) and the language of the code