
Secrets v2

When analyzing your code with preZero, your results will include secrets (hard-coded values such as client secrets and username/password combinations, and sensitive information such as phone numbers and addresses) alongside any other vulnerabilities identified.

Tip: Before proceeding, please ensure that you have set up and authenticated with Qwiet. Then, analyze your application to obtain information about any secrets present in it.

Scanning for secrets

Secrets scanning can be turned on for all applications on the organization settings page. The setting is called "Client-Side Secrets".

By default, Qwiet preZero looks for secrets present in checked-in files in the source repository of the project. Any data added during the build process will not be scanned.

In particular, files that end up inside Java JAR/WAR/EAR archives are only considered if they are checked into the repository and already contain the secrets before the build starts. Interpolating build-time variables into resource files is not supported by secrets scanning.

There are several environment variables which may be used to customize the behaviour of the scanning process:

Parameter                               Description
QWIET_EXTERNAL_SECRETS_ALL_FILES        Scan all files in the project directory instead of just checked-in files.
QWIET_EXTERNAL_SECRETS_MAX_CORES        Maximum number of CPU cores to use for scanning secrets; defaults to 2.
QWIET_EXTERNAL_SECRETS_BASE64_LIMIT     Entropy limit for high-entropy base64 strings. This value must be between 0.0 and 8.0; defaults to 4.5.
QWIET_EXTERNAL_SECRETS_HEX_LIMIT        Entropy limit for high-entropy hex strings. This value must be between 0.0 and 8.0; defaults to 3.0.
QWIET_EXTERNAL_SECRETS_EXCLUDE_FILES    Regular expression for filenames to exclude from the analysis, e.g. \.txt excludes all .txt files.
QWIET_EXTERNAL_SECRETS_EXCLUDE_SECRETS  Regular expression for secrets to exclude from the results, e.g. ^...$ excludes all three-letter secrets.
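As an added example, and not preZero's own code, the following Python script shows how the variables above shape an entropy-based scan: it reads the documented defaults, rejects limits outside the 0.0 to 8.0 range, honours the checked-in-files default described in the previous section, and applies both exclusion regexes over a constructed sample checkout. The token patterns, the Shannon-entropy scoring, the interpretation of the ALL_FILES value (assumed on for 1/true/yes), and every path and "secret" in the sample files are assumptions made for this example.

```python
"""Added example: a minimal entropy-based secrets scanner driven by the
QWIET_EXTERNAL_SECRETS_* variables. Not Qwiet preZero code; how preZero
tokenises files is an assumption. The defaults used here are the documented
ones (2 cores, base64 limit 4.5, hex limit 3.0)."""
import math
import os
import re

# Assumed candidate patterns: long base64-alphabet runs, long hex runs on word boundaries.
BASE64_RUN = re.compile(r"[A-Za-z0-9+/=]{20,}")
HEX_RUN = re.compile(r"\b[0-9a-fA-F]{20,}\b")
PURE_HEX = re.compile(r"[0-9a-fA-F]+")


def shannon_entropy(s: str) -> float:
    """Bits per character. 8.0 is the ceiling for a byte alphabet; a base64
    string cannot exceed 6.0 and a hex string cannot exceed 4.0."""
    n = len(s)
    if n == 0:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def _limit(env, name, default):
    value = float(env.get(name, default))
    if not 0.0 <= value <= 8.0:  # documented valid range
        raise ValueError(f"{name} must be between 0.0 and 8.0, got {value}")
    return value


def _regex(env, name):
    pattern = env.get(name)
    return re.compile(pattern) if pattern else None


def load_settings(env=None) -> dict:
    """Read the documented variables; unset ones fall back to the documented defaults."""
    env = os.environ if env is None else env
    return {
        # Assumption: any of 1/true/yes switches on all-files mode.
        "all_files": env.get("QWIET_EXTERNAL_SECRETS_ALL_FILES", "").lower() in ("1", "true", "yes"),
        "max_cores": int(env.get("QWIET_EXTERNAL_SECRETS_MAX_CORES", "2")),  # recorded only; demo is single-threaded
        "base64_limit": _limit(env, "QWIET_EXTERNAL_SECRETS_BASE64_LIMIT", "4.5"),
        "hex_limit": _limit(env, "QWIET_EXTERNAL_SECRETS_HEX_LIMIT", "3.0"),
        "exclude_files": _regex(env, "QWIET_EXTERNAL_SECRETS_EXCLUDE_FILES"),
        "exclude_secrets": _regex(env, "QWIET_EXTERNAL_SECRETS_EXCLUDE_SECRETS"),
    }


def find_candidates(text: str, settings: dict) -> list:
    """Return (kind, token, entropy) for every run whose entropy meets its limit."""
    hits = []
    checks = (("hex", HEX_RUN, settings["hex_limit"]),
              ("base64", BASE64_RUN, settings["base64_limit"]))
    for kind, pattern, limit in checks:
        for match in pattern.finditer(text):
            token = match.group(0)
            if kind == "base64" and PURE_HEX.fullmatch(token):
                continue  # already judged against the (lower) hex limit
            entropy = shannon_entropy(token)
            if entropy < limit:
                continue
            if settings["exclude_secrets"] and settings["exclude_secrets"].search(token):
                continue
            hits.append((kind, token, round(entropy, 2)))
    return hits


def scan(files: dict, checked_in: set, settings: dict) -> list:
    """files maps path -> contents; checked_in is the set of paths the VCS knows
    about (what `git ls-files` would list). Files only present in the working
    tree, such as build output, are skipped unless all-files mode is on."""
    findings = []
    for path in sorted(files):
        if not settings["all_files"] and path not in checked_in:
            continue
        if settings["exclude_files"] and settings["exclude_files"].search(path):
            continue
        for kind, token, entropy in find_candidates(files[path], settings):
            findings.append({"file": path, "kind": kind, "secret": token, "entropy": entropy})
    return findings


# Constructed sample checkout; every "secret" below is a made-up placeholder.
SAMPLE_FILES = {
    "src/settings.py": 'DEBUG = False\nAPI_TOKEN = "q7Rk2ZxL9vTm4pBw8NcYd3Hs6JfGa1Ue"\n'
                       'PLACEHOLDER = "AAAAAAAAAAAAAAAAAAAAAAAA"\n',
    "src/checksums.txt": "image.bin 0123456789abcdef0123456789abcdef\n",
    "README.md": "Demo key: eU1aGfJ6sH3dYcN8wBp4mTv9LxZ2kR7q\n",
    "build/app.properties": 'api.key = "Zx9Qa2Lm7Vb4Nc8Ws3Tk6Jf1Hd5Gp0Ry"\n',  # generated, not checked in
}
SAMPLE_CHECKED_IN = {"src/settings.py", "src/checksums.txt", "README.md"}


def demo(env: dict) -> list:
    """Scan the constructed checkout with settings taken from the given environment mapping."""
    return scan(SAMPLE_FILES, SAMPLE_CHECKED_IN, load_settings(env))


if __name__ == "__main__":
    print("defaults:", demo({}))
    print("tuned:", demo({"QWIET_EXTERNAL_SECRETS_ALL_FILES": "true",
                          "QWIET_EXTERNAL_SECRETS_EXCLUDE_FILES": r"\.txt",
                          "QWIET_EXTERNAL_SECRETS_EXCLUDE_SECRETS": r"^Zx9Qa2"}))
```

With the defaults the run reports the README key, the hex checksum and the settings token, while the repeated-A placeholder scores 0.0 bits and is ignored; the generated properties file is never read because it is not checked in. The two limits differ for a structural reason: a hex alphabet of 16 symbols caps entropy at 4.0 bits per character, so the 4.5 base64 threshold would never fire on hex data, which is why a separate, lower hex limit exists.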

Viewing your results

The secrets that Qwiet identifies in your application will appear in the Vulnerabilities Dashboard.

To access your results:

  1. Log in to the Qwiet Dashboard and select the appropriate organization.
  2. In the list of Applications, find the one you're interested in and click to open.

You will see a summary page of all vulnerabilities identified by Qwiet, including secrets.

Vulnerabilities Dashboard Indicating Secrets Detected

Click the Findings tab to display a list of the issues identified. You can also uncheck the other finding types to filter the list down to just secrets.

List of Identified Secrets in Qwiet's Dashboard

You can also filter the results based on:

  • Status, which reflects any work your team has done on the issue
  • Assignee, the person responsible for further action
  • One or more Advanced Filters, which let you specify the category (both general and OWASP) and the language of the code