GitGuardian today added a tool that makes it possible for DevOps teams to search GitHub repositories to determine if application secrets have inadvertently found their way into other applications.
Vikram Ghosh, chief growth officer for GitGuardian, said the HasMySecretLeaked toolset makes it possible to determine if developers have copied and pasted application secrets from one repository into another without permission.
The toolset is based on a private database that houses more than 20 million records of hashed secrets that have been found in public sources, including GitHub.com. Users can query the database by submitting a hashed version of their secret in the search console. The GitGuardian toolset will then search for perfect matches without revealing any other secrets or their locations, said Ghosh.
Alternatively, DevOps teams that have adopted the GitGuardian platform to protect secrets can use a command-line interface (CLI) exposed via the ggshield tool to launch queries. That tool also includes plug-ins for pulling secrets from tools such as HashiCorp Vault and AWS Secrets Manager and staging them in local environments to surface potential leaks. Eventually, HasMySecretLeaked will be extended to add support for additional repositories, noted Ghosh.
Collectively, those capabilities make it possible for organizations to audit how application secrets are being secured, he added.
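To make the hashed-lookup idea concrete, the following is an added illustration, not GitGuardian's or ggshield's code and not their actual protocol. It assumes a simplistic model: a local scanner finds candidate hard-coded secrets in source text, hashes each one with SHA-256 so the plaintext never leaves the client, and the server side does nothing more than an exact match of that digest against a database of hashed records. The source snippet, the detector patterns and the "leak database" are all constructed stand-ins with fake values.

```python
from __future__ import annotations

import hashlib
import re

# Constructed source snippet containing hard-coded credentials.
# The values are fake and exist only for this illustration.
SAMPLE_SOURCE = """
DB_URL = "postgres://app:hunter2-example@db.internal:5432/app"
AWS_KEY = "AKIAEXAMPLE000000001"
api_token = "ghp_exampleexampleexampleexampleexample0001"
region = "eu-west-1"
"""

# Illustrative detectors for a few common secret shapes.
# These are assumptions for the example, not ggshield's real detection rules.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36,}\b"),
    # Password embedded in a connection URL: scheme://user:PASSWORD@host
    "url_password": re.compile(r"://[^:/\s]+:([^@\s]+)@"),
}


def find_candidate_secrets(source: str) -> list[tuple[str, str]]:
    """Client side: return (detector name, candidate secret) pairs found in source."""
    found: list[tuple[str, str]] = []
    for name, pattern in SECRET_PATTERNS.items():
        for match in pattern.finditer(source):
            # Use the capture group when the pattern has one, else the whole match.
            value = match.group(1) if match.groups() else match.group(0)
            found.append((name, value))
    return found


def hash_secret(secret: str) -> str:
    """Client side: SHA-256 digest of the secret; only this digest is ever shared."""
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()


# Constructed stand-in for the server-side database of hashed leaked secrets.
# In a real deployment this would be large and never contain plaintext.
LEAK_DB: set[str] = {
    hash_secret("AKIAEXAMPLE000000001"),      # the fake AWS key above "leaked"
    hash_secret("some-other-leaked-secret"),  # unrelated record, never revealed
}


def lookup_hashed(secret_hash: str, leak_db: set[str] = LEAK_DB) -> bool:
    """Server side: exact match on the digest only.

    A miss reveals nothing about other records, and a hit reveals only that
    this exact secret is known to have leaked, not where it was found.
    """
    return secret_hash in leak_db


def audit(source: str, leak_db: set[str] = LEAK_DB) -> list[tuple[str, bool]]:
    """Scan source locally, then query the hashed-leak database for each candidate."""
    results: list[tuple[str, bool]] = []
    for name, value in find_candidate_secrets(source):
        results.append((name, lookup_hashed(hash_secret(value), leak_db)))
    return results


if __name__ == "__main__":
    for name, leaked in audit(SAMPLE_SOURCE):
        print(f"{name:20s} leaked={leaked}")
```

The point of the design is the boundary between the two halves: detection and hashing happen on the developer's machine, and the only value sent to the lookup service is a digest, so a query cannot disclose the secret itself and a response cannot disclose anything beyond the yes/no for that one digest. Running the audit in a pre-deployment pipeline step is the natural place for it, since that is where a hard-coded credential is still cheap to remove.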
The GitGuardian platform scans every public commit on GitHub for leaks, spanning API keys, database assignments and developer secrets. In 2022, GitGuardian found 10 million secrets that had been exposed.
Secrets management is, of course, getting more attention as more organizations review their software supply chain processes in the wake of a series of high-profile security breaches. It’s still early days as far as adopting DevSecOps best practices to secure those software supply chains, but it’s clear more responsibility for application security is being shifted left toward developers and the DevOps teams that support them.
The challenge is that many developers still hard-code secrets in plain text into applications to create shortcuts as software is developed. Unfortunately, many of them forget to remove those secrets before an application is deployed in a production environment. Once an application is deployed in a production environment, it may be months before anyone discovers there is an issue—if it’s discovered at all. In the meantime, cybercriminals have become more adept at using scanning tools to discover those secrets.
DevOps teams can reduce the number of applications that might have this issue by making it easier to discover secrets within applications before they are deployed. In the meantime, it’s only a matter of time before more stringent regulations require organizations to revisit the security of software supply chains. Countries around the world are debating legislation that would hold organizations much more accountable for the security of the applications they build and deploy.
Hopefully, DevOps teams will implement DevSecOps best practices to get in front of those issues before any fines are levied. But the challenge, as always, is ensuring application security without adversely impacting the rate at which software is currently being built.