Badsecrets
What is this?
This report identifies weak or known cryptographic secrets (keys, signing secrets, etc.) detected across many web frameworks and contexts.
How can this happen?
Cryptographic secrets can sometimes inadvertently make their way into production code. This can occur in a number of ways, including but not limited to:
- Code reuse
- Copying code from online sources
- Cloning or Forking repositories with example configurations
- Using example code from official documentation for testing purposes and then not replacing it in production.
What should I do?
- These known “bad” secrets should not be in use. If you receive an alert from us, make sure to replace these known “secrets” with secure values in your applications, but also investigate the platform for evidence of potential earlier misuse/compromise.
- Review your processes regarding code reuse.
- Implement CI/CD pipelines that include checks for known or weak cryptographic secrets before publishing.
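A minimal pre-publish check of the kind the last item describes, as an added example that is not the report's or the Badsecrets project's own code: it scans config lines whose key name looks like a secret, flags values that appear on a denylist of known placeholder secrets, and flags values that are too short or too uniform to have been randomly generated. The denylist entries, key-name pattern, thresholds and sample config are all constructed for this illustration.

```python
import math
import re
from collections import Counter
from typing import List, Optional, Tuple

# Constructed denylist of placeholder "known" secrets (not a real list of framework defaults).
KNOWN_BAD_SECRETS = {"changeme", "example-signing-key-do-not-use", "replace-with-real-secret"}

# Hypothetical convention: any KEY=value or key: value line whose name contains one of these words.
SECRET_KEY_PATTERN = re.compile(
    r'^\s*(?P<name>[A-Za-z_]*(?:SECRET|KEY|TOKEN|PASSWORD)[A-Za-z_]*)\s*[=:]\s*["\']?(?P<value>[^"\'\s]+)["\']?\s*$',
    re.IGNORECASE,
)
MIN_LENGTH = 32            # constructed threshold: shorter values are treated as weak
MIN_BITS_PER_CHAR = 3.0    # constructed threshold: below this the value is too repetitive


def shannon_entropy(value: str) -> float:
    """Shannon entropy of the value in bits per character (0.0 for a single repeated char)."""
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values())


def classify_secret(value: str) -> Optional[str]:
    """Return a finding label for a weak or known secret, or None if it passes the checks."""
    if value.lower() in KNOWN_BAD_SECRETS:
        return "known-bad"
    if len(value) < MIN_LENGTH:
        return "too-short"
    if shannon_entropy(value) < MIN_BITS_PER_CHAR:
        return "low-entropy"
    return None


def scan_config(text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, key name, finding) for every secret-looking line that fails a check."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = SECRET_KEY_PATTERN.match(line)
        if m and (verdict := classify_secret(m.group("value"))):
            findings.append((lineno, m.group("name"), verdict))
    return findings


# Constructed sample config: one known placeholder, one short key, one repetitive key, one sound key.
SAMPLE_CONFIG = """\
DEBUG=false
SECRET_KEY="changeme"
JWT_SIGNING_KEY=abcdefgh
SESSION_KEY=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
API_TOKEN=Qv9xJ2pL7mN4sR8tW1yZ3bC5dF6gH0kA9eU2iO4p
"""

if __name__ == "__main__":
    for lineno, name, verdict in scan_config(SAMPLE_CONFIG):
        print(f"line {lineno}: {name} -> {verdict}")
```

In a pipeline the script would exit non-zero when scan_config returns any finding, blocking the publish step until the value is replaced.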
Further Reading
https://blog.blacklanternsecurity.com/p/introducing-badsecrets
https://www.shadowserver.org/what-we-do/network-reporting/badsecrets-report/