Aqua Security’s new research reveals a troubling issue in Git-based Source Code Management (SCM) systems: code containing secrets remains accessible even after it has been deleted. These so-called ‘phantom’ secrets, such as passwords, tokens, and passkeys, continue to be exposed after removal, primarily because conventional scanning methods often fail to detect them. Aqua’s study highlights that approximately 18% of potentially exposed secrets are missed by typical scanners, which only check the repository contents that a git clone command retrieves.
In their investigation, Aqua analyzed over 50,000 repositories from top organizations on GitHub and discovered significant security flaws. Among these were API tokens and other sensitive data found in public repositories, including Mozilla’s, which granted access to internal tools and systems. This data could lead to severe security breaches, such as unauthorized access to cloud environments, internal project infrastructure, and telemetry platforms.
Aqua’s findings also revealed exposed Meraki API tokens from Fortune 500 companies and an Azure service principal token from a large healthcare provider. These tokens had high privileges and could be used to access critical systems and perform malicious actions, such as supply chain attacks. The persistence of these secrets in repositories underscores the risks associated with hardcoded credentials and inadequate scanning tools.
To address these risks, Aqua advises developers to avoid hardcoding secrets in code and to consider any exposed secrets as compromised. Security best practices include rotating compromised secrets immediately and removing them from public repositories. Despite advancements in secrets scanning tools, the issue remains prevalent, emphasizing the need for continuous vigilance and robust security practices throughout the software development lifecycle.
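The following script is an added example, not code from Aqua or its research, that reproduces the blind spot described above on a throwaway local repository: a constructed fake token is committed, the commit is dropped from the branch, and the repository is then scanned three ways. A scan of reachable history and a scan of a fresh clone both report nothing, while a scan that walks unreachable objects in the object store still finds the token. It assumes only that git is on PATH; the repository, commits, and token are all constructed by the script.

```shell
#!/bin/sh
# Added example (not Aqua's code or tooling): shows why a "deleted" secret
# can survive in a Git repository, why a scanner that starts from `git clone`
# cannot see it, and how a scan of the full object store can. Assumes git is
# on PATH; the repo, commits and token are all constructed here.
set -eu

# Constructed, fake credential; it matches no real service.
FAKE_TOKEN="EXAMPLE_TOKEN_0123456789abcdef"

# build_repo DIR: fresh repo where a config file with the token is committed
# and the commit is then dropped from the branch (git reset --hard), which is
# how a developer typically tries to "un-commit" a leaked credential.
build_repo() {
    dir="$1"
    rm -rf "$dir"
    git init -q "$dir"
    git -C "$dir" config user.email "dev@example.invalid"
    git -C "$dir" config user.name "Example Dev"
    echo "# app" > "$dir/README.md"
    git -C "$dir" add README.md
    git -C "$dir" commit -q -m "init"
    printf 'API_TOKEN=%s\n' "$FAKE_TOKEN" > "$dir/config.env"
    git -C "$dir" add config.env
    git -C "$dir" commit -q -m "add config"
    # The leak is noticed and the commit is removed from the branch.
    git -C "$dir" reset -q --hard HEAD~1
}

# scan_reachable DIR: what a history-based scanner sees, i.e. the diff of
# every commit reachable from some ref. Prints the number of matching lines.
scan_reachable() {
    git -C "$1" log --all -p | grep -c "$FAKE_TOKEN" || true
}

# scan_all_objects DIR: also walks unreachable objects. They stay in
# .git/objects until gc prunes them, even though no ref points at them.
# --no-reflogs ignores the local reflog, which clone and push never transfer.
scan_all_objects() {
    count=0
    for obj in $(git -C "$1" fsck --unreachable --no-reflogs 2>/dev/null |
                 awk '$1 == "unreachable" && $2 == "blob" { print $3 }'); do
        if git -C "$1" cat-file -p "$obj" | grep -q "$FAKE_TOKEN"; then
            count=$((count + 1))
        fi
    done
    echo "$count"
}

# scan_fresh_clone DIR: what a tool that begins with `git clone` can ever see.
# The transfer only includes objects reachable from advertised refs, so the
# dropped commit and its blob are never sent (--no-local forces the normal
# transfer path instead of hardlinking the whole object directory).
scan_fresh_clone() {
    clone="$1.clone"
    rm -rf "$clone"
    git clone -q --no-local "$1" "$clone" 2>/dev/null
    scan_all_objects "$clone"
    rm -rf "$clone"
}

demo="${TMPDIR:-/tmp}/phantom-secret-demo.$$"
build_repo "$demo"
echo "matches in reachable history: $(scan_reachable "$demo")"   # 0
echo "matches in a fresh clone:     $(scan_fresh_clone "$demo")" # 0
echo "matches in the object store:  $(scan_all_objects "$demo")" # 1
rm -rf "$demo"
```

The scan of unreachable objects is the check to run on the repository copy that actually holds the history (the server-side or original working copy), not on a clone made for the scan. Running git gc with pruning on that copy removes the orphaned blob locally, but it cannot recall copies already fetched by anyone else, which is why the advice to treat such a secret as compromised and rotate it stands regardless of how thoroughly the history is cleaned.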