Page 73 - Cyber Defense eMagazine February 2024
Several tools let you automate the scanning process, such as ggshield, which you can run from a pre-commit Git hook so a secret is caught before it ever reaches the repository. Beyond simply locating the secret, any good scanner will also report its type, the number of occurrences, and whether the secret is still valid.
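As an added illustration of what such a report contains (type, occurrence count, a fingerprint instead of the raw value, and a validity field), the following example scanner is written for this page and is not code from the article or from ggshield; the detector patterns are simplified and the sample file contents are constructed, and validity is left as "unverified" because confirming it would require calling the credential's provider.

```python
import hashlib
import re
from dataclasses import dataclass, field

# Simplified detector patterns, constructed for this example. A production scanner
# such as ggshield ships hundreds of detectors and checks whether a match is live.
DETECTORS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_personal_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}


@dataclass
class Finding:
    secret_type: str
    fingerprint: str                 # sha256 prefix, so the report never echoes the secret
    occurrences: int = 0
    locations: list = field(default_factory=list)
    validity: str = "unverified"     # a real scanner would check this against the provider


def scan_files(files):
    """files: dict of path -> text. Returns one Finding per unique secret value."""
    seen = {}
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            for secret_type, pattern in DETECTORS.items():
                for match in pattern.finditer(line):
                    key = (secret_type, match.group(0))
                    if key not in seen:
                        digest = hashlib.sha256(match.group(0).encode()).hexdigest()[:12]
                        seen[key] = Finding(secret_type, digest)
                    seen[key].occurrences += 1
                    seen[key].locations.append(f"{path}:{lineno}")
    return list(seen.values())


# Constructed sample repository contents; the AWS value is the documentation example key.
SAMPLE_FILES = {
    "setup.py": 'AWS_KEY = "AKIAIOSFODNN7EXAMPLE"\n',
    "tests/conf.py": (
        'AWS_KEY = "AKIAIOSFODNN7EXAMPLE"  # same value copied into a test\n'
        'GH_TOKEN = "ghp_0123456789abcdef0123456789abcdef0123"\n'
    ),
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.secret_type}: {f.occurrences} occurrence(s), {f.validity}, "
              f"fingerprint {f.fingerprint}, at {', '.join(f.locations)}")
```

Counting occurrences across files is what turns a single leaked key into a picture of how far it has sprawled, which is the view the report discussed here is built on.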
PyPI secrets sprawl is solvable
[Figure: Unique secrets added over time]
The research ultimately reveals a disturbing trend: the number of secrets being added to PyPI is
growing steadily over time. In the last year alone, the research shows over 1,000 unique secrets have
been added via new projects and commits on PyPI. While this might sound discouraging, this is a
challenge we believe can be addressed through raising awareness, education, and ever-improving
developer tooling. We hope the findings of this report help you raise the issue within your
organizations and projects.
The Python community continues to innovate and work to make all developers' lives better. Donating
useful code back to the community is something we hope to see more people do, but we want to see it
done safely. GitGuardian can help you work safely and keep your projects free of secrets. The
GitGuardian Secrets Detection platform is free for open source contributions and teams with 25 or fewer
developers. We want to make sure your shared code contains only the intended logic and not your valid
secrets.
Hear directly from Tom Forbes about his PyPI research in his appearance on The Security Repo Podcast:
https://www.youtube.com/watch?v=AhH0aGFPoO4
Copyright © 2024, Cyber Defense Magazine. All rights reserved worldwide.