# Secrets Auto-Remediation

### Automatic Fix for Hard Coded Secrets <a href="#automatic-fix-for-open-source-vulnerabilities" id="automatic-fix-for-open-source-vulnerabilities"></a>

Xygeni helps you to automatically fix hardcoded secrets found in your files.

The basic action is to **revoke the secret:**

1. When a change is pushed (or a pull request is opened) to a repository in the SCM, the Xygeni [Secrets scanner](https://docs.xygeni.io/xygeni-products/secrets-security/secrets-scanner) searches the files for hardcoded secrets.
2. **For every secret found**, the scanner [**verifies**](https://docs.xygeni.io/xygeni-products/secrets-scanner#secrets-verification) it against the target system. If verification succeeds and auto-remediation is enabled, the scanner **revokes** the secret on that system using a method specific to the secret type (API call, command, etc.).
3. When the scan finishes, the scanner **uploads** the results to the Xygeni platform.

<figure><img src="https://4096647782-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FUTz59rJLkJBjiRWAMknU%2Fuploads%2FfFZARBZyCpRe5HyKYicJ%2Fimage.png?alt=media&#x26;token=677abef3-4222-4d78-84e2-cb43a49a25f3" alt="" width="488"><figcaption></figcaption></figure>

[Xygeni Secrets scanner](https://docs.xygeni.io/xygeni-products/secrets-security/secrets-scanner) provides the **`--auto-remediate`** flag. With this flag the scanner automatically tries to revoke each verified secret, using the revocation method that matches its type.

For example, if the secrets scanner finds a GitLab personal access token (PAT) in your project files and `--auto-remediate` is set, the scanner revokes that PAT on the GitLab instance it belongs to.

```bash
xygeni secrets --auto-remediate [rest of flags ...]
```

Xygeni provides out-of-the-box remediation playbooks for Slack tokens, AWS access keys, Google API keys and GitLab PATs; more playbooks are planned.

Auto-remediation must also be enabled in the secrets scanner configuration: if it is enabled, **`--auto-remediate`** revokes verified secrets; if it is disabled, passing **`--auto-remediate`** does not trigger any revocation.
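The verify-then-revoke flow described above, applied to the GitLab PAT playbook, as an added example that is not Xygeni's own code: a token found in file content is verified against GitLab, revoked only if it is live and both the `autoRemediationEnabled` setting and the `--auto-remediate` flag are on, and then downgraded to `Info` and tagged `remediated`, as the scanner does. The HTTP transport is injected so the example runs offline against an in-memory fake GitLab; the endpoints (`GET /api/v4/user` for verification, `DELETE /api/v4/personal_access_tokens/self` for self-revocation), the `Critical` starting severity, the tokens and the sample file are assumptions or constructed data.

```python
"""Verify-then-revoke playbook for a leaked GitLab personal access token (PAT).

Added example, not Xygeni's own code. The HTTP transport is injected so the
logic runs offline; the GitLab endpoints are assumptions taken from the public
GitLab REST API (verify: GET /api/v4/user, self-revoke:
DELETE /api/v4/personal_access_tokens/self).
"""
import json
import re
from dataclasses import dataclass, field
from urllib import error, request

# GitLab PATs carry the "glpat-" prefix followed by a 20-character body.
GITLAB_PAT_RE = re.compile(r"glpat-[A-Za-z0-9_-]{20}(?![A-Za-z0-9_-])")


@dataclass
class Finding:
    secret: str
    kind: str = "gitlab_pat"
    severity: str = "Critical"  # assumed initial severity for a live token
    tags: list = field(default_factory=list)
    verified: bool = False
    revoked: bool = False


def find_gitlab_pats(text):
    """Step 1: locate candidate GitLab PATs in file content."""
    return [Finding(secret=m) for m in GITLAB_PAT_RE.findall(text)]


def urllib_transport(method, url, headers):
    """Real transport, returns (status, json_body). Not used by the offline demo."""
    req = request.Request(url, method=method, headers=headers)
    try:
        with request.urlopen(req, timeout=10) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else {})
    except error.HTTPError as exc:
        return exc.code, {}


def verify_gitlab_pat(token, base_url, http):
    """Step 2a: a PAT is live if GitLab accepts it on an authenticated endpoint."""
    status, _ = http("GET", f"{base_url}/api/v4/user", {"PRIVATE-TOKEN": token})
    return status == 200


def revoke_gitlab_pat(token, base_url, http):
    """Step 2b: ask GitLab to revoke the token that authenticates this request."""
    status, _ = http("DELETE", f"{base_url}/api/v4/personal_access_tokens/self",
                     {"PRIVATE-TOKEN": token})
    return status == 204


def remediate(findings, base_url, http, auto_remediation_enabled, auto_remediate_flag):
    """Apply the playbook to each finding with the scanner's gating: only verified
    secrets are ever revoked, and only when both the config switch
    (autoRemediationEnabled) and the CLI flag (--auto-remediate) are on."""
    for f in findings:
        f.verified = verify_gitlab_pat(f.secret, base_url, http)
        if not f.verified:
            continue  # dead or unknown token: report it, never call revoke
        if not (auto_remediation_enabled and auto_remediate_flag):
            continue  # remediation not requested: severity stays as reported
        if revoke_gitlab_pat(f.secret, base_url, http):
            f.revoked = True
            f.severity = "Info"          # revoked secrets are downgraded ...
            f.tags.append("remediated")  # ... and tagged for the platform
    return findings


# --- constructed sample data: fake tokens, fake GitLab instance ---------------
LIVE_TOKEN = "glpat-LIVEtoken0000000000A"  # constructed, 20-character body
DEAD_TOKEN = "glpat-DEADtoken0000000000B"  # constructed, 20-character body
SAMPLE_FILE = f"""
# constructed .env file committed by mistake
GITLAB_TOKEN={LIVE_TOKEN}
OLD_TOKEN={DEAD_TOKEN}
"""


class FakeGitLab:
    """In-memory stand-in for a GitLab instance: tracks which PATs are live."""

    def __init__(self, live_tokens):
        self.live = set(live_tokens)
        self.calls = []  # (method, path) log, to check what the playbook did

    def __call__(self, method, url, headers):
        self.calls.append((method, url.rsplit("/api/v4/", 1)[-1]))
        token = headers.get("PRIVATE-TOKEN")
        if token not in self.live:
            return 401, {}
        if method == "DELETE" and url.endswith("/personal_access_tokens/self"):
            self.live.discard(token)  # token is revoked from now on
            return 204, {}
        return 200, {"username": "ci-bot"}


def run_demo(auto_remediation_enabled=True, auto_remediate_flag=True):
    gitlab = FakeGitLab(live_tokens={LIVE_TOKEN})
    findings = remediate(find_gitlab_pats(SAMPLE_FILE), "https://gitlab.example",
                         gitlab, auto_remediation_enabled, auto_remediate_flag)
    return findings, gitlab


if __name__ == "__main__":
    found, fake = run_demo()
    for f in found:
        print(f.secret, f.severity, f.tags, "verified" if f.verified else "unverified")
    print("live token still accepted:",
          verify_gitlab_pat(LIVE_TOKEN, "https://gitlab.example", fake))
```

Running the module only touches the in-memory fake. Passing `urllib_transport` and a real base URL to `remediate` would revoke real tokens, so do that only with a token you intend to burn.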

{% hint style="info" %}
To enable or disable auto-remediation, set the `autoRemediationEnabled` property in `conf/xygeni.secrets.yml`:
{% endhint %}

```yaml
# File: conf/xygeni.secrets.yml
# Is auto remediation enabled? If true or yes, --auto-remediate can be used to trigger auto remediation.
# Set to false if you want to disable auto remediation.
# This is useful if you want to remediate secrets manually, or only via web UI or automation workflow.
autoRemediationEnabled: yes
```

{% hint style="info" %}
**Incident Severity**

After a run with the **`--auto-remediate`** flag, the **severity** of each issue whose secret was successfully revoked is changed to **`Info`** and the issue is tagged **`remediated`**.
{% endhint %}
