Secrets Auto-Remediation
Automatic Fix for Hard Coded Secrets
Xygeni can automatically remediate hardcoded secrets found in your files.
The basic action is to revoke the secret at the system that issued it:
Upon a change pushed (or PR'd) to a repo in the SCM, the Xygeni Secrets scanner searches the changed files for hardcoded secrets.
For each secret found, the scanner verifies it against the end system; if verification succeeds and remediation is enabled, the scanner revokes the secret there through a type-specific method (API call, command, etc.).
When the scan finishes, the scanner uploads the results to the Xygeni platform.
Note that revocation only neutralizes the credential: the leaked value still sits in the file (and in the repository history) and should be removed and replaced with a fresh one.

The Xygeni Secrets scanner provides the --auto-remediate flag. With this flag, the scanner automatically tries to revoke each verified secret according to its type.
For example, if the secrets scanner finds a GitLab PAT in your project files and --auto-remediate was given, the scanner revokes that PAT on the GitLab instance.
xygeni secrets --auto-remediate [rest of flags ...]
Xygeni provides out-of-the-box remediation playbooks for Slack, AWS access keys, Google API keys and GitLab PATs (more are coming shortly).
Auto-remediation is gated by the secrets scanner configuration. --auto-remediate only takes effect when auto-remediation is enabled there; if it is disabled, passing --auto-remediate does not revoke anything.
# File: conf/xygeni.secrets.yml
# Is auto remediation enabled? If true or yes, --auto-remediate can be used to trigger auto remediation.
# Set to false if you want to disable auto remediation.
# This is useful if you want to remediate secrets manually, or only via web UI or automation workflow.
autoRemediationEnabled: yes
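The flow described above (find, verify, then revoke only when both the flag and the configuration allow it), as an added example that is not Xygeni's own code. It is assumed here, not stated on this page, that GitLab PATs look like "glpat-" plus 20 URL-safe characters, and that GitLab exposes GET and DELETE /api/v4/personal_access_tokens/self to check and revoke the calling token (check the GitLab API docs for your version). The FakeGitLab class and the sample files are constructed so the script runs offline; in a real playbook the same two calls would go over HTTPS with the found token as the bearer credential.

```python
"""Illustrative verify-then-revoke flow for hardcoded GitLab PATs.

Added example, not Xygeni's own code. Assumptions (not from the page):
the glpat- token format, the GitLab self-check/self-revoke endpoints,
and the FakeGitLab stand-in that lets this run offline.
"""
import re
from dataclasses import dataclass

# Assumed GitLab PAT shape: "glpat-" followed by 20 URL-safe characters.
GITLAB_PAT = re.compile(r"\bglpat-[0-9A-Za-z_-]{20}\b")


def auto_remediation_enabled(config_text: str) -> bool:
    """Read autoRemediationEnabled from xygeni.secrets.yml-style text.

    Minimal line parser (no YAML library): strips '#' comments and accepts
    the true/yes/on spellings. Anything else, or a missing key, is off.
    """
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("autoRemediationEnabled:"):
            return line.split(":", 1)[1].strip().lower() in ("true", "yes", "on")
    return False


class FakeGitLab:
    """Constructed stand-in for the GitLab API: just a set of live tokens."""

    def __init__(self, live_tokens):
        self.live = set(live_tokens)

    def request(self, method: str, path: str, token: str) -> int:
        if token not in self.live:
            return 401  # a revoked or unknown token cannot authenticate
        if path != "/api/v4/personal_access_tokens/self":
            return 404
        if method == "GET":
            return 200  # token is live
        if method == "DELETE":
            self.live.discard(token)  # revocation takes effect immediately
            return 204
        return 405


def verify_gitlab_pat(api, token: str) -> bool:
    """Step 1: prove the token is live before touching anything."""
    return api.request("GET", "/api/v4/personal_access_tokens/self", token) == 200


def revoke_gitlab_pat(api, token: str) -> bool:
    """Step 2: revoke the token through the (assumed) self-revocation endpoint."""
    return api.request("DELETE", "/api/v4/personal_access_tokens/self", token) == 204


@dataclass
class Finding:
    path: str
    secret: str
    verified: bool = False
    revoked: bool = False
    note: str = ""


def scan(files: dict, api, config_text: str, auto_remediate: bool) -> list:
    """Scan file contents; revoke only when verified AND flag AND config allow."""
    enabled = auto_remediation_enabled(config_text)
    findings = []
    for path, content in files.items():
        for match in GITLAB_PAT.finditer(content):
            f = Finding(path=path, secret=match.group(0))
            f.verified = verify_gitlab_pat(api, f.secret)
            if not f.verified:
                f.note = "not live; nothing to revoke"
            elif not auto_remediate:
                f.note = "live; --auto-remediate not given"
            elif not enabled:
                f.note = "live; autoRemediationEnabled is off in config"
            else:
                f.revoked = revoke_gitlab_pat(api, f.secret)
                f.note = "revoked" if f.revoked else "revoke failed"
            findings.append(f)
    return findings


# Constructed sample repo: one live token, one already-rotated token.
LIVE_TOKEN = "glpat-EXAMPLEEXAMPLE123456"
STALE_TOKEN = "glpat-STALESTALESTALE12345"
SAMPLE_FILES = {
    "ci/deploy.sh": f'export GITLAB_TOKEN="{LIVE_TOKEN}"\n',
    "docs/old.md": f"Old token was {STALE_TOKEN} (rotated last quarter)\n",
}
CONFIG_ON = "# conf/xygeni.secrets.yml\nautoRemediationEnabled: yes\n"
CONFIG_OFF = "autoRemediationEnabled: false\n"


def demo(config_text: str = CONFIG_ON, auto_remediate: bool = True):
    """Run one scan against a fresh fake GitLab; returns (findings, api)."""
    api = FakeGitLab(live_tokens=[LIVE_TOKEN])
    return scan(SAMPLE_FILES, api, config_text, auto_remediate), api


if __name__ == "__main__":
    for cfg, flag in ((CONFIG_ON, True), (CONFIG_ON, False), (CONFIG_OFF, True)):
        for f in demo(cfg, flag)[0]:
            print(f"{f.path}: verified={f.verified} revoked={f.revoked} ({f.note})")
```

Running it shows the three outcomes that matter: with the flag and autoRemediationEnabled the live token in ci/deploy.sh is revoked while the stale token in docs/old.md is reported but left alone (verification failed, so there is nothing to revoke); without the flag, or with the config switch off, the live token is reported but not revoked. The verify step before revoke is what keeps a playbook from acting on false positives or already-rotated values.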