Secrets Auto-Remediation
Last updated
Xygeni helps you to automatically fix hardcoded secrets found in your files.
The basic action is to revoke the secret:
Upon a change pushed (or PR'd) to a repo in the SCM, the xygeni Secrets scanner will search for any hardcoded secret.
For every found secret, the scanner will verify it and, upon successful verification and enabled remediation, the scanner will revoke the secret on the end system through specific methods (API, commands, etc.).
Upon finishing the scan, the scanner will upload the results to Xygeni platform.
Xygeni Secrets scanner provides the --auto-remediate flag. When this flag is given, the scanner automatically tries to revoke each verified secret using the method appropriate to its type.
For example, suppose the secrets scanner finds a GitLab PAT in your project files. If the --auto-remediate flag is provided, the scanner will revoke that PAT on the GitLab instance.
Xygeni provides out-of-the-box remediation playbooks for Slack tokens, AWS access keys, Google API keys and GitLab PATs (more are coming shortly).
Auto-remediation is configured for the secrets scanner. If auto-remediation is enabled in the configuration, --auto-remediate takes effect. If it is not enabled, --auto-remediate has no effect.
To enable or disable auto-remediation, set the autoRemediationEnabled property in conf/xygeni.secrets.yml.
Incident Severity
After a scan run with the --auto-remediate flag, the severity of those issues whose secret was successfully revoked is changed to Info, and the issues are tagged as remediated.
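The following is an added illustrative model of the decision flow described on this page (verified secret, remediation enabled in configuration, flag given, playbook available) and of the severity/tag change applied after a successful revocation. It is not Xygeni's code: the finding schema, the secret-type labels, the revoke callback and the sample findings are all constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Secret types the page lists as having an out-of-the-box remediation playbook.
# The type names are constructed labels, not Xygeni detector ids.
SUPPORTED_TYPES = {"slack_token", "aws_access_key", "google_api_key", "gitlab_pat"}


@dataclass
class Finding:
    """One hardcoded-secret finding (constructed schema, not the scanner's report format)."""
    secret_type: str
    severity: str                 # e.g. "Critical", "High"
    verified: bool                # outcome of the scanner's verification step
    revoked: bool = False
    tags: List[str] = field(default_factory=list)


def should_revoke(f: Finding, auto_remediate_flag: bool, config_enabled: bool) -> bool:
    """Gate from the page: the flag only works when autoRemediationEnabled is set,
    and only verified secrets with a known playbook are revoked."""
    return (
        auto_remediate_flag
        and config_enabled
        and f.verified
        and f.secret_type in SUPPORTED_TYPES
    )


def remediate(findings: List[Finding], auto_remediate_flag: bool, config_enabled: bool,
              revoke: Callable[[Finding], bool]) -> List[Finding]:
    """Apply the gate to every finding; `revoke` stands in for the type-specific
    playbook (API call, command, ...) and returns True on success. Only findings
    that were actually revoked are downgraded to Info and tagged 'remediated';
    unverified, unsupported or failed ones keep their original severity."""
    for f in findings:
        if not should_revoke(f, auto_remediate_flag, config_enabled):
            continue
        if revoke(f):
            f.revoked = True
            f.severity = "Info"
            f.tags.append("remediated")
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Counts a reviewer would want after an auto-remediation run."""
    return {
        "revoked": sum(1 for f in findings if f.revoked),
        "still_open": sum(1 for f in findings if not f.revoked),
    }


def sample_findings() -> List[Finding]:
    # Constructed sample input: three verified+supported, one unverified, one unsupported type.
    return [
        Finding("gitlab_pat", "Critical", verified=True),
        Finding("aws_access_key", "Critical", verified=True),
        Finding("slack_token", "High", verified=False),      # verification failed: left alone
        Finding("generic_api_key", "High", verified=True),   # no playbook: left alone
        Finding("google_api_key", "High", verified=True),
    ]


def fake_revoke(f: Finding) -> bool:
    """Constructed stand-in for the playbooks: it 'fails' for google_api_key to show
    that a failed revocation keeps its original severity and gets no tag."""
    return f.secret_type != "google_api_key"


if __name__ == "__main__":
    result = remediate(sample_findings(), auto_remediate_flag=True,
                       config_enabled=True, revoke=fake_revoke)
    for f in result:
        print(f"{f.secret_type:16} {f.severity:9} {f.tags}")
    print(summarize(result))
```

Running the block prints the two successfully revoked findings at Info with the remediated tag, while the unverified, unsupported and failed ones stay at their original severity; calling remediate with config_enabled=False shows the flag alone changing nothing, as the page states.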