Secrets Auto-Remediation

Automatic Fix for Hard Coded Secrets

Xygeni helps you to automatically fix hardcoded secrets found in your files.

The basic action is to revoke the secret:

  1. When a change is pushed (or a pull request is opened) to a repository in the SCM, the Xygeni secrets scanner searches the changed files for hardcoded secrets.

  2. For every secret found, the scanner verifies it. If verification succeeds and remediation is enabled, the scanner revokes the secret on the end system using type-specific methods (API calls, commands, etc.).

  3. When the scan finishes, the scanner uploads the results to the Xygeni platform.

The Xygeni secrets scanner provides the --auto-remediate flag. With this flag, the scanner automatically tries to revoke each verified secret according to its type.

For example, suppose the secrets scanner finds a GitLab PAT in your project files. If the --auto-remediate flag is provided, the scanner revokes the PAT in the GitLab instance.

xygeni secrets --auto-remediate [rest of flags ...]

Xygeni provides out-of-the-box remediation playbooks for Slack tokens, AWS access keys, Google API keys and GitLab PATs (more will be coming shortly).

Auto-remediation is configured for the secrets scanner. The --auto-remediate flag only takes effect when auto-remediation is enabled in the configuration; if it is disabled, the flag has no effect.

To enable or disable auto-remediation, set the autoRemediationEnabled property in conf/xygeni.secrets.yml:

# File: conf/xygeni.secrets.yml
# Is auto remediation enabled? If true or yes, --auto-remediate can be used to trigger auto remediation.
# Set to false if you want to disable auto remediation.
# This is useful if you want to remediate secrets manually, or only via web UI or automation workflow.
autoRemediationEnabled: yes
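Because the flag is silently inert when the property is disabled, a CI wrapper can check the configuration first and make the decision visible in the log. The script below is an added example, not part of the Xygeni documentation or product; the flat `key: value` reader and the treatment of a missing key as "disabled" are our own assumptions.

```shell
#!/bin/sh
# Added example, not part of the Xygeni documentation or product: gate the
# --auto-remediate flag on the autoRemediationEnabled property documented above,
# since the flag does nothing while that property is disabled. The flat
# `key: value` reader below is our own assumption, not a Xygeni tool.

# auto_remediation_enabled CONF_FILE
# Prints "true" (exit 0) when autoRemediationEnabled is true/yes, ignoring case,
# quotes and inline comments; otherwise prints "false" (exit 1). Assumption:
# a missing file or key is treated as disabled.
auto_remediation_enabled() {
  conf="$1"
  [ -r "$conf" ] || { echo false; return 1; }
  # Only lines that start with the key count, so "# autoRemediationEnabled: yes"
  # (a commented-out line) is skipped; the last occurrence wins.
  val=$(sed -n 's/^[[:space:]]*autoRemediationEnabled[[:space:]]*:[[:space:]]*//p' "$conf" \
        | tail -n 1 | sed 's/[[:space:]]*#.*$//' | tr -d "\"'" | tr '[:upper:]' '[:lower:]')
  case "$val" in
    true|yes) echo true;  return 0 ;;
    *)        echo false; return 1 ;;
  esac
}

# secrets_scan_args CONF_FILE [rest of flags ...]
# Prints the arguments for `xygeni secrets`, adding --auto-remediate only when the
# configuration allows it, and warns on stderr otherwise so a CI log shows why no
# revocation happened instead of silently scanning without remediation.
secrets_scan_args() {
  conf="$1"; shift
  if auto_remediation_enabled "$conf" >/dev/null; then
    echo "secrets --auto-remediate${*:+ $*}"
  else
    echo "warning: autoRemediationEnabled is not true/yes in $conf;" \
         "running without --auto-remediate" >&2
    echo "secrets${*:+ $*}"
  fi
}

# Constructed sample configuration mirroring the documented property (not a real deployment).
demo() {
  tmp=$(mktemp)
  printf '# File: sample\nautoRemediationEnabled: yes\n' > "$tmp"
  secrets_scan_args "$tmp"          # prints: secrets --auto-remediate
  rm -f "$tmp"
}
demo
```

In a pipeline you would pass the printed arguments to the real binary, for example `xygeni $(secrets_scan_args conf/xygeni.secrets.yml [rest of flags ...])`.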

Incident Severity

After a scan run with the --auto-remediate flag, the severity of each issue whose secret was successfully revoked is changed to Info, and the issue is tagged as remediated.

TBD (tokens needed)
