-
ggshield
Find and fix 360+ types of hardcoded secrets and 70+ types of infrastructure-as-code misconfigurations.
-
InfluxDB
Power Real-Time Data Analytics at Scale. Get real-time insights from all types of time series data with InfluxDB. Ingest, query, and analyze billions of data points in real-time with unbounded cardinality.
First up is the leaked TLS private key. Poor Corp added their wildcard certificate to their GitLab image, but they didn’t consider that anyone could steal the private key from the Docker image once published on Docker Hub. Rather than adding sensitive files and hardcoded environment variables to their containers while they were being built, Poor Corp should have used runtime environment variables and mounted volumes to pass secrets into the container—by the way, ggshield, the secrets detection CLI from GitGuardian, has a command for scanning Docker images. If you find that you’ve also made this mistake, you need to immediately revoke any certificates or credentials that were exposed.
Related posts
-
Infrastructure as Code Security [Security Zines]
-
How To Use ggshield To Avoid Hardcoded Secrets [cheat sheet included]
-
How to make security policies a team effort
-
How To Setup Your Jenkins Pipeline with GitGuardian in Kubernetes
-
Secrets: A command-line tool to prevent committing secret keys into your source