Akeyless Security’s Post

🚨 Aqua Security has uncovered a significant risk in Git-based Source Code Management (SCM) systems like GitHub, GitLab, and Bitbucket. Deleted or updated secrets—like API tokens and credentials—can persist in these systems, creating "phantom secrets." 🚨 Why This Matters To You Even if developers overwrite or delete these secrets, they can remain accessible. This vulnerability has led to major exposures, notably in high-profile projects like Mozilla and Cisco Meraki. Here's the scoop: when developers commit hard-coded secrets in SCMs and then overwrite or delete them, these secrets can still persist in the repository versions. This makes them easy prey for malicious actors, especially in open-source projects or public repositories. The Scanner Shortfall Most secrets scanners today can't effectively scan these buried files. They typically use the git clone command to snapshot and scan repositories, missing some files deep in the file system. However, attackers who know what to look for can find them. The Takeaway Developers should never commit code with hard-coded secrets. Regularly rotate secrets and view secrets management as a full SDLC challenge. At Akeyless, we focus on making secrets management seamless and secure for developers from day one. Our solution not only secures your development lifecycle but also simplifies it and massively reduces costs by removing the burden of servers and maintenance. Protect your enterprise from the hidden risks of phantom secrets. Learn how Akeyless can help you secure your development lifecycle from start to finish like our Fortune 500 clients. Read this compelling research today. #DevOps #DevSecOps #GitHub #GitLab #Bitbucket

🚨 Aqua Security has uncovered a significant risk in Git-based Source Code Management (SCM) systems like GitHub, GitLab, and Bitbucket. Deleted or updated secrets—like API tokens and credentials—can persist in these systems, creating "phantom secrets." 🚨 Why This Matters To You Even if developers overwrite or delete these secrets, they can remain accessible. This vulnerability has led to major exposures, notably in high-profile projects like Mozilla and Cisco Meraki. Here's the scoop: when developers commit hard-coded secrets in SCMs and then overwrite or delete them, these secrets can still persist in the repository versions. This makes them easy prey for malicious actors, especially in open-source projects or public repositories. The Scanner Shortfall Most secrets scanners today can't effectively scan these buried files. They typically use the git clone command to snapshot and scan repositories, missing some files deep in the file system. However, attackers who know what to look for can find them. The Takeaway Developers should never commit code with hard-coded secrets. Regularly rotate secrets and view secrets management as a full SDLC challenge. At Akeyless, we focus on making secrets management seamless and secure for developers from day one. Our solution not only secures your development lifecycle but also simplifies it and massively reduces costs by removing the burden of servers and maintenance. Protect your enterprise from the hidden risks of phantom secrets. Learn how Akeyless can help you secure your development lifecycle from start to finish like our Fortune 500 clients. Read this compelling research today. #DevOps #DevSecOps #GitHub #GitLab #Bitbucket

🚨 Aqua Security has uncovered a significant risk in Git-based Source Code Management (SCM) systems like GitHub, GitLab, and Bitbucket. Deleted or updated secrets—like API tokens and credentials—can persist in these systems, creating "phantom secrets." 🚨 Why This Matters To You Even if developers overwrite or delete these secrets, they can remain accessible. This vulnerability has led to major exposures, notably in high-profile projects like Mozilla and Cisco Meraki. Here's the scoop: when developers commit hard-coded secrets in SCMs and then overwrite or delete them, these secrets can still persist in the repository versions. This makes them easy prey for malicious actors, especially in open-source projects or public repositories. The Scanner Shortfall Most secrets scanners today can't effectively scan these buried files. They typically use the git clone command to snapshot and scan repositories, missing some files deep in the file system. However, attackers who know what to look for can find them. The Takeaway Developers should never commit code with hard-coded secrets. Regularly rotate secrets and view secrets management as a full SDLC challenge. At Akeyless, we focus on making secrets management seamless and secure for developers from day one. Our solution not only secures your development lifecycle but also simplifies it and massively reduces costs by removing the burden of servers and maintenance. Protect your enterprise from the hidden risks of phantom secrets. Learn how Akeyless can help you secure your development lifecycle from start to finish like our Fortune 500 clients. Read this compelling research today. #DevOps #DevSecOps #GitHub #GitLab #Bitbucket

🚨 Aqua Security has uncovered a significant risk in Git-based Source Code Management (SCM) systems like GitHub, GitLab, and Bitbucket. Deleted or updated secrets—like API tokens and credentials—can persist in these systems, creating "phantom secrets." 🚨 Why This Matters To You Even if developers overwrite or delete these secrets, they can remain accessible. This vulnerability has led to major exposures, notably in high-profile projects like Mozilla and Cisco Meraki. Here's the scoop: when developers commit hard-coded secrets in SCMs and then overwrite or delete them, these secrets can still persist in the repository versions. This makes them easy prey for malicious actors, especially in open-source projects or public repositories. The Scanner Shortfall Most secrets scanners today can't effectively scan these buried files. They typically use the git clone command to snapshot and scan repositories, missing some files deep in the file system. However, attackers who know what to look for can find them. The Takeaway Developers should never commit code with hard-coded secrets. Regularly rotate secrets and view secrets management as a full SDLC challenge. At Akeyless, we focus on making secrets management seamless and secure for developers from day one. Our solution not only secures your development lifecycle but also simplifies it and massively reduces costs by removing the burden of servers and maintenance. Protect your enterprise from the hidden risks of phantom secrets. Learn how Akeyless can help you secure your development lifecycle from start to finish like our Fortune 500 clients. Read this compelling research today. #DevOps #DevSecOps #GitHub #GitLab #Bitbucket

🚨 Aqua Security has uncovered a significant risk in Git-based Source Code Management (SCM) systems like GitHub, GitLab, and Bitbucket. Deleted or updated secrets—like API tokens and credentials—can persist in these systems, creating "phantom secrets." 🚨 Why This Matters To You Even if developers overwrite or delete these secrets, they can remain accessible. This vulnerability has led to major exposures, notably in high-profile projects like Mozilla and Cisco Meraki. Here's the scoop: when developers commit hard-coded secrets in SCMs and then overwrite or delete them, these secrets can still persist in the repository versions. This makes them easy prey for malicious actors, especially in open-source projects or public repositories. The Scanner Shortfall Most secrets scanners today can't effectively scan these buried files. They typically use the git clone command to snapshot and scan repositories, missing some files deep in the file system. However, attackers who know what to look for can find them. The Takeaway Developers should never commit code with hard-coded secrets. Regularly rotate secrets and view secrets management as a full SDLC challenge. At Akeyless, we focus on making secrets management seamless and secure for developers from day one. Our solution not only secures your development lifecycle but also simplifies it and massively reduces costs by removing the burden of servers and maintenance. Protect your enterprise from the hidden risks of phantom secrets. Learn how Akeyless can help you secure your development lifecycle from start to finish like our Fortune 500 clients. Read this compelling research today. #DevOps #DevSecOps #GitHub #GitLab #Bitbucket

🚨 Aqua Security has uncovered a significant risk in Git-based Source Code Management (SCM) systems like GitHub, GitLab, and Bitbucket. Deleted or updated secrets—like API tokens and credentials—can persist in these systems, creating "phantom secrets." 🚨 Why This Matters To You Even if developers overwrite or delete these secrets, they can remain accessible. This vulnerability has led to major exposures, notably in high-profile projects like Mozilla and Cisco Meraki. Here's the scoop: when developers commit hard-coded secrets in SCMs and then overwrite or delete them, these secrets can still persist in the repository versions. This makes them easy prey for malicious actors, especially in open-source projects or public repositories. The Scanner Shortfall Most secrets scanners today can't effectively scan these buried files. They typically use the git clone command to snapshot and scan repositories, missing some files deep in the file system. However, attackers who know what to look for can find them. The Takeaway Developers should never commit code with hard-coded secrets. Regularly rotate secrets and view secrets management as a full SDLC challenge. At Akeyless, we focus on making secrets management seamless and secure for developers from day one. Our solution not only secures your development lifecycle but also simplifies it and massively reduces costs by removing the burden of servers and maintenance. Protect your enterprise from the hidden risks of phantom secrets. Learn how Akeyless can help you secure your development lifecycle from start to finish like our Fortune 500 clients. Read this compelling research today. #DevOps #DevSecOps #GitHub #GitLab #Bitbucket

Looking to advance your organization's security posture and assure compliance? Trying to determine if GitLab Ultimate or GitHub Advanced Security is the right fit? Look no further, GitLab is the most comprehensive AI-powered DevSecOps platform, enabling organizations to deliver more secure software faster with one platform for your entire software delivery lifecycle. GitHub provides an Advanced Security add-on, which enables additional security features within GitHub. However, it lacks the depth and breadth of security and governance features provided natively by GitLab. Organizations looking to enhance their security posture across all areas of the SDLC can use this guide to compare the two offerings and as a tutorial to move to the GitLab platform: https://lnkd.in/gqwuZ-UP

Struggling with Advanced Security at scale? You aren’t alone. Check out the latest blog from Fern about migrating your compliant workflow. GitLab’s secure-by-design approach allows you to create and enforce secure workflows as code.

Are you looking to make the move to GitLab Ultimate so you can enhance security across all areas of the SDLC? 🔒 Then this tutorial from Fernando Diaz is for you. Read more ⬇️

Are you looking to make the move to GitLab Ultimate so you can enhance security across all areas of the SDLC? 🔒 Then this tutorial from Fernando Diaz is for you. Read more ⬇️