Profile Applicability:
Level 1
Description:
Automated or manual scanners should be used to detect the presence of sensitive data—such as passwords, API keys, tokens, or confidential information—in deployment configuration files, including Infrastructure as Code (IaC) templates, Kubernetes manifests, and deployment scripts. Preventing sensitive data exposure in configurations reduces the risk of credential leaks and unauthorized access.
Rationale:
Deployment configurations often contain critical details used during provisioning and deployment. Embedding sensitive data in these files increases the attack surface and may lead to data breaches if the files are exposed or committed to version control. Scanning helps identify and mitigate such risks early in the deployment lifecycle.
Impact:
Pros:
Reduces the risk of accidental exposure of sensitive credentials or secrets.
Enhances compliance with data protection policies and regulations.
Improves overall security posture by enforcing best practices.
Cons:
Requires setup and maintenance of scanning tools and processes.
May generate false positives requiring manual review.
Default value:
Sensitive data may be inadvertently included in deployment configurations without detection.
Audit:
Review scanning logs and reports for findings of sensitive data in deployment files. Verify remediation actions taken to remove or secure detected secrets.
Remediation:
Integrate secret detection scanners into CI/CD pipelines and code repositories. Educate developers on secure handling of secrets using vaults or environment variables. Establish policies prohibiting hardcoded sensitive data in deployment configurations.
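As an added illustration of the scanner described above (not part of this recommendation, nor code from any referenced tool), the following Python script flags hardcoded secrets in a constructed Kubernetes env list while accepting values sourced from a Secret object or an environment variable reference; the key-name patterns, credential formats and the forms treated as references are assumptions and would be tuned per environment.

```python
import re

# Constructed sample (not from the page): a Kubernetes env list that hardcodes a password
# and an AWS-style key, while sourcing one secret from a Secret object and one by reference.
SAMPLE_MANIFEST = """\
env:
- name: DB_PASSWORD
  value: "Sup3rS3cret!"
- name: AWS_ACCESS_KEY_ID
  value: AKIAEXAMPLEEXAMPLE00
- name: API_TOKEN
  valueFrom:
    secretKeyRef:
      name: api-secrets
      key: token
- name: REGION
  value: ${DEPLOY_REGION}
"""

# Key names that should never carry a literal value in a deployment file (assumed list).
SENSITIVE_KEY = re.compile(r"passw(or)?d|secret|token|api[_-]?key|private[_-]?key", re.I)
# Well-known credential formats, flagged regardless of the key they sit under.
KNOWN_FORMATS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private-key-block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}
# `key: value` (YAML) or `key = value` (HCL, .env) on one line, optional list dash.
ASSIGNMENT = re.compile(r"^\s*-?\s*([A-Za-z_][\w.-]*)\s*[:=]\s*(\S.*?)\s*$")
# Values that are references rather than literals: ${VAR}, $(VAR), $VAR, var.x, <placeholder>.
REFERENCE = re.compile(r"^(\$\{[^}]*\}|\$\([^)]*\)|\$\w+|var\.[\w.]+|<[^>]+>)$")


def scan_config(text):
    """Return (line_number, finding) pairs for likely hardcoded secrets in `text`."""
    findings = []
    pending_name = None  # last `name:` seen, so a Kubernetes env `value:` gets its key
    for lineno, line in enumerate(text.splitlines(), 1):
        for label, pattern in KNOWN_FORMATS.items():
            if pattern.search(line):
                findings.append((lineno, label))
        if not (match := ASSIGNMENT.match(line)):
            continue
        key, value = match.group(1), match.group(2).strip("\"'")
        if key == "name":
            pending_name = value
            continue
        if key == "value" and pending_name:
            key, pending_name = pending_name, None
        if SENSITIVE_KEY.search(key) and value and not REFERENCE.match(value):
            findings.append((lineno, f"hardcoded value for {key}"))
    return findings
```

Running `scan_config(SAMPLE_MANIFEST)` reports the DB_PASSWORD literal and the AKIA-format value, but not the secretKeyRef entry or the ${DEPLOY_REGION} reference; the same function handles HCL-style `key = value` lines, so it can be pointed at Terraform files as well.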
References:
GitGuardian – Secret Scanning: https://www.gitguardian.com/
HashiCorp Vault Best Practices: https://learn.hashicorp.com/collections/vault/secrets-management
CIS Controls v8, Control 3 – Data Protection: https://www.cisecurity.org/controls/data-protection/
OWASP Secrets Management Cheat Sheet: https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html