Profile Applicability:
Level 2

Description:
Automated scanning tools must be integrated into build and deployment pipelines to detect and prevent sensitive data—such as credentials, API keys, tokens, or personal information—from being committed or stored in pipeline files and artifacts. These scanners help enforce security policies by identifying potential data leaks early in the development process.

Rationale:
Sensitive data exposure within pipelines can lead to severe security breaches and compliance violations. Automated scanning reduces human error, accelerates detection, and enforces secure coding and deployment practices, protecting organizational assets and sensitive information.

Impact:
Pros:

  • Prevents accidental exposure of sensitive data.

  • Enhances compliance with data protection regulations.

  • Supports secure development lifecycle practices.

  • Provides early detection and remediation capabilities.

Cons:

  • May produce false positives requiring manual review.

  • Requires integration and maintenance of scanning tools.

Default value:
Many pipelines lack automated sensitive data scanning by default, increasing risk of data leaks.

Audit:
Review pipeline definitions to verify that a secret-scanning step is present, that it runs on every commit and pull request (not only on scheduled or manual runs), and that it covers both repository contents and build artifacts. Confirm the step is blocking, i.e. a finding fails the pipeline rather than only emitting a warning, and inspect recent pipeline logs to verify the step actually executed. Review incidents of detected sensitive data and the remediation taken: a detected secret should have been rotated or revoked, not merely deleted from the file, and any allowlisted false positive should have a recorded review.

Remediation:
Integrate tools such as GitGuardian, TruffleHog, or custom regex scanners into CI/CD pipelines so that they run on every commit and pull request and scan both the checkout and the produced artifacts; configure the step to fail the pipeline on unallowlisted findings rather than only report them. Define policies for handling detected secrets: treat any secret that reached the repository or an artifact as compromised and rotate it, since removing it from the file or rewriting history does not revoke it; ensure scanner output redacts matched values so that the pipeline log does not itself become a leak; and document how reviewed false positives are allowlisted. Train development teams on secure coding and data handling practices.
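The following is an added example of the "custom regex scanner" approach named above, written for this page; it is not code from the benchmark, GitGuardian or TruffleHog. It applies fixed-format rules (AWS access key IDs, GitHub tokens, PEM private key headers) plus a generic name=value rule gated by a Shannon-entropy threshold and a placeholder filter, honours an inline allow marker for reviewed false positives, redacts matched values in its output, and returns a non-zero exit code so the pipeline step is blocking. The rule names, the 3.5 bits/character threshold, the `# secret-scan: allow` marker and the sample file tree are this example's own assumptions; the AWS key in the sample is AWS's documented example key, not a live credential.

```python
"""Minimal secret scanner for pipeline definitions and build artifacts.

Added example for this recommendation, not code from the benchmark, GitGuardian
or TruffleHog. Rule names, thresholds and the '# secret-scan: allow' marker are
this example's own conventions; the sample files below are constructed.
"""
import math
import re
import sys
from collections import Counter
from dataclasses import dataclass
from pathlib import Path

# Fixed-format credential shapes first: they rarely produce false positives.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    # Generic "name = value" rule; noisy, so it is gated by entropy and a placeholder filter.
    "generic_assignment": re.compile(
        r"(?i)(?:password|passwd|secret|token|api[_-]?key)['\"]?\s*[:=]\s*['\"]?"
        r"([A-Za-z0-9+/=_\-]{12,})"
    ),
}
PLACEHOLDER = re.compile(r"(?i)example|changeme|placeholder|your[_-]?|dummy|sample")
ALLOW_MARKER = "# secret-scan: allow"  # assumed convention for reviewed false positives
ENTROPY_THRESHOLD = 3.5  # bits per character; random 20-char keys score above 4


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    rule: str
    redacted: str  # never log the full value: the CI log would become the leak


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character, used to separate random keys from words."""
    counts = Counter(value)
    return -sum((c / len(value)) * math.log2(c / len(value)) for c in counts.values())


def redact(value: str) -> str:
    """Keep a short prefix so the finding can be located, hide the rest."""
    return value[:4] + "*" * (len(value) - 4) if len(value) > 8 else "********"


def scan_text(path: str, text: str) -> list[Finding]:
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if ALLOW_MARKER in line:  # reviewed false positive, e.g. a test fixture
            continue
        for rule, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                value = match.group(1) if match.groups() else match.group(0)
                if rule == "generic_assignment" and (
                    PLACEHOLDER.search(value) or shannon_entropy(value) < ENTROPY_THRESHOLD
                ):
                    continue
                findings.append(Finding(path, lineno, rule, redact(value)))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    """Scan an in-memory {path: content} tree (pipeline files and artifacts alike)."""
    return [f for path, text in sorted(files.items()) for f in scan_text(path, text)]


def scan_directory(root: Path) -> list[Finding]:
    """Scan a checkout or an unpacked artifact directory on disk."""
    files = {
        str(p.relative_to(root)): p.read_text(errors="replace")
        for p in root.rglob("*") if p.is_file() and ".git" not in p.parts
    }
    return scan_files(files)


def exit_code(findings: list[Finding]) -> int:
    """Policy: any finding that was not allowlisted fails the build."""
    return 1 if findings else 0


# Constructed sample tree: a pipeline file, a config, a build artifact and a test fixture.
SAMPLE_FILES = {
    ".github/workflows/deploy.yml": (
        "env:\n"
        "  DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN }}\n"  # correct: a reference, not a value
        "  AWS_ACCESS_KEY_ID: AKIAIOSFODNN7EXAMPLE\n"     # leaked: AWS's documented example key
    ),
    "config/app.json": (
        '{"api_key": "REPLACE_WITH_YOUR_KEY",\n'          # placeholder, filtered out
        ' "db_password": "x7Gq29pLmZ4vRt8wQ1sY"}\n'       # high entropy, flagged
    ),
    "dist/bundle.js": "const k = `-----BEGIN RSA PRIVATE KEY-----\\n`;\n",  # key in an artifact
    "tests/fixtures.py": 'TOKEN = "ghp_0123456789abcdefghijklmnopqrstuvwxyz"  # secret-scan: allow\n',
}

if __name__ == "__main__":
    results = scan_directory(Path(sys.argv[1])) if len(sys.argv) > 1 else scan_files(SAMPLE_FILES)
    for f in results:
        print(f"{f.path}:{f.line}: {f.rule}: {f.redacted}")
    sys.exit(exit_code(results))
```

Run with no argument to scan the constructed sample tree (three findings: the AWS key in the workflow file, the high-entropy password in the config, and the private key header in the artifact; the `${{ secrets.* }}` reference, the placeholder and the allowlisted fixture are not reported), or pass a directory to scan a checkout or unpacked artifact. The entropy gate is a heuristic: a low-entropy real password passes the generic rule, which is why fixed-format rules and a maintained scanner should carry most of the load.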

References:

  1. GitGuardian Documentation: https://docs.gitguardian.com/

  2. OWASP Secrets Management Cheat Sheet (Detection section): https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html

  3. CIS Controls v7, Control 6 - Maintenance, Monitoring, and Analysis of Audit Logs (renumbered in v8 as Control 8 - Audit Log Management): https://www.cisecurity.org/controls/maintenance-monitoring-and-analysis-of-audit-logs/