File: articles/defender-for-cloud/detect-exposed-secrets.md
Lines changed: 12 additions & 15 deletions
@@ -45,11 +45,11 @@ You can run secret scanning as part of the Azure DevOps build process by using t
45
45
46
46
1. Select **Save**.
47
47
48
-
By adding the additions to your yaml file, you will ensure that secret scanning only runs when you execute a build to your Azure DevOps pipeline.
48
+
By adding the additions to your yaml file, you'll ensure that secret scanning only runs when you execute a build to your Azure DevOps pipeline.
49
49
50
50
## Remediate secrets findings
51
51
52
-
When credential are discovered in your code, you can remove them. Instead you can use an alternative method that will not expose the secrets directly in your source code. Some of the best practices that exist to handle this type of situation include:
52
+
When credentials are discovered in your code, you can remove them. Instead you can use an alternative method that won't expose the secrets directly in your source code. Some of the best practices that exists to handle this type of situation include:
53
53
54
54
- Eliminating the use of credentials (if possible).
55
55
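Review bot: The '+' line at 52 fixes "credential are" but introduces a new subject-verb error, "best practices that exists", where the '-' line correctly had "exist"; keep "Some of the best practices that exist to handle this type of situation include:". The same sentence's "you can remove them. Instead you can use an alternative method" reads as two competing options rather than one recommendation; "you should remove them and instead use an alternative method that won't expose the secrets directly in your source code" states the guidance in a single step. At 48, "adding the additions to your yaml file" could be "adding these lines to your YAML file", and "execute a build to your Azure DevOps pipeline" should read "in your Azure DevOps pipeline".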
@@ -68,11 +68,11 @@ When credential are discovered in your code, you can remove them. Instead you ca
68
68
- [Azure Key Vault for App Service application](../key-vault/general/tutorial-net-create-vault-azure-web-app.md)
69
69
- [Azure Key Vault for applications deployed to a VM](../key-vault/general/tutorial-net-virtual-machine.md)
70
70
71
-
Once you have remediated findings you can review the [Best practices for using Azure Key Vault](../key-vault/general/best-practices.md).
71
+
Once you have remediated findings, you can review the [Best practices for using Azure Key Vault](../key-vault/general/best-practices.md).
72
72
73
73
**To remediate secrets findings using managed identities**:
74
74
75
-
Before you can remediate secrets findings using managed identities, you need to ensure that the Azure resource you are authenticating to in your code supports managed identities. You can check the full list of [Azure services that can use managed identities to access other services](../active-directory/managed-identities-azure-resources/managed-identities-status.md).
75
+
Before you can remediate secrets findings using managed identities, you need to ensure that the Azure resource you're authenticating to in your code supports managed identities. You can check the full list of [Azure services that can use managed identities to access other services](../active-directory/managed-identities-azure-resources/managed-identities-status.md).
76
76
77
77
If your Azure service is listed, you can [manage your identities for Azure resources](../active-directory/managed-identities-azure-resources/overview.md).
78
78
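Review bot: Both '+' lines here (71 and 75) are safe wording changes and read correctly. While this block is being touched, the bullet at 68, "Azure Key Vault for App Service application", should read "applications" to match the plural in the neighbouring bullet at 69 ("applications deployed to a VM").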
@@ -85,24 +85,24 @@ Some reasons to suppress false positives include:
85
85
86
86
- Fake or mocked credentials in the test files. These credentials can't access resources.
87
87
88
-
- Placeholder strings. For example, placeholder strings may be used to initialize a variable which is then populated using a secret store such as AKV.
88
+
- Placeholder strings. For example, placeholder strings may be used to initialize a variable, which is then populated using a secret store such as AKV.
89
89
90
-
- External library or SDKs that are directly consumed. For example, openssl.
90
+
- External library or SDKs that 's directly consumed. For example, openssl.
91
91
92
-
- THard-coded credentials for an ephemeral test resource that only exists for the lifetime of the test being run.
92
+
- Hard-coded credentials for an ephemeral test resource that only exists for the lifetime of the test being run.
93
93
94
94
- Self-signed certificates that are used locally and not used as a root. For example, they may be used when running localhost to allow HTTPS.
95
95
96
96
- Source-controlled documentation with non-functional credential for illustration purposes only
97
97
98
-
- Invalid results. The output is not a credential or a secret.
98
+
- Invalid results. The output isn't a credential or a secret.
99
99
100
100
You may want to suppress fake secrets in unit tests or mock paths, or inaccurate results. We don't recommend using suppression to suppress test credentials. Test credentials can still pose a security risk and should be securely stored.
101
101
102
102
> [!NOTE]
103
103
> Valid inline suppression syntax depends on the language, data format and CredScan version you are using.
104
104
105
-
Credentials that are used for test resources and environments shouldn't be suppressed. They are being used to demonstration purposes only and do not affect anything else.
105
+
Credentials that are used for test resources and environments shouldn't be suppressed. They're being used to demonstration purposes only and don't affect anything else.
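Review bot: The '+' line at 90 introduces a new error: "SDKs that 's directly consumed" replaces the original "that are" with a broken contraction; the plural verb should stay, as in "External libraries or SDKs that are directly consumed. For example, openssl." The '+' line at 105 leaves "used to demonstration purposes" unfixed (it should be "for demonstration purposes"), and its rationale, "don't affect anything else", sits awkwardly next to line 100, which warns that test credentials can still pose a security risk and should be securely stored; worth confirming the intended guidance so the two paragraphs agree. The fix at 91 ("THard-coded" to "Hard-coded") and the comma at 88 are fine.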
| CSCAN-GH0010 | GitHub Personal Access Token | pat=ghp_abcdefghijklmnopqrstuvwxyzABCD012345 <br> pat=v1.abcdef0123456789abcdef0123456789abcdef01 <br> https://user:[email protected]|[Creating a personal access token](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token)|
251
251
| CSCAN-GOOG0010 | Google API key | apiKey=AIzaefgh0123456789_-ABCDEFGHIJKLMNOPQRS; |[Authenticate using API keys](https://cloud.google.com/docs/authentication/api-keys)|
252
252
| CSCAN-MSFT0100 | Microsoft Bing Maps Key | bingMapsKey=abcdefghijklmnopqrstuvwxyz0123456789-_ABCDEabcdefghijklmnopqrstu <br>...bing.com/api/maps/...key=abcdefghijklmnopqrstuvwxyz0123456789-_ABCDEabcdefghijklmnopqrstu <br>...dev.virtualearth.net/...key=abcdefghijklmnopqrstuvwxyz0123456789-_ABCDEabcdefghijklmnopqrstu |[Getting a Bing Maps Key](/bingmaps/getting-started/bing-maps-dev-center-help/getting-a-bing-maps-key)|
+ Learn how to [configure pull request annotations](enable-pull-request-annotations.md) in Defender for Cloud to remediate secrets in code before they are shipped to production.
256
+
257
+
- Learn how to [configure pull request annotations](enable-pull-request-annotations.md) in Defender for Cloud to remediate secrets in code before they're shipped to production.
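Review bot: The '+' line's "before they're shipped to production" leaves "they" ambiguous between the secrets and the code; "before the code is shipped to production" removes the ambiguity. The contraction itself is consistent with the rest of this commit.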