Abstract:GitGuardian monitored secrets exposure in public GitHub repositories and reported that developers leaked over 12 million secrets (database and other credentials) in 2023, indicating a 113% surge from 2021. Despite the availability of secret detection tools, developers ignore the tools' reported warnings because of false positives (25%-99%). However, each secret protects assets of different values accessible through asset identifiers (a DNS name and a public or private IP address). The asset information for a secret can aid developers in filtering false positives and prioritizing secret removal from the source code. However, existing secret detection tools do not provide the asset information, thus presenting difficulty to developers in filtering secrets only by looking at the secret value or finding the assets manually for each reported secret. The goal of our study is to aid software practitioners in prioritizing secrets removal by providing the assets information protected by the secrets through our novel static analysis tool. We present AssetHarvester, a static analysis tool to detect secret-asset pairs in a repository. Since the location of the asset can be distant from where the secret is defined, we investigated secret-asset co-location patterns and found four patterns. To identify the secret-asset pairs of the four patterns, we utilized three approaches (pattern matching, data flow analysis, and fast-approximation heuristics). We curated a benchmark of 1,791 secret-asset pairs of four database types extracted from 188 public GitHub repositories to evaluate the performance of AssetHarvester. AssetHarvester demonstrates precision of (97%), recall (90%), and F1-score (94%) in detecting secret-asset pairs. Our findings indicate that data flow analysis employed in AssetHarvester detects secret-asset pairs with 0% false positives and aids in improving recall of secret detection tools.

AssetHarvester: A Static Analysis Tool for Detecting Secret-Asset Pairs in Software Artifacts

A Comparative Study of Software Secrets Reporting by Secret Detection Tools

AutoPwn: Artifact-Assisted Heap Exploit Generation for CTF PWN Competitions

SecretBench: A Dataset of Software Secrets

Using AI/ML to Find and Remediate Enterprise Secrets in Code & Document Sharing Platforms

What are the Practices for Secret Management in Software Artifacts?

What Challenges Do Developers Face About Checked-in Secrets in Software Artifacts?

Automated Detection of Password Leakage from Public GitHub Repositories

Secret Breach Prevention in Software Issue Reports

Committed by Accident: Studying Prevention and Remediation Strategies Against Secret Leakage in Source Code Repositories

Identifying Non-Control Security-Critical Data through Program Dependence Learning

Mining Resource-Operation Knowledge to Support Resource Leak Detection

Anomalicious: Automated Detection of Anomalous and Potentially Malicious Commits on GitHub

On the Security Blind Spots of Software Composition Analysis

LLM-Assisted Static Analysis for Detecting Security Vulnerabilities

A Credential Usage Study: Flow-Aware Leakage Detection in Open-Source Projects

A Static Analysis Platform for Investigating Security Trends in Repositories

Tales from the Git: Automating the detection of secrets on code and assessing developers' passwords choices

Detecting Malicious Accounts in Online Developer Communities Using Deep Learning

Automated software vulnerability detection with machine learning

Hack Me If You Can: Aggregating AutoEncoders for Countering Persistent Access Threats Within Highly Imbalanced Data