Committed by Accident: Studying Prevention and Remediation Strategies Against Secret Leakage in Source Code Repositories

by Alexander Krause, et al.

Version control systems for source code, such as Git, are key tools in modern software development environments. Many developers use online services, such as GitHub or GitLab, for collaborative software development. While software projects often require code secrets to work, such as API keys or passwords, they need to be handled securely within the project. Previous research and news articles have illustrated that developers are blameworthy of committing code secrets, such as private encryption keys, passwords, or API keys, accidentally to public source code repositories. However, making secrets publicly available might have disastrous consequences, such as leaving systems vulnerable to attacks. In a mixed-methods study, we surveyed 109 developers and conducted 14 in-depth semi-structured interviews with developers who experienced secret leakage in the past. We find that 30.3 secret leakage in the past, and that developers are facing several challenges with secret leakage prevention and remediation. Based on our findings, we discuss challenges, e.g., estimating risks of leaked secrets, and needs of developers in remediating and preventing code secret leaks, e.g., low adoption requirements. We also give recommendations for developers and source code platform providers to reduce the risk of secret leakage.


Comment Generation for Source Code: State of the Art, Challenges and Opportunities

Researches have shown that most effort of today's software development i...

SecretBench: A Dataset of Software Secrets

According to GitGuardian's monitoring of public GitHub repositories, the...

What Challenges Do Developers Face About Checked-in Secrets in Software Artifacts?

Throughout 2021, GitGuardian's monitoring of public GitHub repositories ...

Sniffing for Codebase Secret Leaks with Known Production Secrets in Industry

Leaked secrets, such as passwords and API keys, in codebases were respon...

A Comparative Study of Software Secrets Reporting by Secret Detection Tools

Background: According to GitGuardian's monitoring of public GitHub repos...

Secrets Revealed in Container Images: An Internet-wide Study on Occurrence and Impact

Containerization allows bundling applications and their dependencies int...

Large-Scale-Exploit of GitHub Repository Metadata and Preventive Measures

When working with Git, a popular version-control system, email addresses...
