Secrets can grant access to data, impact production operations, access third party systems down the software supply chain, and introduce a reputational risk. They can be found in source code, production and CI/CD logs, Docker images, Slack channels, or even on a random shared file. Given how powerful secrets are, it is critical that developer security tools provide secret detection for free across public and private repos, regardless of how many developers are in the company.
The good thing about secrets scanning is that has become a commodity. Popular open-source initiatives, such as GitLeaks, Git-Secrets and Detect-Secrets, have become embedded in the development lifecycle as a required Pull Request check prior merging code and kicking off CI/CD pipelines.
The bad thing about these scanners is that most of them introduce a tremendous volume of false positives, which results in alert fatigue for anyone responsible for reviewing them.
The ugly is that secrets scanning needs to be individually integrated into each repository. Any configuration drift or newly created repositories require manual adjustment. Commercial tools can ease the process by acting as an app to make it an easy-button solution, but the scanning is limited to public repositories only..
The problem with most security and monitoring tools is that companies charge you for visibility in a “single pane of glass” but don’t actually address the risks you face or reduce your total cost of ownership (TCO) across your developer tool stack.
At Arnica, we are taking a different approach. Visibility is free! Free forever for everyone and for every deterministic piece of code we run whether you are identifying secrets on public or private repositories, observing excessive permissions to source code, or even identifying which repository branches have misconfigured CODEOWNERS.