A secret is an object that contains a small amount of sensitive data such as a password, a token, or a key. It is often used to authenticate users or services to control access to sensitive information or external services. Secret management is an essential tool to help control and enforce the distribution of secrets across workloads. This section describes how to detect and prevent statically defined secrets that are deployed in Kubernetes environments.

Carbon Black Cloud secret management can help you detect and prevent static secrets that are injected into the workload. You can use a policy rule to detect and prevent secrets.

Note: Secrets detection is disabled by default. You can enable this feature when you create or edit a cluster. See Add a Cluster and Install the Kubernetes Sensor.

Data regarding secrets is available on the following pages in the Carbon Black Cloud console:

Roles

The following roles can use Carbon Black Cloud secret management.

DevOps and DevSecOps

  • Detect and prevent statically defined secrets in containers at the image build phase.
  • Inspect image information to help detect potential security or compliance violations.
  • Inspect workload information to help detect potential security compliance violations.
  • Deny workloads that use images with static secrets through policy to help enforce security and compliance.
  • Explore and mitigate static secret policy violations.
  • Include secrets in the existing explore, prioritize, and mitigate risk process.
  • Detect files that contain statically defined secrets.
  • Scan all deployed images for secrets.

DevOps and Developer

  • Inspect image information to help detect potential security compliance violations.
  • Explore and mitigate static secret policy violations.

Secret Detection

Secrets are detected in the following ways:

List of ways secrets are detected

Data Types

The following table provides an example of the captured secret data types.

Table 1. Example of Captured Secrets Data
Source Category Secret Type Secret Key Secret Value
/.aws FILE Keyword Detector aws_access_key_id JKSN...3E3Q
RUN /bin/sh -c eco hi --password "pddj...f837" # buildkit COMMAND Keyword Detector password pdhj...f837
azure LABEL Azure Storage Account access key azure abcd...uv==
GITHUB_KEY ENVIRONMENT_VARIABLE Github authentication GITHUB_KEY ghu_...UKpr

Secret Types

The following table lists the types of secrets that Carbon Black Cloud detects.

Azure Storage Account access key

JFrog Artifactory credentials

AWS Client ID

AWS Secret Key

Amazon Marketplace Web Service (MWS) Key

HTTP Bearer Authentication

URL with password

Github authentication

JSON Web Token

Mailchimp API Key

npm auth token

Private Key

Sendgrid API key

Slack token

Square authentication

Stripe API key

Twilio authentication