How to protect your secrets with Spectral and JFrog Pipelines

How to protect your secrets with Spectral

Thousands of secrets leak daily on public git repositories, including over two million corporate secrets in 2020 alone.

This can happen to anyone! For example, in January 2021, an Amazon cloud engineer accidentally committed almost a gigabyte worth of sensitive data that included their own personal documents, as well as passwords and cryptographic keys to various AWS environments on his personal GitHub repository.

Another example is the SolarWinds breach, one of the biggest data breaches in recorded history which began with a poorly selected password exposed on a public GitHub server.

When we are developing an application we would like to do everything we can to protect our data and our code. We are humans and humans (usually) make mistakes, and when combining this with a lack of education on security best practices we can easily expose our secrets. Therefore, we may want to use a secret scanner to search for any sensitive information such as private keys, API secrets and tokens, etc.

Spectral (aka SpectralOps) offers secret scanning solutions that can easily integrate with JFrog Pipelines. It does so by looking at file names, extensions, and content, attempting to match them against a list of signatures. Spectral can monitor, classify, and protect your code, assets, and infrastructure for exposed API keys, tokens, credentials, and high-risk security misconfigurations in a simple way.

This blog post will go through the 3-steps on how to do this.

Step 1: Configure DSN in SpectralOps

First, we need to configure the DSN in JFrog Pipelines from the SpectralOps platform.

  • Click on Sources and select the Private and Public Repositories.
    Configure DSN in SpectralOps
  • Copy the SPECTRAL_DSN and save it for later. It should look like this:
    https://<Team Key>
  • In the JFrog Platform, go to Administration > Pipelines > Integrations and click Add an Integration.
  • Select Generic Integration and add the SPECTRAL_DSN you saved above.
    Configure DSN in SpectralOps

Step 2: Run your build

  - name: myScannedRepo
    type: GitRepo
      # Your JFrog integration with Github
      gitProvider: "integration_name"
      # Github repository
      path: "org-name/repository-name"
        include: main

  - name: Spectral
      - name: SpectralScan
        type: Bash
                - name: spectraldsn
                - name: myScannedRepo
            - cd dependencyState/resources/myScannedRepo
            - curl -L "$int_spectraldsn_SPECTRAL_DSN" | sh
            - $HOME/.spectral/spectral scan --dsn $int_spectraldsn_SPECTRAL_DSN

In case any secrets are found, the Spectral integration will fail your build.

*Note: If you don’t want to fail the build, use the flag scan –ok. For example: $HOME/.spectral/spectral scan –dsn $int_spectraldsn_SPECTRAL_DSN scan –ok

Run your build

Step 3: Review issues

Now we can get more information about the issues, in the SpectralOps platform, under the code tab.

Review issues

Now we can be rest assured that our secrets are safe, and there are no leaks in our git repositories.

See what other integrations are supported with JFrog Pipelines, and try it out for yourself!