
Announcing Legit Secrets Detection & Prevention 2.0

Get details on Legit's new secrets capabilities.

Secrets – including API keys, access tokens, credentials, etc. – are critical to nearly every technology system today, including cloud platforms and AI platforms, among others. They are also what enables non-human identities (NHIs) – APIs, applications and other digital services – to communicate and share data.

However, because secrets are so omnipresent, they make ripe targets for threat actors seeking to access sensitive resources, including developers’ platforms. 

Secrets exposure has become a huge risk. It is one of the most common risks we unearth when we first partner with a company. In fact, our platform data last year revealed that 100% of organizations had high or critical exposed secrets in at least one repo. 53% had exposed secrets in public assets.  

And it’s not just a hypothetical risk. Recent breaches, such as those at Sisense and Toyota, were caused by secrets exposure.  

Large, growing, and exploitable, secrets exposure is also a very hard problem to solve. Most secrets scanners look for secrets in source code, but secrets are increasingly turning up well beyond source code: in ticketing and ITSM systems, in artifact registries, in shared workspaces such as Confluence, Jira, and Slack, and in your developers’ personal GitHub accounts. In addition, most secrets scanners today return an overwhelming number of false positives, making remediation challenging, if not impossible.

Security teams across industries are struggling to get a handle on the number of secrets they have, where they are originating, which present the most risk, and how to stop the flow of new exposures. 

Enter Legit Secrets Detection & Prevention 2.0  

Legit delivers the industry’s most comprehensive and accurate secrets detection and prevention. Why? Because: 

  • Legit leverages its comprehensive ASPM capabilities to offer the most capable, enterprise-grade secrets detection & prevention solution, including asset discovery and risk-based prioritization. 
  • Legit delivers the broadest set of secrets detection capabilities on the market – spanning well beyond source code. 
  • Legit’s AI-powered secrets detection & prevention capabilities deliver the industry’s most accurate results.
  • Legit’s secrets CLI provides customers the most extensive prevention capabilities on the market.

With the release of Legit Secrets Detection & Prevention 2.0, our platform further provides a single, integrated view of all findings and of the remediation actions taken for secrets across the entire SDLC, including those found within your developers’ personal GitHub repos.

New Legit Secrets Dashboard

Introducing the simplest, clearest way to gain a complete view of your secrets posture across all areas of your development environments.

This new dashboard addresses security teams’ need for a central place to identify all detection & prevention activities associated with secrets, including: 

  • Secrets detected across the entire SDLC (beyond source code) 
  • Secrets detected and prioritized for remediation based on business risk 
  • Secrets prevented through guardrails and other preventive measures, so teams can track the effectiveness of their controls

Secrets visibility in new dashboard

The new Legit Secrets Dashboard gives teams unprecedented visibility into all activities related to secrets detection and prevention – in one place.

Issues burndown

This view gives teams the ability to: 

  • See how open secrets issues are trending 
  • See whether the secrets backlog is growing or shrinking
  • Measure how effective their AppSec program is  

New secrets detected 

With this view, teams see how many new secrets are being committed to their code each month. 

Attack surface

With this view, teams see at a glance which assets are being monitored by the Legit platform for secrets detection. 

Issues breakdown by source

With this view, teams get a top-level breakdown of secrets by source. 

Issues by committer

With this view, teams easily identify the top secrets committers. This data allows teams to quickly identify whom to talk to in order to resolve issues, and which developers need more education.

Secrets Prioritization in New Legit Dashboard

Which secrets findings should you address first? The new Legit secrets dashboard offers a clear remediation roadmap. 

Top secrets issues

With this view, teams quickly see their riskiest secrets exposures, based on Legit’s unique risk scoring and context.

Top risky repositories & top risky product units 

With this view, teams quickly see the repositories and product units harboring the most secrets risk. This data helps teams identify the best place to start cleaning up their security debt.  

Preventions in New Legit Secrets Dashboard

Legit doesn’t just find secrets; it helps you fix and prevent them. And the new dashboard allows teams to see those prevention activities and progress at a glance. 

When teams integrate Legit into their pipelines, they prevent secrets from being committed to code and being leaked in the first place. 

With this view, teams see: 

  • How many repositories are being protected by Legit’s PR checks 
  • How many developers are using our CLI 
  • How many secrets are being blocked by our CLI 

Legit Discovery of Secrets in Personal GitHub Repos 

Legit Secrets Detection & Prevention ensures that developers using personal accounts alongside the enterprise GitHub platform don’t expose secrets. 

Developers often prefer to use personal GitHub repos rather than the corporate GitHub account, or use them by mistake. They frequently keep their personal accounts and mix work between them and the corporate account, so key activities may fall outside the enterprise’s security policies. For example:

  • If a developer sets a repo to “public”, anyone on the Internet can access its content, including any secrets it contains.
  • Developers may lose track of secrets that were included in the repo, either inadvertently or intentionally.
  • Developers can mix personal and corporate GitHub accounts, and leak enterprise code, IP and secrets.
  • Developers may hard-code secrets for convenience, even if corporate policies dictate otherwise.
  • Developers may believe they’ve removed secrets, but these may survive forever in the personal Git history, even after their corporate account is removed.

With Legit’s new ability to discover secrets in personal GitHub repos, teams will get: 

  • Secrets discovery – identify and monitor secrets that reside within developers’ personal GitHub accounts, as well as the organization’s account
  • Personal repo discovery – identify and build an inventory of all personal repos owned by the company’s developers 
  • Consolidated triage and remediation – integrate findings from both corporate and personal accounts into the Legit platform 

Learn More or Get a Free Trial 

Learn more about Legit’s secrets scanning capabilities, or, for a limited time, get a 2-week free trial to see first-hand the power of Legit secrets detection and prevention. 

Published on December 19, 2024
