How to protect your secrets with Spectral and JFrog Pipelines

Thousands of secrets leak daily on public git repositories, including over two million corporate secrets in 2020 alone.
This can happen to anyone! For example, in January 2021, an Amazon cloud engineer accidentally committed almost a gigabyte worth of sensitive data that included their own personal documents, as well as passwords and cryptographic keys to various AWS environments, to their personal GitHub repository.
Another example is the SolarWinds breach, one of the biggest data breaches in recorded history, which began with a poorly selected password exposed on a public GitHub server.
When we are developing an application we would like to do everything we can to protect our data and our code. We are humans and humans (usually) make mistakes, and when combining this with a lack of education on security best practices we can easily expose our secrets. Therefore, we may want to use a secret scanner to search for any sensitive information such as private keys, API secrets and tokens, etc.
Spectral (aka SpectralOps) offers secret scanning solutions that can easily integrate with JFrog Pipelines. It does so by looking at file names, extensions, and content, attempting to match them against a list of signatures. Spectral can monitor, classify, and protect your code, assets, and infrastructure for exposed API keys, tokens, credentials, and high-risk security misconfigurations in a simple way.
This blog post will go through the three steps needed to do this.
Step 1: Configure DSN in SpectralOps
First, we need to get the DSN from the SpectralOps platform and configure it in JFrog Pipelines.
- Click on Sources and select the Private and Public Repositories.
- Copy the SPECTRAL_DSN and save it for later. It should look like this (with your own key in place of `<key>`):
  `https://<key>@get.spectralops.io`
- In the JFrog Platform, go to Administration > Pipelines > Integrations and click Add an Integration.
- Select Generic Integration and add the SPECTRAL_DSN you saved above.

Step 2: Run your build
Add a pipeline definition like the following to your repository. The integration name (`spectraldsn` here) is the one you gave the Generic Integration in Step 1; JFrog Pipelines exposes its key to the step as the environment variable `$int_spectraldsn_SPECTRAL_DSN`.

```yaml
resources:
  - name: myScannedRepo
    type: GitRepo
    configuration:
      # Your JFrog integration with Github
      gitProvider: "integration_name"
      # Github repository
      path: "org-name/repository-name"
      branches:
        include: main

pipelines:
  - name: Spectral
    steps:
      - name: SpectralScan
        type: Bash
        configuration:
          integrations:
            # Must match the Generic Integration created in Step 1
            - name: spectraldsn
          inputResources:
            - name: myScannedRepo
        execution:
          onExecute:
            - cd dependencyState/resources/myScannedRepo
            # Install the Spectral CLI, then scan the checked-out repository
            - curl -L "https://get.spectralops.io/latest/x/sh?dsn=$int_spectraldsn_SPECTRAL_DSN" | sh
            - $HOME/.spectral/spectral scan --dsn $int_spectraldsn_SPECTRAL_DSN
```
In case any secrets are found, the Spectral integration will fail your build.
*Note: If you don't want to fail the build, add the `--ok` flag to the scan command. For example:* `$HOME/.spectral/spectral scan --dsn $int_spectraldsn_SPECTRAL_DSN --ok`
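To make the two behaviours described above concrete (signature matching against file names and content, and a scan that fails the build unless an `--ok`-style flag is given), here is a miniature scanner as an added illustration. It is not Spectral's code: the signatures, the `scan_file`/`scan_repo` functions and the sample repository are all constructed for this example, and the credential-looking values are fake.

```python
import re

# Hypothetical signature list (id, kind, regex); kind is "name" (file name) or "content".
# Real scanners ship hundreds of such rules; these are illustrative only.
SIGNATURES = [
    ("PRIVATE_KEY_FILE", "name", r"\.(pem|p12|key)$"),
    ("DOTENV_FILE", "name", r"^\.env(\..+)?$"),
    ("AWS_ACCESS_KEY_ID", "content", r"\bAKIA[0-9A-Z]{16}\b"),
    ("PEM_PRIVATE_KEY", "content", r"-----BEGIN (RSA |EC )?PRIVATE KEY-----"),
    ("HARDCODED_PASSWORD", "content", r"(?i)password\s*[:=]\s*\S{8,}"),
]

def scan_file(path, content):
    """Return (signature id, line number) findings for one file; line 0 means the path matched."""
    name = path.rsplit("/", 1)[-1]
    findings = []
    for sig_id, kind, pattern in SIGNATURES:
        if kind == "name":
            if re.search(pattern, name):
                findings.append((sig_id, 0))
        else:
            for no, line in enumerate(content.splitlines(), start=1):
                if re.search(pattern, line):
                    findings.append((sig_id, no))
    return findings

def scan_repo(files, ok=False):
    """Scan every file; return (exit code, report).

    Exit code 1 fails the build when anything is found, unless ok=True,
    which mirrors the --ok flag described above (report, but do not fail).
    """
    report = {p: hits for p, c in files.items() if (hits := scan_file(p, c))}
    return (0 if ok or not report else 1), report

# Constructed sample repository; the credential-looking values are fake.
SAMPLE_REPO = {
    "README.md": "# demo\nNothing sensitive here.\n",
    "config/.env.production": "DB_PASSWORD=Sup3rSecretValue\n",
    "deploy/aws.tf": 'access_key = "AKIAIOSFODNN7EXAMPLE"\n',
    "certs/server.pem": "-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n",
}

if __name__ == "__main__":
    code, report = scan_repo(SAMPLE_REPO)
    for path, hits in report.items():
        for sig_id, no in hits:
            print(f"{path}:{no or '-'} {sig_id}")
    raise SystemExit(code)  # non-zero exit is what fails the pipeline step
```

Run as a pipeline step, the non-zero exit code is what a CI system treats as a failed build; passing `ok=True` (the `--ok` analogue) still produces the report but exits 0.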

Step 3: Review issues
Now we can get more information about the issues in the SpectralOps platform, under the Code tab.

Now we can rest assured that our secrets are safe, and there are no leaks in our git repositories.
See what other integrations are supported with JFrog Pipelines, and try it out for yourself!

