
Can you recommend an efficient scanner for secrets in code in an Azure DevOps repo and pipelines? Would like to be able to scan locally on a commit or before a push is accepted and also to scan repos and pipelines regularly. But, are open for suggestion on how to scan for secrets in the other ways.

1 Answer


You can check the secret scanners mentioned in this blog.

For example, Git Secrets, released by AWS Labs. You can install it on your local machine to scan your local commits and non-fast-forward merges. See the --install command.

To use Git Secrets in an Azure pipeline to scan Azure DevOps repos, you can check out the steps below:

1. Create an Azure DevOps pipeline.

2. If you want to use the scanner on Microsoft cloud agents, you need to install the scanner tools on the cloud agent machine in your pipeline. See the example below: using Git Secrets on cloud agents.

Add a script task in your pipeline to install Git Secrets on cloud agents:

steps:
- powershell: |
   # clone the git-secrets repo into the $(Agent.TempDirectory) folder
   cd $(Agent.TempDirectory)
   git clone "https://github.com/awslabs/git-secrets.git"
   cd git-secrets
   # install git-secrets
   ./install.ps1

   cd $(System.DefaultWorkingDirectory)
   # install git hooks for the source repository
   git secrets --install
   # add a prohibited pattern
   git secrets --add --literal 'iamthesecrecttoscan'
   # scan for secrets
   git secrets --scan

  displayName: 'PowerShell Script'

You can also create a self-hosted agent on a machine where Git Secrets (or other scanner tools) is already installed. Then, when you run your pipeline on this self-hosted agent, you can use the scanners directly in your pipeline without installing them in the pipeline.

3. Scan repos and pipelines regularly

You can use scheduled triggers in your pipeline to scan your repos regularly.

schedules:
- cron: "0 12 * * 0"
  displayName: Weekly Sunday build
  branches:
    include:
    - releases/*
  always: true
Levi Lu-MSFT
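The answer above shows how to wire git-secrets into a pipeline but not what the scan itself does. The following is an added example, not part of the answer and not the git-secrets implementation: a small POSIX shell script that does the same kind of check a `git secrets --scan` or pre-commit hook performs (grep each staged file against a list of prohibited regexes, drop lines that match an allow-list, exit non-zero if anything remains). The prohibited patterns (other than the literal `iamthesecrecttoscan` from the answer), the allow-list entry and the sample files are all constructed for illustration; the `scan_staged` function assumes it runs inside a git working tree with file names that contain no whitespace.

```shell
#!/bin/sh
# Added example: minimal secret scan in the spirit of git-secrets --scan.
# Not the git-secrets code; patterns and sample files are constructed.

# Prohibited patterns, one extended regex per line.
#  - line 1 is the literal the answer registers with `git secrets --add --literal`
#  - the rest are constructed examples of common secret shapes
SECRET_PATTERNS='iamthesecrecttoscan
(AKIA|ASIA)[A-Z0-9]{16}
-----BEGIN (RSA |EC |OPENSSH )?PRIVATE KEY-----
[Pp]assword[[:space:]]*[:=][[:space:]]*"[^"]{8,}"'

# Allowed patterns (must not be empty): lines matching these are never reported,
# e.g. documented placeholder values. Constructed allow-list entry.
ALLOWED_PATTERNS='AKIAIOSFODNN7EXAMPLE'

# find_hits FILE: print LINENO:TEXT for every line that matches a prohibited
# pattern and no allowed pattern. Each line is reported once even if it
# matches several patterns (sort -u on the line-number key).
find_hits() {
  printf '%s\n' "$SECRET_PATTERNS" | while IFS= read -r pattern; do
    grep -nE -- "$pattern" "$1" 2>/dev/null
  done | sort -t: -k1,1n -u | grep -vE -- "$ALLOWED_PATTERNS"
}

# scan_file FILE: print FILE:LINENO:TEXT for each hit; return 1 if any hit,
# 0 if the file is clean (the exit code is what a hook or pipeline step uses).
scan_file() {
  hits=$(find_hits "$1")
  if [ -n "$hits" ]; then
    printf '%s\n' "$hits" | sed "s|^|$1:|"
    return 1
  fi
  return 0
}

# count_hits FILE: number of offending lines in FILE.
count_hits() {
  find_hits "$1" | wc -l | tr -d ' '
}

# scan_staged: what a pre-commit hook would run, scanning only files staged
# for commit (added, copied or modified). Assumes a git working tree.
scan_staged() {
  failed=0
  for f in $(git diff --cached --name-only --diff-filter=ACM); do
    if [ -f "$f" ]; then
      scan_file "$f" || failed=1
    fi
  done
  return $failed
}

# Constructed sample input so the script runs offline.
demo_dir=$(mktemp -d)
cat > "$demo_dir/config.yml" <<'EOF'
db_host: db.internal.example
password: "S3cretPassw0rd!"
aws_key: AKIAABCDEFGHIJKLMNOP
EOF
cat > "$demo_dir/notes.txt" <<'EOF'
token=iamthesecrecttoscan
EOF
cat > "$demo_dir/docs.md" <<'EOF'
Use AKIAIOSFODNN7EXAMPLE as a placeholder in examples.
EOF

# Demo: scan each sample file; a non-zero status means "block this commit".
for f in "$demo_dir"/*; do
  scan_file "$f"
done
```

In a repository you would call `scan_staged` from `.git/hooks/pre-commit` (or from the pipeline step in place of `git secrets --scan`) and fail the commit or build on a non-zero exit; the allow-list is what keeps documentation placeholders from producing false positives.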