Hardcoding credentials in source code is a known bad practice, but it is still happening every day, even on public platforms like GitHub. Credential Digger is an open source scanning tool that can help developers find and remediate to their exposed credentials with a low false positive rate.
Github is now widely adopted in the software development industry as internal and external code hosting, sharing and versioning platform. Even if this platform offers advanced code control features it remains exposed to security weaknesses. In this talk we will discuss about Github security concepts and introduce an SAP Open Source tool called Credential Digger used to scan Git platforms (GitHub, GitLab, BitBucket, etc.) in order to identify hardcoded credentials (Passwords, API Keys, Secret Keys, Tokens, personal information, internal domains, etc.). Compared to other secret scanners in the market, Credential Digger is able to identify passwords with a low false positive rate. Thanks to a NLP model we trained for this purpose, we can identify when passwords are fake and when they are real. Together with Credential Digger, we also work on a real time Github Organization monitor that analyzes permanently the new commits on the projects of a team, and alerts the owner when a potential secret is shared.