Detecting Hard-Coded Secrets with Chariot

Chariot uses Nosey Parker (Praetorian's open-source secret scanner) to detect hard-coded secrets in applicable assets. Continue reading to learn more about secret detection in Chariot.

Scanning for Secrets with Chariot

Chariot runs Nosey Parker against the following types of assets:

  • GitHub repositories
  • GitLab repositories (projects)
  • High-priority web applications

Scanning Public GitHub Repositories

Chariot uses GitHub organizations to enumerate public repositories. Add one Asset for each organization you wish Chariot to scan. Within the Asset Discovery menu, add the organization's GitHub URL. More on scanning private GitHub repositories later.

Scanning Private GitHub Repositories

To scan private GitHub repositories, first follow the GitHub instructions in Source Code Managers to add a GitHub Personal Access Token (PAT).

After completing the GitHub integration, Chariot will show a GitHub Asset and scan any repository in the organization that is accessible to the PAT:

Scanning GitLab Repositories (Projects)

To scan private GitLab repositories, please follow the GitLab instructions in Source Code Managers to add a GitLab Personal Access Token (PAT).

After completing the GitLab integration, Chariot will create an Asset and scan any repository in the group that is accessible to the provided GitLab PAT:

Scanning Web Applications

Chariot uses a web crawler to collect publicly accessible files in web applications, which are scanned with Nosey Parker. To optimize efficiency, Chariot only runs the web crawler against prioritized assets.

To prioritize an asset:

  1. Find and select the asset on the Assets page.
  2. Use the dropdown next to +Asset Discovery.
  3. Choose Comprehensive Scan.

To prioritize multiple assets at once, select the assets and use the dropdown next to the +Asset Discovery menu to select the scan priority:

Chariot will move the selected Assets into a Comprehensive Scan Priority queue and will run the web crawler against any exposed ports that run an HTTP(S) service:

Viewing Secrets Detected by Chariot

Chariot prefixes all detected secret risks with git-secret or web-secret, depending on where Chariot found the secret. Use Global Search to filter for all risks with either prefix:

Clicking on the Risks (X found) line item will redirect you to the Risks page with a pre-populated list of risks that match the provided search term:

Click on a risk from the list to view the risk's drawer page:

On the drawer page, click Proof of Exploit to view full details about the secret. Scroll down to the MATCHES section to view the secret's content, type, and code location:

What Kinds of Secrets Will Chariot Detect?

Chariot will detect any secrets in Nosey Parker's ruleset, including:

  • AWS, GCP, and Azure cloud credentials.
  • GitHub, GitLab, and other source code versioning tokens.
  • Generic secrets.
  • Many, many others. Please review Nosey Parker's ruleset to see all detectable secrets.
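To make the two ideas above concrete, namely that detections are driven by a ruleset of secret formats and that each risk is prefixed with git-secret or web-secret according to where it was found, here is a small rule-based scanner written for this page. It is an added illustration, not Chariot's or Nosey Parker's code, and it does not use Nosey Parker's actual rule identifiers. The AWS access key ID and GitHub classic PAT patterns reflect those tokens' public formats; the rule names, the generic assignment rule, the redaction policy and the two sample files are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed rule table. The AWS access key ID and GitHub classic PAT formats are
# public, fixed formats; the rule names and the generic assignment rule are this
# example's own and are not Nosey Parker's rule identifiers.
RULES = {
    "AWS Access Key ID": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "GitHub Personal Access Token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "Generic Secret Assignment": re.compile(
        r"(?i)\b(?:secret|password|api[_-]?key)\b\s*[=:]\s*['\"]([^'\"\s]{8,})['\"]"
    ),
}

# Constructed sample inputs: a config file committed to a repository and a
# JavaScript bundle served by a web application.
SAMPLE_REPO_FILE = """\
# constructed sample: config.py committed by mistake
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
DEBUG = True
"""

SAMPLE_WEB_FILE = """\
// constructed sample: bundle.js served publicly
const token = "ghp_0123456789abcdef0123456789abcdef0123";
const api_key = "constructed-example-key-001";
"""


@dataclass(frozen=True)
class Finding:
    risk_name: str   # "<source>-secret: <rule name>", mirroring the page's prefix scheme
    location: str    # "<path>:<line>", the code location of the match
    preview: str     # redacted form of the matched content


def redact(secret: str, keep: int = 4) -> str:
    """Keep a short prefix so an analyst can correlate the hit; mask the rest."""
    if len(secret) <= keep:
        return "*" * len(secret)
    return secret[:keep] + "*" * (len(secret) - keep)


def scan_text(source: str, path: str, text: str) -> list[Finding]:
    """Scan one file. `source` is "git" or "web" and selects the risk prefix."""
    if source not in ("git", "web"):
        raise ValueError("source must be 'git' or 'web'")
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule_name, pattern in RULES.items():
            for match in pattern.finditer(line):
                # Rules with a capture group report only the secret value,
                # not the surrounding "key = ..." assignment.
                secret = match.group(1) if match.groups() else match.group(0)
                findings.append(Finding(
                    risk_name=f"{source}-secret: {rule_name}",
                    location=f"{path}:{lineno}",
                    preview=redact(secret),
                ))
    return findings


def scan_assets(assets: dict[str, tuple[str, str]]) -> list[Finding]:
    """`assets` maps a file path to (source, file text); results keep input order."""
    findings: list[Finding] = []
    for path, (source, text) in assets.items():
        findings.extend(scan_text(source, path, text))
    return findings


def filter_by_prefix(findings: list[Finding], prefix: str) -> list[Finding]:
    """Equivalent of searching for 'git-secret' or 'web-secret' in Global Search."""
    return [f for f in findings if f.risk_name.startswith(prefix + "-secret")]


if __name__ == "__main__":
    results = scan_assets({
        "config.py": ("git", SAMPLE_REPO_FILE),
        "bundle.js": ("web", SAMPLE_WEB_FILE),
    })
    for f in results:
        print(f"{f.risk_name:45} {f.location:15} {f.preview}")
```

The scanner reports the matched content only in redacted form; a real triage workflow, like the MATCHES section described above, needs the full value, but a demonstration script has no reason to echo it. Each rule is a fixed-format pattern, which is why detection is only as broad as the ruleset: a credential whose format no rule describes will not produce a finding.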