CLI Secret

ID

cli_secret

Severity

info

Vendor

-

Family

Generic secret

Description

Secrets are often embedded in CLI command options, typically in scripts or even in documentation text.

This generic secret is often caught by a more specific secret detector.

Security

Any matching entry is a potential secret reported by this detector.

False positives are common here, as it is common for script usage documentation to show command examples with secret options that are not real secrets.

Examples

aws secretsmanager create-secret --name a/b --secret S0meTh1ngV3ryS3kret

Mitigation / Fix

  1. Remove the option from the source code or committed script file. Use instead alternative options, like

  2. Follow your policy for handling leaked secrets, which typically require revoking the secret in the target system(s).

  3. If under a git repository, you may remove unwanted files from the repository history using tools like git filter-repo or BFG Repo-Cleaner. You may follow the procedure listed here for GitHub.

You should consider any sensitive data in commits with secrets as compromised.

Remember that secrets may be removed from history in your projects, but not in other users' cloned or forked repositories.

  1. Check access logs to ensure that the secret was not used by unintended actors during the compromised period.