Table: code_secret - Query Code Secrets using SQL
A Code Secret is a resource that allows you to manage and store secrets such as database credentials, API keys, and other sensitive information. It provides a centralized way to manage secrets for various resources, including databases, applications, and more. Code Secrets help you keep your sensitive information secure and take appropriate actions when predefined conditions are met.
Table Usage Guide
The code_secret
table provides insights into Code Secrets. As a DevOps engineer, explore secret-specific details through this table, including secret names, descriptions, and associated metadata. Utilize it to uncover information about secrets, such as their creation and update timestamps, and the content of the secrets.
Important Notes
- You must specify the
src
in thewhere
clause to query this table.
Examples
Basic auth is detected
Identify instances where sensitive information like passwords are exposed in your code. This can help in enhancing the security by preventing potential data breaches.
select secret_type, secret, line, colfrom code_secretwhere src = 'Text with a secret postgresql://user:secret@localhost:5432/mydb.';
select secret_type, secret, line, colfrom code_secretwhere src = 'Text with a secret postgresql://user:secret@localhost:5432/mydb.';
Multiple secrets are matched, including AWS access keys
Discover the segments that include multiple matched secrets, such as AWS access keys, to enhance security measures and prevent potential data breaches. This query is useful in identifying and managing sensitive information within your codebase.
select secret_type, secret, line, colfrom code_secretwhere src = E 'AWS access keys should be detected:\n' '* AKIA4YFAKEKEYXTDS252\n* AKIA9YFBKFGZYZTW387K';
select secret_type, secret, line, colfrom code_secretwhere src = 'AWS access keys should be detected:\n' '* AKIA4YFAKEKEYXTDS252\n* AKIA9YFBKFGZYZTW387K';
Secrets of multiple types
Determine the types of secrets embedded in your code to enhance security measures. This query helps in identifying potential vulnerabilities by highlighting different types of secrets such as AWS keys, Github tokens, etc., that might be accidentally exposed in the code.
select secret_type, secret, authenticated, line, colfrom code_secretwhere src = E 'Mixed secrets are matched:\n' '* Slack: xoxp-5228148520-5228148525-1323104836872-10674849628c43b9d4b4660f7f9a7b65\n' '* AWS: AKIA4YFAKFKFYXTDS353\n' '* Replace and try <AWS_ACCESS_KEY>:<AWS_SECRET_KEY> \n' '* Basic auth: https://joe:passwd123@example.com/secret' '* Github Personal Access Token: 45ab6f911111f9f376a5b52c25d22113f2b45fa1' '* Okta Token: 00Am7B2M_U-63q_Ppd6tDzAbBOkvcCht-kDG-baM7t' '* Stripe Api Key: sk_live_tR3PYbcVNZZ796tH88S4VQ2u' '* Azure Storage Account Key: mllhBNrG467B7Q5iT+ePFr6eLCE24ij9vT/fCeckOunfqzoGm8k5X9vKCphDaO81gmuzr89ldN+gKB0vlEHahg==';
select secret_type, secret, authenticated, line, colfrom code_secretwhere src = 'Mixed secrets are matched:\n' '* Slack: xoxp-5228148520-5228148525-1323104836872-10674849628c43b9d4b4660f7f9a7b65\n' '* AWS: AKIA4YFAKFKFYXTDS353\n' '* Replace and try <AWS_ACCESS_KEY>:<AWS_SECRET_KEY> \n' '* Basic auth: https://joe:passwd123@example.com/secret' '* Github Personal Access Token: 45ab6f911111f9f376a5b52c25d22113f2b45fa1' '* Okta Token: 00Am7B2M_U-63q_Ppd6tDzAbBOkvcCht-kDG-baM7t' '* Stripe Api Key: sk_live_tR3PYbcVNZZ796tH88S4VQ2u' '* Azure Storage Account Key: mllhBNrG467B7Q5iT+ePFr6eLCE24ij9vT/fCeckOunfqzoGm8k5X9vKCphDaO81gmuzr89ldN+gKB0vlEHahg==';
Detect secrets in AWS EC2 instance user data (requires AWS plugin)
Determine the areas in which sensitive information might be inadvertently exposed in AWS EC2 instance user data. This is crucial for maintaining security standards and preventing unauthorized access.
select instance_id, region as instance_region, secret_type, secret, authenticated, line, colfrom code_secret, aws_ec2_instancewhere src = user_data;
select instance_id, region as instance_region, secret_type, secret, authenticated, line, colfrom code_secret, aws_ec2_instancewhere src = user_data;
Detect secrets in AWS CloudFormation stack template body (requires AWS plugin)
Analyze the settings to understand potential security risks in your AWS CloudFormation stack templates. This query is useful for identifying hidden secrets within your stack templates, helping you maintain secure and authenticated configurations.
select id as stack_id, name as stack_name, region as stack_region, secret_type, secret, authenticated, line, colfrom code_secret, aws_cloudformation_stackwhere src = template_body;
select aws_cloudformation_stack.id as stack_id, aws_cloudformation_stack.name as stack_name, aws_cloudformation_stack.region as stack_region, code_secret.secret_type, code_secret.secret, code_secret.authenticated, code_secret.line, code_secret.colfrom code_secret, aws_cloudformation_stackwhere code_secret.src = aws_cloudformation_stack.template_body;
Schema for code_secret
Name | Type | Operators | Description |
---|---|---|---|
_ctx | jsonb | Steampipe context in JSON form. | |
authenticated | text | Authentication status of the secret. Valid values are "authenticated", "unauthenticated", "not_implemented", and "unknown". | |
col | bigint | Column on the line of the first character of the secret string. | |
end_offset | bigint | Offset of the last character of the secret string. | |
line | bigint | Line number of the first character of the secret string. | |
secret | text | Secret string. | |
secret_type | text | Secret type. | |
sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name. |
sp_ctx | jsonb | Steampipe context in JSON form. | |
src | text | = | The source code to scan. |
start_offset | bigint | Offset of the first character of the secret string. |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh
script:
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- code
You can pass the configuration to the command with the --config
argument:
steampipe_export_code --config '<your_config>' code_secret