Go beyond regex: introducing Semgrep Secrets

Tl;dr: We’re excited to launch Semgrep Secrets in private beta, the secrets detection product that uses semantic analysis, improved entropy analysis, and validation together for detecting secrets more accurately in developer workflows.

Sign up for our private beta to request early access to the product.

Raghav Jain
September 19, 2023

We’re excited to launch Semgrep Secrets, our secrets detection solution that enables security teams to detect sensitive credentials in code that other solutions miss while integrating directly within the developer workflows. Semgrep Secrets is an addition to the Semgrep suite of products - Semgrep Code (SAST) and Semgrep Supply Chain (SCA), both powered by the Semgrep Cloud Platform, which guarantees consistent findings quality.

The credentials to an organization's systems and data are prime targets for malicious actors. The repercussions of such keys falling into the wrong hands are severe: massive data leaks, unauthorized access to sensitive systems, and damage to the organization's reputation.

Secrets detection using Semantic Analysis

Unlike other secrets scanners, Semgrep Secrets can reason about how data is used within your code. Traditional scanners don’t leverage any form of data-flow analysis for detecting secrets, resulting in a lack of prioritization of results and missed coverage.

Below, Semgrep understands how MongoDB connections are made and can determine that a sensitive credential has made its way to a DB connection. This enables security teams to detect less obvious credentials in code with higher accuracy, enabling them to surface these results directly to developers. Beyond just looking for the variable definition, Semgrep identifies that u.p is passed into Line 10 to create a MongoDB connection.

[Figure: example of semantic analysis]

The above example also highlights a shortcoming of regex-only scanners. Because the variable name on Line 5 is not "password" or something similarly generic, a regex scanner will likely skip that line entirely.

Validating if a secret is active

Semgrep Secrets goes beyond basic regex-only detection. It performs validity checks to confirm that the detected credentials are not just present but also active, allowing you to prioritize the most critical secrets. This saves you and your developers time by shifting the focus to mitigating the risks associated with live keys.

[Figure: secrets validation]

Entropy analysis

Entropy analysis measures how unpredictable the characters in a string are: randomly generated keys score high, while ordinary words and identifiers score low. We've made improvements to Semgrep's entropy analysis to provide more precise results. Let's take the following example:

this.txtCfmPassword.Name = "txtCfmPassword"

In Semgrep OSS, this is flagged as a high entropy string, but Semgrep Secrets' entropy analysis correctly removes this match. There are many additional examples where Semgrep OSS will highlight similar false positives, which makes surfacing results to developers difficult due to the low signal-to-noise ratio. With Semgrep Secrets, we can reduce false positives so you and your developers can focus on the issues that matter.
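As an added illustration (not Semgrep's code, and the suppression heuristic is an assumption made here, not how Semgrep Secrets works), the following Python computes the Shannon entropy a naive regex-plus-entropy scanner relies on, shows that the txtCfmPassword literal above clears a typical threshold, and shows one context-aware check that drops it while still keeping a constructed key-like literal:

```python
import math
import re
from collections import Counter

# Constructed sample lines (not from the post or the product).
# The first is the post's example; the second holds a made-up key.
SAMPLE_LINES = [
    'this.txtCfmPassword.Name = "txtCfmPassword"',
    'api_key = "A1b2C3d4E5f6G7h8I9j0K1l2"',
]

STRING_LITERAL = re.compile(r'"([^"\\]*)"')
IDENTIFIER = re.compile(r'[A-Za-z_][A-Za-z0-9_]*')
THRESHOLD_BITS = 3.0  # assumed cut-off, typical for naive scanners


def shannon_entropy(s: str) -> float:
    """Bits per character under the string's own character frequencies."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def naive_candidates(line: str, threshold: float = THRESHOLD_BITS) -> list:
    """Regex + entropy only: every quoted literal above the threshold."""
    return [lit for lit in STRING_LITERAL.findall(line)
            if shannon_entropy(lit) >= threshold]


def context_filtered_candidates(line: str, threshold: float = THRESHOLD_BITS) -> list:
    """Same scan, but drop literals that merely repeat an identifier on the line.

    Assumed heuristic for illustration: a literal that names a control or
    field (like txtCfmPassword) has the entropy of an identifier because it
    is one, so a scanner that looks at surrounding tokens can discard it.
    """
    literals = STRING_LITERAL.findall(line)
    code_only = STRING_LITERAL.sub('""', line)  # identifiers outside the literals
    identifiers = set(IDENTIFIER.findall(code_only))
    return [lit for lit in literals
            if shannon_entropy(lit) >= threshold and lit not in identifiers]


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(line)
        print("  naive:   ", naive_candidates(line))
        print("  filtered:", context_filtered_candidates(line))
```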

Developer workflows

As with Semgrep Code and Semgrep Supply Chain, the developer experience is a key focus for Semgrep Secrets. Developers love Semgrep pull request (PR) comments because they get findings in real time as they make changes and can interact with those findings without leaving their SCM, such as GitHub or GitLab.

[Figure: Secrets PR comments]

Semgrep also supports running Secrets scans via IDE Extensions and pre-commit hooks to prevent secrets from even being committed.

Next steps

We are thrilled to announce the private beta of Semgrep Secrets as we expand our product suite to further provide complete build-time security to organizations worldwide. We are actively onboarding organizations to the private beta and would love to work with you.

PS: Semgrep Code and Semgrep Supply Chain are available to try for free.

