BluBracket announced its Community Edition, a free, robust and automated tool for finding passwords, tokens and other security vulnerabilities in code. It uses a novel, ML-based method for assessing code risk by assigning risk scores to individual secrets and to repositories, so companies can quickly understand and act on security issues found in code.
“The recent SolarWinds hack was the largest breach in history, and many reports say it began with a password left in code,” said Prakash Linga, CEO, BluBracket. “Source code is quickly becoming the largest surface area of attack being exploited by hackers. BluBracket is exclusively focused on addressing the risks in your source code, and now is the right time to make our Community Edition freely accessible so developers and engineers have a robust and professional way to keep credentials out of code.”
Pre-commit tool shifts security left
The BluBracket Community Edition “shifts security left” earlier in the development process by giving developers a free, easily integrated tool to help them keep credentials and secrets out of code. For setup instructions see this video.
This is so crucial in Git because once a credential is part of a Pull Request (PR), even if that PR is rejected, it stays in the repository's history and can be easily found by hackers. The pre-commit hook of the BluBracket Command Line Interface (CLI) tool scans developer commits to determine whether any new risks were introduced and, if so, blocks the staged files from being committed.
The CLI component of the Community Edition works with developers' CI/CD pipelines and any IDE that supports pre-commit hooks, such as VSCode, JetBrains IntelliJ, and PyCharm.
The BluBracket Community Edition provides developers a Secrets Risk Score, which efficiently informs them of the risk posed by a given secret in their code. For instance, an active AWS token would receive the highest score, reflecting its potential impact on the business, whereas a password in a test environment would be rated very low.
The BluBracket tool is the first of its kind to offer this type of ranking, which is integrated into the developer and security ecosystem workflow.
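As an added illustration of the pre-commit flow and the per-secret risk ranking described above (example code written for this page, not BluBracket's CLI): the script scans only the added lines of the staged diff, collapses repeated secrets into one finding via a SHA-256 of the value, scores each finding higher for an AWS-style key than for a password and lower again under a test path, and exits non-zero to block the commit. The rule set, base scores, test-path heuristic and sample diff are constructed assumptions.

```python
import hashlib
import re
import subprocess
# Hypothetical rules and base scores, constructed for this example (not
# BluBracket's rule set). AWS access key IDs really do begin with "AKIA".
PATTERNS = {
    "aws_access_key_id": (re.compile(r"\bAKIA[0-9A-Z]{16}\b"), 90),
    "password_assignment": (re.compile(r"(?i)password\s*[=:]\s*['\"]([^'\"]{6,})['\"]"), 60),
}
TEST_PATH = re.compile(r"(^|/)(test|tests|spec|fixtures)/")  # test code scores lower
BLOCK_THRESHOLD = 50
# Constructed sample of `git diff --cached -U0` output so the scan runs offline.
SAMPLE_DIFF = """\
--- a/config.py
+++ b/config.py
@@ -0,0 +1,2 @@
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+DB_PASSWORD = "hunter2hunter2"
--- a/tests/conftest.py
+++ b/tests/conftest.py
@@ -0,0 +1,2 @@
+password = "hunter2hunter2"
+API_PASSWORD = "testonly-secret"
"""

def scan_staged_diff(diff_text):
    """Scan added lines only; one finding per distinct secret, keyed by SHA-256."""
    findings, path = {}, None
    for line in diff_text.splitlines():
        if line.startswith("+++ "):
            path = line[4:]  # "b/<path>" of the file the following hunks touch
        elif line.startswith("+"):
            for kind, (pattern, base) in PATTERNS.items():
                for m in pattern.finditer(line[1:]):
                    value = m.group(m.lastindex or 0)
                    digest = hashlib.sha256(value.encode()).hexdigest()
                    score = base // 4 if TEST_PATH.search(path or "") else base
                    f = findings.setdefault(digest, {"kind": kind, "score": 0, "paths": []})
                    f["score"] = max(f["score"], score)  # worst location wins
                    f["paths"].append(path)
    return findings

def should_block(findings):
    return any(f["score"] >= BLOCK_THRESHOLD for f in findings.values())

if __name__ == "__main__":
    # Run as .git/hooks/pre-commit: a non-zero exit blocks the staged commit.
    staged = subprocess.run(["git", "diff", "--cached", "-U0"], capture_output=True, text=True).stdout
    raise SystemExit(1 if should_block(scan_staged_diff(staged)) else 0)
```

Running `scan_staged_diff(SAMPLE_DIFF)` yields three findings: the AWS key at 90, the shared password at 60 (its two locations merged into one entry) and the test-only password at 15, so the hook would block this commit.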
New repo risk score
BluBracket has made it simple for anyone to use the Community Edition. Users simply connect to the BluBracket Community Edition through GitHub, where the tool will begin scanning up to 10 repositories and sharing reports in real time for more than 50 secret types in any language. This scan will give them an instant Repo Risk Score which estimates the impact of the type of credentials found in the code so they can prioritize remediation and drill down into the contributions responsible for the leakage.
The built-in rules engine also automatically reduces the number of false positives that are present in so many other secrets-scanning tools. For example, in a recent product comparison conducted by an early access customer, BluBracket identified that more than 125,000 of the 126,500 “secrets” detected by a popular open source tool were false positives.
The reduction in false positives saves companies time and money, as it’s labor intensive to maintain these open source tools and comb through the false positives. It also protects companies from leakage by showing them relative risk in an actionable format.
Additional BluBracket Community Edition features
Further features beyond the CLI and risk scoring include:
- Enhanced security monitoring and alerting that continuously scans repos
- Comprehensive APIs to integrate into existing CI pipeline, SIEM, messaging, and ticketing solutions
- A robust rules engine to reduce false positives which are so common in other scanning point tools
- Unique hashes for secrets that eliminate duplicates
- Monitoring of the 50+ most common secret types, automatically, in public or private GitHub repositories