SQ34105
Detected presence of embedded encrypted private SSH keys.
| priority | CI/CD status | severity | effort | RL level | RL assessment |
|---|---|---|---|---|---|
 | pass | medium | medium | None | secrets: warning Reason: network protocol keys found |
About the issueโ
Secure Shell Protocol (SSH) keys are access credentials that use public key cryptography to authorize SSH protocol users. Private SSH keys verify the identity of a client trying to access a server. These private keys are considered secrets, and as such should never be published. Encrypted SSH keys are considered more secure, as they require an optional password to use. While it is typical for private keys to be found as standalone files, the detected ones have been found embedded within another software package component. This could indicate an attempt to hide private SSH key presence.
How to resolve the issueโ
- Review the reported private keys and remove them from the software package if they were accidentally included.
- If the keys were published unintentionally and the software has been made public, you should revoke the keys and file a security incident.
Incidence statisticsโ
ReversingLabs periodically collects and analyzes the contents of popular software package repositories for threat research purposes.
For every repository, the chart shows the percentage of projects that triggered the software assurance policy. In other words, it shows how many projects were found to have the specific issue described on this page.
The percentages are calculated from the total amount of packages analyzed:
- RubyGems: 174K
- Nuget: 189K
- PyPi: 403K
- NPM: 2.1M
Recommended readingโ
- Public-key cryptography (External resource - Wikipedia)
- Private key (External resource - NIST)