SQ34106
Detected presence of private PGP keys.
| priority | CI/CD status | severity | effort | RL level | RL assessment |
|---|---|---|---|---|---|
 | fail | high | medium | 1 | secrets: fail Reason: private certificates found |
About the issueโ
Pretty Good Privacy (PGP) provides cryptographic privacy and enables communication authentication. PGP is used for signing, encryption, and to improve the e-mail communication security. It supports message authentication and integrity checking. These private keys are considered secrets, and as such should never be published. The only exception is when the reported keys are used for limited automated software testing.
How to resolve the issueโ
- Review the reported private keys and remove them from the software package if they were accidentally included.
- If the keys were published unintentionally and the software has been made public, you should revoke the keys and file a security incident.
Incidence statisticsโ
ReversingLabs periodically collects and analyzes the contents of popular software package repositories for threat research purposes.
For every repository, the chart shows the percentage of projects that triggered the software assurance policy. In other words, it shows how many projects were found to have the specific issue described on this page.
The percentages are calculated from the total amount of packages analyzed:
- RubyGems: 174K
- Nuget: 189K
- PyPi: 403K
- NPM: 2.1M
Recommended readingโ
- Pretty Good Privacy (External resource - Wikipedia)
- The GNU Privacy Guard (External resource)
- Public key certificate (External resource - Wikipedia)