SQ34107
Detected presence of private certificates.
| priority | CI/CD status | severity | effort | RL level | RL assessment |
|---|---|---|---|---|---|
 | fail | high | medium | 1 | secrets: fail Reason: private certificates found |
About the issueโ
Digital signatures are applied to applications, packages and documents as a cryptographically secured authenticity record. Signatures are made using digital certificates, which can either be purchased from certificate authorities or be self-issued. These private certificates are considered secrets, and as such should never be published. The only exception is when the reported certificates are used for limited automated software testing.
How to resolve the issueโ
- Review the reported private certificates and remove them from the software package if they were accidentally included.
- If the certificates were published unintentionally and the software has been made public, you should revoke the certificates and file a security incident.
Incidence statisticsโ
ReversingLabs periodically collects and analyzes the contents of popular software package repositories for threat research purposes.
For every repository, the chart shows the percentage of projects that triggered the software assurance policy. In other words, it shows how many projects were found to have the specific issue described on this page.
The percentages are calculated from the total amount of packages analyzed:
- RubyGems: 174K
- Nuget: 189K
- PyPi: 403K
- NPM: 2.1M
Recommended readingโ
- Digital signature (External resource - NIST)
- Digital Certificates โ Models for Trust and Targets for Misuse (ReversingLabs blog series)