SQ34108
Detected presence of private keys.
| priority | CI/CD status | severity | effort | RL level | RL assessment |
|---|---|---|---|---|---|
 | fail | high | medium | 2 | secrets: fail Reason: plaintext private keys found |
About the issueโ
Private keys are access credentials that use public key cryptography to authorize network protocol users. Private keys verify the identity of a client trying to access a server. These private keys are considered secrets, and as such should never be published. The only exception is when the reported keys are used for limited automated software testing.
How to resolve the issueโ
- Review the reported private keys and remove them from the software package if they were accidentally included.
- If the keys were published unintentionally and the software has been made public, you should revoke the keys and file a security incident.
Incidence statisticsโ
ReversingLabs periodically collects and analyzes the contents of popular software package repositories for threat research purposes.
For every repository, the chart shows the percentage of projects that triggered the software assurance policy. In other words, it shows how many projects were found to have the specific issue described on this page.
The percentages are calculated from the total amount of packages analyzed:
- RubyGems: 174K
- Nuget: 189K
- PyPi: 403K
- NPM: 2.1M
Recommended readingโ
- Public-key cryptography (External resource - Wikipedia)
- Private key (External resource - NIST)