SQ34109
Detected presence of embedded private keys.
priority | CI/CD status | severity | effort | RL level | RL assessment |
---|---|---|---|---|---|
fail | high | medium | 3 | secrets: fail Reason: plaintext private keys found |
About the issueโ
Private keys are access credentials that use public key cryptography to authorize network protocol users. Private keys verify the identity of a client trying to access a server. These private keys are considered secrets, and as such should never be published. While it is typical for private keys to be found as standalone files, the detected ones have been found embedded within another software package component. This could indicate an attempt to hide private key presence.
How to resolve the issueโ
- Review the reported private keys and remove them from the software package if they were accidentally included.
- If the keys were published unintentionally and the software has been made public, you should revoke the keys and file a security incident.
Incidence statisticsโ
ReversingLabs periodically collects and analyzes the contents of popular software package repositories for threat research purposes.
For every repository, the chart shows the percentage of projects that triggered the software assurance policy. In other words, it shows how many projects were found to have the specific issue described on this page.
The percentages are calculated from the total amount of packages analyzed:
- RubyGems: 174K
- Nuget: 189K
- PyPi: 403K
- NPM: 2.1M
Recommended readingโ
- Public-key cryptography (External resource - Wikipedia)
- Private key (External resource - NIST)