
SQ34201

Detected presence of version control tool artifacts.

priority | CI/CD status | severity | effort | RL level | RL assessment
         | fail         | high     | low    | 1        | secrets: fail
Reason: source control artifacts found

About the issue

Source Code Management (SCM) tools provide version control tracking for application source code. They track the development history of each source code unit and store it in a version-control-specific database format. For convenience, the source code repository and its version control database typically reside in the same folder. Because some programming languages package source code as an artifact during the build, it is possible to misconfigure the packaging step and include the version control database in the released package. This database contains the complete change history of the tracked repository, which can include private keys, certificates, and other sensitive information that should be kept secret, even if those files are no longer present in the current source tree. Given access to a version control database, an attacker could extract that sensitive information from its artifacts and gain privileged access.

How to resolve the issue

  • Remove all version control databases and their artifacts from the package before you release it.
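As an added example (not part of the ReversingLabs page or its tooling), the following Python check shows how a release pipeline can inspect a source distribution for version control database directories before publishing; the list of artifact names and the constructed sample archive are assumptions made for this example.

```python
import io
import tarfile
from posixpath import normpath

# Directory names that hold a version control database (assumed list for this
# example; extend it for other SCM tools as needed).
VCS_DB_DIRS = {".git", ".svn", ".hg", ".bzr", ".fossil"}
# Loose SCM metadata files that also reveal repository details (assumed list).
VCS_FILES = {".gitattributes", ".gitmodules", ".hgtags", ".hgignore"}


def vcs_artifacts_in_paths(paths):
    """Return the sorted list of archive members that are VCS artifacts."""
    hits = set()
    for p in paths:
        parts = normpath(p).split("/")
        # Any path component that names a VCS database flags the member, which
        # covers "pkg/.git/config", "pkg/.git/objects/ab/cd" and a bare ".git"
        # gitlink file alike.
        if any(part in VCS_DB_DIRS for part in parts):
            hits.add(p)
        elif parts[-1] in VCS_FILES:
            hits.add(p)
    return sorted(hits)


def scan_sdist(tar_bytes):
    """Scan a gzipped tar source distribution held in memory."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:gz") as tf:
        return vcs_artifacts_in_paths(m.name for m in tf.getmembers())


def build_sample_sdist(paths):
    """Constructed sample sdist: every path becomes an empty file."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for p in paths:
            info = tarfile.TarInfo(p)
            info.size = 0
            tf.addfile(info, io.BytesIO(b""))
    return buf.getvalue()


def check_release(tar_bytes):
    """Policy gate: fail the release when any VCS artifact is present."""
    found = scan_sdist(tar_bytes)
    return ("fail" if found else "pass", found)


if __name__ == "__main__":
    sample = build_sample_sdist([
        "example-1.0/setup.py",
        "example-1.0/.git/config",
        "example-1.0/.git/objects/ab/cdef0123",
    ])
    print(check_release(sample))
```

The same member-path check applies to wheels, npm tarballs or NuGet packages once their member names are listed with the matching archive reader.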

Incidence statistics

ReversingLabs periodically collects and analyzes the contents of popular software package repositories for threat research purposes.

For every repository, the chart shows the percentage of projects that triggered the software assurance policy. In other words, it shows how many projects were found to have the specific issue described on this page.

The percentages are calculated from the total amount of packages analyzed:

  • RubyGems: 174K
  • Nuget: 189K
  • PyPi: 403K
  • NPM: 2.1M