SQ34201
Detected presence of version control tool artifacts.
| priority | CI/CD status | severity | effort | SAFE level | SAFE assessment |
|---|---|---|---|---|---|
| | fail | high | low | 1 | secrets: fail Reason: source control artifacts found |
About the issue
Source Code Management (SCM) tools provide version control tracking for application source code. They record the development history of each source code unit and store it in a version-control-specific database format. For convenience, the source code repository and its version control database typically reside in the same folder. Because some programming languages package source code as an artifact during the build, it is possible to misconfigure the packaging step and include the version control database in the package. This database contains the complete change history of the tracked repository, including any private keys, certificates, and other sensitive information that were ever committed, even if they were later deleted from the working tree. Given access to a version control database, an attacker could use its artifacts to extract that sensitive information and gain privileged access.
How to resolve the issue
- Remove all version control databases and their artifacts from the package before you release it.
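A pre-release check for this, as an added example that is not ReversingLabs' or Spectra Assure's code: it lists every entry of a zip-based artifact (wheel, jar, nupkg) or an unpacked package directory that sits under a version control database directory, so the entries can be removed before publishing. The set of directory names and the sample archive are constructed for the example.

```python
"""Find version control databases inside a built package before release.
Added example, not ReversingLabs' code: lists every entry of a zip-based
artifact (wheel, jar, nupkg) or unpacked directory under an SCM metadata directory."""
import io
import os
import zipfile
from typing import IO, Iterable, List, Union

# Directory names that common SCM tools use for their version-control database.
VCS_DIRS = {".git", ".svn", ".hg", ".bzr", "CVS", ".fossil"}


def vcs_artifact_paths(paths: Iterable[str]) -> List[str]:
    """Return the paths whose components include a VCS database directory."""
    hits = []
    for path in paths:
        parts = path.replace("\\", "/").rstrip("/").split("/")
        # A bare ".git" entry (e.g. a submodule pointer file) is flagged too;
        # ".gitignore" is not, since it is not part of the database.
        if any(part in VCS_DIRS for part in parts):
            hits.append(path)
    return hits


def scan_zip(archive: Union[str, IO[bytes]]) -> List[str]:
    """Scan a zip-based package without extracting it."""
    with zipfile.ZipFile(archive) as zf:
        return vcs_artifact_paths(zf.namelist())


def scan_directory(root: str) -> List[str]:
    """Scan an unpacked package tree on disk."""
    entries = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            entries.append(os.path.relpath(os.path.join(dirpath, name), root))
    return vcs_artifact_paths(entries)


def build_sample_archive() -> io.BytesIO:
    """Constructed sample: a wheel-like zip that accidentally ships its .git database."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("pkg/__init__.py", "VERSION = '1.0'\n")
        zf.writestr("pkg/.gitignore", "*.pyc\n")
        zf.writestr("pkg/.git/HEAD", "ref: refs/heads/main\n")
        zf.writestr("pkg/.git/objects/ab/cdef0123", "blob")
    buf.seek(0)
    return buf
```

Run `scan_zip("dist/yourpackage-1.0-py3-none-any.whl")` on a real build output; a non-empty result means the packaging step is pulling the SCM database into the release and should fail the pipeline.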
Incidence statistics
ReversingLabs periodically collects and analyzes the contents of popular software package repositories for threat research purposes. Analysis results are used to calculate incidence statistics for issues (policy violations) that Spectra Assure can detect in software packages.
This section is updated when new data becomes available.
Total number of packages analyzed
- RubyGems: 183K
- NuGet: 644K
- PyPI: 628K
- npm: 3.72M
Total detections per repository
For every repository, the chart shows the number of packages that triggered the software assurance policy. In other words, it shows how many packages in each package repository were found to have the specific issue described on this page. This information helps you understand how common the issue is across different software communities.
If a repository is absent from the chart, that means none of the packages in that repository triggered this policy during analysis, or the policy was not used during analysis.
Distribution of total detections by project popularity
For every repository, the chart shows how many of the total detections belong to the Top 100 (1-100), Top 1000 (101-1000) and Top 10 000 (1001-10 000) most downloaded projects. This information helps you understand the impact of the issue within each community, making it clearer when the issue affects the most popular projects.
If the chart shows zero values for all of the top project groups, that means all detections were in unranked projects (lower than 10 000 on the list of most downloaded projects).
Recommended reading
- It's not a secret if you publish it on PyPI (ReversingLabs blog)
- Version control (External resource - Wikipedia)
- 4 ways GitOps can help secure your software pipeline (ReversingLabs blog)