In the Detector of the month series, we feature our favorite projects or services GitGuardian’s secrets detection engine supports. This month, the Redis credentials detector was selected!
What does Redis do?
Redis users and customers, you can skip this section and jump to the next one for a step-by-step guide on how to remediate hardcoded Redis database credentials.
Redis is an in-memory key-value data store. It was born as an open-source project in 2009, based on the idea that a cache can also be a durable data store and can be used to serve application data to end-users faster than a relational database would.
At the time, it was adopted by high-growing companies such as Twitter. For example, the Twitter Timeline service, where all tweets are chained and displayed to a user, has been powered by Redis since 2010.
Redis’ speed and low latency are ideal for the use case of caching the results of database queries, complex computations, API calls but it has grown significantly since its release to solve other problems. Redis datastores are also used for real-time, streaming, and messaging use cases.
Keep Redis credentials out of your code with GitGuardian!
Secrets sprawl is still a hot issue for developers and security engineers. Last year, our monitoring of public GitHub revealed a two-fold increase in the number of leaked credentials, with more than 6 million exposed throughout 2021! In other words, 3 commits out of 1,000 exposed at least one secret.
At GitGuardian, we’re committed to helping developers reduce the risk of exposing their secrets, and here’s how we’re doing it:
- We notify developers whenever they misstep and leave plain text credentials in git repositories, thanks to our library of 350+ built-in specific and generic detectors.
- We share with developers the best practices around code security and secrets management and how to implement them at both the individual and team levels.
The risks of secrets-in-code can never be overstated, especially when it comes to compromised credentials or tokens with access to databases in production environments. Organizations stand to lose a lot from exposing this critical component of their infrastructure and can become easy targets for ransomware or even make it to the headlines following customer and business data leaks.
How to handle hardcoded Redis credentials?
Here’s what to do when you receive an alert from GitGuardian mentioning leaked Redis database credentials:
- Understand the implications of the incident. A bad situation can be made worse if a secret is revoked without understanding how that secret is currently being used.
- Rotate and revoke the secret! The Redis password is stored in the
redis.conffile, make sure it is changed and can no longer be used to connect to the instance or delete the user whose credentials have been exposed using Redis' ACL command
ACL DELUSER username [username ...].
- Improve your secrets management. Use a dotenv file to hide sensitive environment variables or look for alternative secrets management solutions to avoid hardcoding database credentials in the future.
- Optional – Remove all evidence from your git history. Rewrite the git history or delete the entire repository. Such an operation is not trivial and needs to be discussed with your team members.
- Review access logs. Check for suspicious activity in the log data of your services impacted by the leaked credentials.
Learn more about Redis’ security model in the official documentation here. Redis is designed to be accessed by trusted clients inside trusted environments and provides very thin authentication and authorization layers. Also, take a look at GitGuardian's Redis credentials detector documentation here.
What about other secrets?
GitGuardian helps developers keep 350+ types of secrets out of source code. GitGuardian’s automated secrets detection and remediation solution secure every step of the development lifecycle, from code to cloud:
- On developer workstations with git hooks (pre-commit and pre-push);
- On code sharing platforms like GitHub, GitLab, and Bitbucket;
- In CI environments (Circle CI, Travis CI, Jenkins CI, GitHub Actions, and many more);
- In Docker images.