Amazon brings automated secrets detection to CodeGuru

Amazon is rolling out a new machine learning-powered “secrets detection” feature that automatically finds confidential system credentials that might be hidden in source code.

Secrets Detector, as the new feature is called, is part of Amazon’s AI-powered code review service called CodeGuru, which the internet giant launched for developers last year. CodeGuru is all about helping developers improve the quality of their code by checking logic, syntax, and style before fresh code is committed to an existing codebase. There are two parts to the tool — CodeGuru Profiler, which focuses on fixing inefficient code which might cause an app to lag or drive up compute costs; and CodeGuru Reviewer, which uses machine learning techniques to find bugs, security vulnerabilities, and other critical issues — and then suggests remedies.

The term “secrets” refers to digital credentials — such as passwords, API tokens, certificates, and encryption keys — that companies use for managing access to their critical applications, systems, and infrastructure. Such credentials can inadvertently find their way into the public domain due to developer complacency. Uber, for example, revealed a major breach back in 2017 that exposed millions of its users’ personal data — the root cause, apparently, was an AWS access key hackers discovered in a personal GitHub repository belonging to an Uber developer.

Recent data from GitGuardian, a cybersecurity platform that helps companies find sensitive data hidden in their code, revealed a 20% increase in secrets found in public GitHub repositories.

Secret sauce

Amazon’s new Secrets Detector is included as part of CodeGuru Reviewer at no additional cost, and supports most of the APIs from providers such as Amazon’s AWS, Twilio, GitHub, Salesforce, Slack, Stripe, Tableau, Atlassian, Databricks, and more. As well as working with all Java and Python code, Secrets Detector can also be used to scan documentation and configuration files, with CodeGuru Reviewer suggesting measures for developers to secure their secrets using Amazon’s very own AWS Secrets Manager service.

Above: AWS Secrets Manager recommendation: Create a new secret

Secrets management has emerged as a crucial facet of companies’ broader security hygiene ethos, opening the door for dedicated third-party services to flourish — earlier this year, password-management giant 1Password revealed that it was expanding into secrets management when it acquired Dutch company SecretHub. A slew of younger companies have emerged on the scene too, such as Spectral which exited stealth this year with $6.2 million to find costly security mistakes buried in code; Doppler, which expanded its secrets manager to the enterprise with $6.5 million in funding; and Akeyless, which raised a $14 million series A round.

While secrets management can involve different tools and processes, the goal is ultimately the same across the board — to protect companies’ internal systems from being infiltrated by bad actors. And that means automating the process of spotting secrets in public codebases.