The New Stack·March 27, 2026

Betterleaks: Next-Gen Secrets Scanning for Secure SDLC

This article introduces Betterleaks, an open-source secret-scanning tool designed to enhance software supply chain security. It focuses on architectural improvements over its predecessor, Gitleaks, by implementing a flexible validation system using CEL, token efficiency scanning, and improved portability. The tool aims to integrate seamlessly into modern AI-assisted development workflows to proactively detect exposed credentials, emphasizing shifting security left in the SDLC.


Introduction to Secrets Management and Scanning

Secrets are critical for modern software infrastructure, enabling authentication between services, database access, and API calls. These credentials (keys, passwords, tokens) are often inadvertently exposed in codebases, configuration files, or logs, especially during rapid development or when using AI code generation tools. Tools like Betterleaks are designed to scan code and prevent these sensitive credentials from being leaked into public or unauthorized repositories, forming a crucial part of a secure software development lifecycle (SDLC).

Architectural Improvements in Betterleaks

Betterleaks, a successor to Gitleaks, introduces several architectural advancements to address the limitations of traditional secret scanners and adapt to evolving development practices, particularly the 'AI agent era'. These improvements focus on flexibility, detection accuracy, and operational ease.

  • Flexible Validation with CEL: Instead of hard-coded logic, Betterleaks utilizes the Common Expression Language (CEL) for defining validation rules. This allows security teams to dynamically define what constitutes a secret, offering greater control and adaptability without altering the scanner's core code. CEL's properties (fast, portable, safe) make it ideal for embedding in applications.
  • Token Efficiency Scanning: Moving beyond simple entropy checks, Betterleaks employs BPE tokenization for detecting secrets. This method differentiates ordinary text from machine credentials based on how they break down into tokens, leading to more accurate detection and fewer false positives.
  • Pure Go Implementation: The tool is written entirely in Go, so it needs neither cgo nor an external native engine such as Hyperscan. This enhances portability, making it easier to run consistently across diverse development environments and CI/CD pipelines.
  • Enhanced Scanning Capabilities: Betterleaks supports default detection for doubly and triply encoded credentials and parallelized Git scanning, significantly improving scan speed and coverage.
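To make the "doubly and triply encoded credentials" point concrete, here is an added example (not Betterleaks' own code) of why a single-pass pattern match misses a base64-wrapped secret and how a layered decode-and-rescan finds it. The credential format `EXKEY_` plus 16 hex digits is a constructed placeholder, and the recursion depth and base64 heuristics are this example's own assumptions.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"regexp"
	"strings"
)

// Hypothetical credential format for this example: "EXKEY_" plus 16 hex
// characters. It is a constructed placeholder, not a real provider's format.
var secretRule = regexp.MustCompile(`EXKEY_[0-9a-f]{16}`)

// A run of base64 alphabet characters long enough to hide an encoded secret.
var b64Run = regexp.MustCompile(`[A-Za-z0-9+/]{20,}={0,2}`)

// findSecrets returns every secretRule match in data. Base64-looking runs are
// decoded and rescanned recursively, up to maxDepth layers, so a credential
// that was encoded two or three times is still surfaced.
func findSecrets(data []byte, maxDepth int) []string {
	found := secretRule.FindAllString(string(data), -1)
	if maxDepth == 0 {
		return found
	}
	for _, run := range b64Run.FindAll(data, -1) {
		// Strip padding and use the raw decoder so partial runs still decode.
		decoded, err := base64.RawStdEncoding.DecodeString(strings.TrimRight(string(run), "="))
		if err != nil {
			continue // not valid base64; ignore this run
		}
		found = append(found, findSecrets(decoded, maxDepth-1)...)
	}
	return found
}

// encodeLayers wraps s in n layers of standard base64 (builds the constructed input).
func encodeLayers(s string, n int) string {
	for i := 0; i < n; i++ {
		s = base64.StdEncoding.EncodeToString([]byte(s))
	}
	return s
}

func main() {
	// Constructed sample line: a triply base64-encoded credential in an env var.
	line := []byte("export API_TOKEN=" + encodeLayers("EXKEY_0123456789abcdef", 3))
	fmt.Println("plain scan:  ", findSecrets(line, 0)) // []
	fmt.Println("3-layer scan:", findSecrets(line, 3)) // [EXKEY_0123456789abcdef]
}
```

A depth-2 scan of the same line still returns nothing, which is the gap a scanner without multi-layer decoding leaves open.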

Shifting Security Left with AI-Assisted Development

The article highlights how AI code generation increases the risk of secret leaks due to rapid iteration and reduced manual review. Betterleaks is designed to integrate with AI agent workflows, allowing immediate secret checks during code generation. This exemplifies 'shifting left' in security, where vulnerabilities are identified and mitigated as early as possible in the development pipeline, rather than post-deployment.

Roadmap for Future Enhancements

  • Scanning more sources beyond Git repositories and files.
  • Optional LLM-based classification using anonymized data to improve detection.
  • Support for secret revocation through provider APIs.
  • Mapping leaked credentials to their potential access scope.