Proactive Secrets Management at Pendo

The last thing any good product security team wants is for their codebase to look something like this:

This nightmare scenario is why security teams use a process known as “secrets management” to find and remove secrets from production code. However, the issue with manual secrets management is that it is a reactive process instead of a proactive one.

Detection time is often inconsistent. Once a secret is discovered, it must also be rotated since it has already been pushed to the remote code base. Rather than scanning remote code in hopes of detecting a secret after it has been pushed, we should be detecting secrets before they leave a developer’s local environment, thereby preventing them from ever being pushed at all.


How We Went Proactive

Security is at its best when integrated with the normal development workflow. That’s why the security team at Pendo decided to integrate secrets scanning into our preexisting environment. Like many other companies, we use git to manage development, meaning developers make changes locally and then push those changes to a remote codebase. Part of this process includes running sanity and health checks on code before it is pushed via a tool known as pre-commit.

In git, a pre-commit hook is a script run on staged code during a commit, after code is ready to be pushed to the remote repository but before it has been. Using a secret scanning tool called gitleaks, we set up pre-commit hooks to scan staged code before it was pushed to the remote repository.

One of the biggest advantages of gitleaks is that you can provide a configuration file upon execution of a scan. This means that we can use git to track this file, allowing us to adjust configuration once on the remote codebase and apply the changes to every local scan once the developer has pulled the changes. If the scan flags a section of code, the pre-commit hook prints an error message and rejects the commit, allowing developers the chance to locally remediate and prevent secrets exposure.

The beauty of this setup is that the pre-commit workflow was already being used by developers at Pendo. Thus, integrating gitleaks meant instantaneous adoption and higher ease-of-use as compared to creating and forcing an entirely separate system onto our developers.

When we released the new integration, the process was smooth, seamless, and largely unnoticed by developers. Now, secrets scanning runs quietly in the background of every commit and makes engineering at Pendo that much more secure.