Soteri strongly recommends treating every secret detected by the Security Scanning tool as compromised, even if it is later scrubbed from git history. Once a secret has been committed, rotating it is far easier than tracking down everyone (developers, services, attackers) who might have had temporary access to it, authorized or otherwise.

Soteri recommends:

  • Changing the secret.

    • If a password is found, change it.

    • If an access token is found, many services let you temporarily accept both the compromised token and a newly generated one, giving you time to update your services to use the new token. Once all of your services have been updated, revoke the old token.

  • Delete the secret from code. Secrets in code, revoked or not, send the signal to code contributors that secrets can be committed to code.

  • Enable Security For Bitbucket’s pre-commit hook! This is the best way to ensure that secrets don’t end up in Bitbucket again. See Scanning Every Push with the Security Hook for more details.
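The overlap rotation described above for access tokens, shown as an added example rather than Soteri's or any service's own code: the validator accepts the compromised token and the new one during a grace window, then only the new one. The `TokenRotator` class, the injectable `clock`, and the token format are assumptions for illustration.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class TokenRotator:
    """Constructed illustration of service-side token rotation with an overlap window.

    After rotate(), the old (compromised) token and the new token are both accepted for
    `grace_seconds`, so dependent services can be updated one at a time. After the window
    passes, or once revoke_old() is called, only the new token is accepted.
    """
    grace_seconds: float
    clock: Callable[[], float] = time.time  # injectable clock so rotation can be tested offline
    current: Optional[str] = None
    old: Optional[str] = None
    old_expires_at: float = 0.0

    def issue(self) -> str:
        """Create the first token (hypothetical: real services issue tokens via their API)."""
        self.current = secrets.token_urlsafe(32)
        return self.current

    def rotate(self) -> str:
        """Generate a replacement token; keep the previous one valid for the grace window."""
        self.old = self.current
        self.old_expires_at = self.clock() + self.grace_seconds
        self.current = secrets.token_urlsafe(32)
        return self.current

    def revoke_old(self) -> None:
        """Stop accepting the previous token immediately, before the window ends."""
        self.old = None
        self.old_expires_at = 0.0

    def is_valid(self, presented: str) -> bool:
        """Constant-time comparison against the current token and, within grace, the old one."""
        if self.current is not None and secrets.compare_digest(presented, self.current):
            return True
        if self.old is not None and self.clock() < self.old_expires_at:
            return secrets.compare_digest(presented, self.old)
        return False


if __name__ == "__main__":
    rotator = TokenRotator(grace_seconds=3600)
    leaked = rotator.issue()           # the token that was found in the repository
    replacement = rotator.rotate()     # both tokens work for the next hour
    print("old still accepted:", rotator.is_valid(leaked))
    rotator.revoke_old()               # all services updated: cut the old token off
    print("old accepted after revoke:", rotator.is_valid(leaked), "| new:", rotator.is_valid(replacement))
```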