All secrets detected by a security scan should be considered compromised. Once a secret is committed, Bitbucket indexes it, and anyone with read access to the repository, the project, or the whole Bitbucket instance could have obtained a copy. Scrubbing the secret from git history does not sufficiently remediate the risk.
Soteri recommends the following:

- Change the secret.
  - If a password is found, change it.
  - If an access token is found, generate a new access token and update your services to use the new token. Once all your services have been updated, revoke the old token.
- Delete the secret from code. Secrets in code, revoked or not, signal to contributors that committing secrets to code is acceptable.
- Enable Security For Bitbucket’s pre-commit hook. This is the best way to ensure that secrets don’t end up in Bitbucket again.
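As an added illustration of the last step, here is a client-side git pre-commit hook that blocks a commit when staged additions look like credentials. It is example code written for this page, not Soteri’s Security For Bitbucket hook; the detection patterns and the environment-variable allowlist are constructed for illustration and are deliberately simple.

```shell
#!/bin/sh
# Client-side git pre-commit hook that blocks commits whose staged additions
# look like secrets. Added example, not the Security For Bitbucket hook.
# Install: copy to .git/hooks/pre-commit and make it executable.
# A server-side hook on Bitbucket remains the authoritative control; this
# only stops secrets before they leave the developer's machine.

# Constructed, illustrative patterns: key=value credentials, AWS access key
# IDs, private key headers, GitHub personal access tokens.
KV_PATTERN="(password|passwd|secret|api[_-]?key|token)[[:space:]]*[=:][[:space:]]*[\"']?[A-Za-z0-9/+_.-]{8,}"
AWS_PATTERN='AKIA[0-9A-Z]{16}'
PEM_PATTERN='-----BEGIN (RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----'
GH_PATTERN='ghp_[A-Za-z0-9]{36}'
# Added lines that only reference an environment variable are not secrets.
ENV_LOOKUP_PATTERN='os\.environ|getenv\(|\$[{]?[A-Z_][A-Z0-9_]*'

# Read a unified diff on stdin; print "file:line" for every added line that
# matches a secret pattern. Exit status 0 means at least one hit was found.
scan_added_lines() {
    awk '
        /^\+\+\+ / { file = substr($0, 7); next }   # "+++ b/path" -> path
        /^\+/      { print file ":" substr($0, 2) }  # added content line
    ' |
    grep -E -i -e "$KV_PATTERN" -e "$AWS_PATTERN" \
               -e "$PEM_PATTERN" -e "$GH_PATTERN" |
    grep -v -E -e "$ENV_LOOKUP_PATTERN"
}

# Hook entry point: inspect only what is staged, with no context lines.
run_hook() {
    hits=$(git diff --cached --unified=0 --no-color | scan_added_lines) || return 0
    echo "Commit blocked: staged changes contain possible secrets." >&2
    echo "$hits" >&2
    echo "Remove the value from the code, then rotate it if it was ever real." >&2
    return 1
}

# Only run the hook when git invokes this file as .git/hooks/pre-commit,
# so the functions can also be sourced and exercised on a sample diff.
case "$0" in
    */pre-commit) run_hook || exit 1 ;;
esac
```

Because a blocked value may already have been pasted elsewhere before the commit was attempted, the hook's message still tells the developer to rotate it; the hook prevents recurrence, it does not replace rotation.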