June 28, 2023

Credential Digger – detecting leaked secrets on GitHub

25 minutes

Credential Digger is an SAP Open-Source code scanner for detecting hardcoded secrets. In this episode, Slim Trabelsi discusses with host Karsten Hohage what led to the creation of Credential Digger and about its key differentiators. Slim also speaks of the early challenges of scanning for secrets, and lists the many advantages of using open source for building and maintaining Credential Digger. Open source comes with visibility for customers, and contributors can work on a project even before they join the team or after they leave, leading to improved continuity and a better tool overall.

Guests:

Slim Trabelsi joined SAP 15 years ago and currently works as a senior security expert in the SAP Security Research team. His background includes data privacy, data protection, and social media security. He is currently focusing his research activities on cyber security, threat intelligence, and surveillance. Slim recently developed an open-source tool called Credential Digger, which is used to identify hardcoded secrets in source code repositories like GitHub.

Twitter: https://twitter.com/slim_security

LinkedIn: https://www.linkedin.com/in/slim-trabelsi-94534a83/

GitHub: https://github.com/SlimTrabelsi

SAP People: https://people.sap.com/slim.trabelsi

Show Notes:

Links

https://github.com/SAP/credential-digger

https://github.com/SAP/vs-code-extension-for-project-credential-digger

Credential Digger: Using Machine Learning to Identify Hardcoded Credentials in Github – blog post

SAP Security Research

https://huggingface.co/SAPOSS/password-model

NIST – Source Code Security Analyzers