Sttor Documentation

Appearance

Suppressions & Rotation

Not every detection is actionable as “rotate now” (example: test fixtures, synthetic keys, false positives). DevSecOps Bot supports controlled handling.

Suppressions (Exceptions)

Use Suppressions When:

  • The match is a verified false positive
  • The string is a non-sensitive placeholder
  • The value is intentionally public (rare; document why)

Best Practices:

  • Prefer scoped suppressions (file-level, rule-level, or line-level if supported)
  • Add a reason and owner
  • Avoid suppressing entire repositories unless absolutely necessary

Rotation Guidance

If the secret is real

  • Rotate immediately in your provider system
  • Check logs for misuse (if available)
  • Review access scope and reduce permissions
  • Move secrets to a secret manager (AWS Secrets Manager, Vault, etc.)
  • Re-issue keys with least privilege

Recommendation When a Secret Is Detected

  1. Stop the leak (immediate)
  • Do not share the secret further (don’t paste into chat, tickets, or PR comments).
  • Revoke/rotate the credential now in the provider console.
  • If rotation is not possible instantly, disable the key or remove permissions temporarily.
  1. Remove from Git history (not just the latest commit)

Even if you delete the secret in a new commit, it can remain in history.

  • Remove the secret from the codebase and any config files.
  • If it was committed, rewrite Git history to purge it (use a safe tool like git filter-repo or BFG).
  • Force-push only if your org policy allows it; otherwise follow your internal security process.
  1. Replace with a secure pattern

Preferred patterns:

  • Use a secret manager (Vault / cloud secret manager).
  • Inject secrets at runtime via:
    • CI/CD secret store (GitHub Actions Secrets, OIDC-based creds)
    • Kubernetes Secrets (sealed/external secrets preferred)
    • Environment variables from secret manager
  • Avoid:
    • .env committed files
    • hardcoded tokens
    • secrets stored in plain config maps
  1. Validate blast radius
  • Check access logs / audit logs for suspicious use.
  • Verify the secret’s scope:
    • Reduce privileges (least privilege)
    • Restrict by IP / environment if possible
    • Set expiration and rotate regularly
  1. Add prevention so it doesn’t happen again
  • Ensure DevSecOps Bot scans run on:
    • every PR
    • every push / branch scan
  • Add guardrails:
    • pre-commit secret scanning (optional)
    • block merges on high-severity secret rules
    • training snippet: “never commit real creds”
  1. Close the issue correctly in DevSecOps Bot

When remediation is complete:

  • Mark the issue as resolved (or equivalent workflow state)
  • Add a short note: where it was rotated and what replacement approach was used
  • If suppression is used:
    • document reason + scope + expiry (if supported)
    • confirm it is not a real credential

Copyright © 2026 Sttor