Introducing Sonar Secrets

SonarQube™ plugin for identifying hardcoded secrets, such as passwords, API keys and AWS credentials.

Introduction

Skyscanner’s continuous integration and delivery (CI/CD) pipeline is built to support tens of thousands deployments per day. The frequency of production deployments cannot come at the expense of security, security processes also need to become integrated with the CI/CD pipeline. That is why we added continuous security validation at each step of the pipeline, from development to production, to help ensure our applications are always secure.

As part of the pipeline we began using SonarQube for code quality purposes, this validation happens before the developer commits his or her code as SonarQube is integrated in the developer’s IDE. We decided we could leverage SonarQube further by also checking for vulnerable coding patterns. During this process we identified great existing plugins like Findsecbugs for Java, but we also noticed the lack of static code analysis plugins for Python and Node.js. We decided to write the missing plugins in order to achieve full coverage of our standard main languages (Python, Java and Node.js). We started with Sonar Secrets to provide early feedback to developers, alerting them of security risks associated with using hardcoded credentials. Providing developers with feedback early on allowed us to shift our security controls to the left, enabling developers to meet our internally-defined Security Standards before production code goes live.

Sonar Secrets

Sonar Secrets plugin for SonarQube™ https://github.com/Skyscanner/sonar-secrets — is built by Skyscanner Product Security Squad and is designed to identify hardcoded secrets such as passwords, API tokens, AWS credentials, and others. Installation and usage instructions are on Github!

Example of Github integration:

Example of SonarLint integrated in the IDE to provide the feedback as earliest as possible:

To protect our users, partners and employees, our services are designed to use encrypted keystores to guard all relevant sensitive data. Developers can then use symbolic identifiers to refer to this data in code without having to hardcode the value.

Sonar Secrets helps us to maintain proactive in detecting and preventing sensitive data leaks in our code. We have decided to Open Source this project so that the community can benefit from this technology and help improving it. The plugin is completely customizable and extensible with new rules.

This first release supports Java and Javascript projects, Python plugin is coming next.

What’s next?

Looking forward, we have plans to release more security tools we are using at Skyscanner. Stay tuned!

SEE the world with us

Many of our employees have had the opportunity to take advantage of our Skyscanner Employee Experience (SEE) — a self-funded, self-organized programme to work up to 30 days during a 24 month period, in some of our 10 global offices. There is also the opportunity to work for 15 days per year from their home country, if an employee is based in an office outside of the country they call home.

Like the sound of this? Look at our current Skyscanner Product Engineering job roles.

We’re hiring!

About the authors

Our names are Artem Tsvetkov and Christian Martorella, we are part of the Product Security team, we are both based in Barcelona. We look at the security of our platform, Software Development Lifecycle, Security Engineering and Automation and protecting our users.