BluBracket Community Edition Debuts
February 10, 2021
In the wake of the SolarWinds breach, BluBracket shifts security left by
introducing the first tool to rank security risks and identify secrets early
in the software development cycle
BluBracket Community Edition is a free, robust and automated tool for finding
passwords, tokens and other security vulnerabilities in code. The
Community Edition uses a novel, ML-based method for assessing code risk
by assigning risk scores to secrets and to repositories, so companies can quickly
understand and act on security issues found in code.
“The recent SolarWinds hack was the largest breach in history, and many
reports say it began with a password left in code,” said Prakash Linga,
CEO, BluBracket. “Source code is quickly becoming the largest surface
area of attack being exploited by hackers. BluBracket is exclusively
focused on addressing the risks in your source code, and now is the
right time to make our Community Edition freely accessible so developers
and engineers have a robust and professional way to keep credentials out
of code.”
New Pre-Commit Tool Shifts Security Left, Helping Developers Prevent
Breaks in Their Builds and Keep Code Safe.
The BluBracket Community Edition “shifts security left” earlier in the
development process by giving developers a free, easily integrated tool
to help them keep credentials and secrets out of code. This is so
crucial in Git because once a credential is part of a Pull Request (PR),
even if that PR is rejected, it will stay in the repository history and can be
easily found by hackers. The pre-commit hook of the BluBracket Command
Line Interface (CLI) tool scans developer commits to determine whether any
new risks were introduced and, if so, blocks the staged files from
being committed. The CLI component of the Community Edition works with
developers’ CI/CD pipelines and any IDE that supports pre-commit hooks,
such as VS Code, JetBrains IntelliJ, and PyCharm.
The BluBracket Community Edition provides developers a Secrets Risk
Score which efficiently informs them of the risk of each secret in their
code. For instance, an active AWS token would receive the highest score,
rated for its potential impact on the business, whereas a password in a
test environment would be rated very low. The BluBracket tool is the
first of its kind to offer this type of ranking, which is integrated
into the developer and security ecosystem workflow.
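The mechanism described above (a pre-commit scan of staged files, a per-secret risk score that is down-weighted for test code, and a hash-based fingerprint so the same leaked value is reported once) can be illustrated with a small script. This is an added example written for this page, not BluBracket's CLI or rules engine; the detection patterns, the score weights, the "test path" heuristic, the block threshold and the `git` plumbing it calls are all assumptions made for the illustration.

```python
"""Minimal pre-commit secrets gate (example code, not BluBracket's tool).

Scans the staged version of each file for a handful of secret patterns,
scores each finding by secret type and by whether the file looks like test
code, de-duplicates findings by a SHA-256 fingerprint of the secret value,
and decides whether the commit should be blocked.
"""
import hashlib
import re
import subprocess
from dataclasses import dataclass

# Assumed detection rules: (rule name, compiled regex, base score 0-100).
# The AWS and GitHub formats are public; the weights are illustrative only.
RULES = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b"), 90),
    ("github_token", re.compile(r"\bghp_[A-Za-z0-9]{36}\b"), 85),
    ("private_key_block", re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"), 95),
    ("generic_password_assignment",
     re.compile(r"(?i)password\s*[=:]\s*['\"]([^'\"]{6,})['\"]"), 40),
]

# Assumed heuristic for "test environment": path segments or suffixes
# commonly used for tests and fixtures.
TEST_PATH_RE = re.compile(r"(^|/)(tests?|spec|fixtures?)/|_test\.|\.test\.", re.I)


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    rule: str
    score: int
    fingerprint: str  # SHA-256 of the secret, so reports never carry the raw value


def score_for(base: int, path: str) -> int:
    """Down-weight secrets found in test code; never score below 1."""
    return max(1, base // 4) if TEST_PATH_RE.search(path) else base


def scan_staged(files: dict) -> list:
    """files maps path -> staged text. Returns findings, highest score first."""
    seen = set()
    findings = []
    for path, text in files.items():
        for line_no, line in enumerate(text.splitlines(), 1):
            for name, rx, base in RULES:
                for m in rx.finditer(line):
                    secret = m.group(1) if m.groups() else m.group(0)
                    fp = hashlib.sha256(secret.encode()).hexdigest()
                    if fp in seen:  # same value already reported elsewhere
                        continue
                    seen.add(fp)
                    findings.append(Finding(path, line_no, name, score_for(base, path), fp))
    return sorted(findings, key=lambda f: f.score, reverse=True)


def repo_risk_score(findings: list) -> int:
    """Assumed aggregation: worst finding dominates, each extra adds 5, capped at 100."""
    if not findings:
        return 0
    return min(100, findings[0].score + 5 * (len(findings) - 1))


def should_block(findings: list, threshold: int = 50) -> bool:
    """Block the commit if any single finding reaches the threshold."""
    return any(f.score >= threshold for f in findings)


def staged_files_from_git() -> dict:
    """Read the staged (index) version of added/copied/modified files."""
    names = subprocess.run(
        ["git", "diff", "--cached", "--name-only", "--diff-filter=ACM"],
        check=True, capture_output=True, text=True).stdout.split()
    files = {}
    for name in names:
        blob = subprocess.run(["git", "show", f":{name}"],
                              check=True, capture_output=True).stdout
        files[name] = blob.decode("utf-8", errors="replace")
    return files


# Constructed sample input; the AWS key is the documented AWS example value.
SAMPLE_STAGED = {
    "src/config.py": 'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\nREGION = "us-east-1"\n',
    "tests/fixtures/db.py": 'password = "hunter2-not-real"\n',
    "README.md": "Example: AKIAIOSFODNN7EXAMPLE (same value, reported once)\n",
}

if __name__ == "__main__":
    # As a real hook: replace SAMPLE_STAGED with staged_files_from_git().
    found = scan_staged(SAMPLE_STAGED)
    for f in found:
        print(f"{f.score:3d} {f.rule:28s} {f.path}:{f.line_no} sha256={f.fingerprint[:12]}")
    print("repo risk score:", repo_risk_score(found))
    raise SystemExit(1 if should_block(found) else 0)
```

Installed as `.git/hooks/pre-commit`, the non-zero exit blocks the commit, which is the behaviour the press release attributes to the CLI hook. Two design points worth noting: the report carries only a hash of the secret, so a CI log or ticket created from it does not itself become a second leak; and the down-weighting is keyed on path, so moving a credential from a fixture into application code raises its score without any change to the rule.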
New Repo Risk Score Helps Security Engineers Prioritize Efficiently.
BluBracket has made it extremely simple for anyone to use the Community
Edition. Users simply connect to the BluBracket Community Edition
through GitHub, where the tool will begin scanning up to 10 repositories
and sharing reports in real time for more than 50 secret types in any
language. This scan will give them an instant Repo Risk Score which
estimates the impact of the type of credentials found in the code so
they can prioritize remediation and drill down into the contributions
responsible for the leakage.
BluBracket’s built-in rules engine also automatically reduces the number
of false positives that are present in so many other secrets-scanning
tools. For example, in a recent product comparison conducted by an early
access customer, BluBracket identified that more than 125,000 of the 126,500
“secrets” detected by a popular open source tool were false positives.
The reduction in false positives saves companies time and money, as it’s
labor intensive to maintain these open source tools and comb through the
false positives. It also protects companies from leakage by showing them
relative risk in an actionable format.
“BluBracket solves a critical need in mapping our distributed code base
to give us the visibility and control we need to be prepared,” said
Andrew Schmitt, application security lead at iHerb. “We had challenges
that just weren’t being addressed by other scanning tools we tried.
BluBracket was the first tool to automate secrets detection in our
Bitbucket environment and pinpoint risk quickly and efficiently.
BluBracket will also help us keep secrets out of our builds by enabling
our developers to shift security left via the BluBracket CLI tool.”
“Software supply chain security is perhaps the most pressing issue
facing the software industry today. BluBracket is an early mover and
innovator in addressing this unprecedented challenge that faces not just
the tech industry, but every industry,” said Jim Zemlin, executive
director at the Linux Foundation. “We’re using BluBracket’s tools to
identify secrets in Linux Foundation repos, which is allowing us to
find risks early and improve the security of our code bases.”
Additional features of the Community Edition beyond the CLI and risk scoring
include:
Enhanced security monitoring and alerting that continuously scans
repos;
Comprehensive APIs to integrate into existing CI pipelines, SIEM,
messaging, and ticketing solutions;
A robust rules engine to reduce the false positives which are so common in
other scanning point tools;
Unique hashes for secrets that eliminate duplicates; and
Automatic monitoring of the 50+ most common secret types in public or
private GitHub repositories.