Original Post: Finding and fixing exposed hardcoded secrets in your GitHub project with Snyk
This blog post discusses using Snyk and Doppler to manage and fix hardcoded secrets in projects. It specifically demonstrates the process using the open-source Snyk goof project, a Node.js application filled with vulnerabilities. Here’s a summarized workflow:
Setup:
- Fork the Snyk goof project.
- Create a Snyk account and link it to your GitHub account.
- Enable Snyk to scan your projects and generate Fix Pull Requests.
Initial Analysis:
- Add the goof project to your Snyk account.
- Snyk will create a dependency graph and compare it to its vulnerability database to generate a report.
Identifying Hardcoded Secrets:
- Use Snyk’s code analysis to find hardcoded credentials and secrets.
Refactoring Secrets to Doppler:
- Clone the goof project.
- Replace hardcoded secrets with environment variables managed by Doppler.
- Create a Doppler account and a new project for goof.
- Add the secrets to Doppler and replace the hardcoded values in the code with environment variables, using the Doppler CLI to manage them securely.
Final Integration:
- Configure the Doppler CLI in the project directory.
- Use `doppler run` to inject secrets into the application’s environment at runtime.
Conclusion:
- Integrating Snyk and Doppler improves security and efficiency in development workflows.
- Scheduling demos for Snyk and Doppler can further enhance understanding and utilization.
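The refactor described in the last two steps, as an added Node.js example that is not code from the goof project or the blog post: a small config loader that replaces a committed credential with values read from the environment `doppler run` populates, fails fast when one is missing, and never logs secret values. The variable names MONGODB_URL and SESSION_SECRET and the placeholder connection string are assumptions, not values from the page.

```javascript
// Added example, not code from the goof project or the blog post.
// BEFORE: the pattern Snyk Code flags. The credential is a constructed
// placeholder committed with the source, which is exactly the problem.
const HARDCODED_BEFORE = {
  mongoUrl: 'mongodb://app:PLACEHOLDER_PASSWORD@db.example.internal:27017/goof',
};

// AFTER: the names of the secrets the app needs (assumed names, not from the page).
// Their values come from the environment that `doppler run -- node app.js` populates.
const REQUIRED_SECRETS = ['MONGODB_URL', 'SESSION_SECRET'];

// Read the required secrets from `env`; `env` is a parameter so a constructed
// object can be passed in tests. Fails fast and names only the missing variables,
// never any values, so the error message is safe to log.
function loadSecrets(env = process.env, required = REQUIRED_SECRETS) {
  const missing = required.filter(
    (name) => typeof env[name] !== 'string' || env[name].trim() === ''
  );
  if (missing.length > 0) {
    throw new Error(`Missing required secrets: ${missing.join(', ')}`);
  }
  const secrets = {};
  for (const name of required) secrets[name] = env[name];
  // Frozen so later code cannot silently put a literal back in place of a secret.
  return Object.freeze(secrets);
}

// Safe view for start-up logging: which secrets are present, never what they are.
function redactedView(secrets) {
  return Object.fromEntries(Object.keys(secrets).map((k) => [k, '[REDACTED]']));
}

// Stand-alone demo: without `doppler run` (or the variables exported) this
// reports the missing names; with it, the app would go on to use `secrets`.
try {
  const secrets = loadSecrets();
  console.log('secrets loaded:', redactedView(secrets));
} catch (err) {
  console.error(err.message);
}
```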
The blog emphasizes the seamless integration of Snyk and Doppler to manage and secure development projects effectively.