Imagine a scenario where a company creates and sells some software that requires secrets to function. Suppose the program needs to interact with an external database using valid database credentials - so what does it do?
- Run the software using a service account (OK)
- Retrieve the credentials from a secure vault using the service account identity (OK)
- Pass the credentials as a command-line argument to another running process (NOT OK)
This is just an example (which has definitely never happened before /s), and secrets occurring in process arguments can also be caused by human error. This small project was created for security professionals to audit the processes running on their machines and identify secrets-management errors.
- Capture a list of running processes (pid, ppid, and cmdline)
- Search the captured list of processes for secrets (every 5 seconds)
- Determine the process tree for any detected secrets
- Repeat
List of enabled detections here.
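The capture, scan and process-tree steps above, as an added Python example (not the project's own code): it reads (pid, ppid, cmdline) from /proc, scans each cmdline, walks ppid links up to the root and repeats every 5 seconds. The JWT regex, the key=value pattern and the /proc parsing are assumptions of this example, not this project's detections.

```python
import os
import re
import time

# Structural JWT match: three base64url segments; "eyJ" is the base64 of '{"'.
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")
# Assumed generic pattern for secret-looking key=value arguments.
KV_RE = re.compile(r"(?i)\b(?:password|passwd|secret|api[_-]?key|token)=(\S+)")

def snapshot_procfs():
    """Capture (pid, ppid, cmdline) for every process by reading /proc (Linux only)."""
    procs = []
    for entry in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{entry}/cmdline", "rb") as c, open(f"/proc/{entry}/stat") as s:
                cmdline = c.read().replace(b"\0", b" ").decode(errors="replace").strip()
                # ppid follows the state field; split on ")" because comm may contain spaces
                ppid = int(s.read().rsplit(")", 1)[1].split()[1])
        except OSError:
            continue  # the process exited between listdir() and the read
        procs.append((int(entry), ppid, cmdline))
    return procs

def find_secrets(procs):
    """Return (pid, type, value) for each secret-like token found in a cmdline."""
    hits = []
    for pid, _ppid, cmdline in procs:
        hits += [(pid, "JSON Web Token", m.group(0)) for m in JWT_RE.finditer(cmdline)]
        hits += [(pid, "Key/value secret", m.group(1)) for m in KV_RE.finditer(cmdline)]
    return hits

def process_tree(procs, pid):
    """Follow ppid links from pid up to the root; rows are returned root-first."""
    by_pid = {p: (pp, c) for p, pp, c in procs}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)  # guard against ppid cycles in a stale snapshot
        chain.append((pid,) + by_pid[pid])
        pid = by_pid[pid][0]
    return chain[::-1]

def watch(interval=5):
    """Snapshot, scan, print the process tree for every hit, sleep, repeat."""
    while True:
        procs = snapshot_procfs()
        for pid, kind, _value in find_secrets(procs):
            print(f"[+] Found a secret! (Type={kind})\nPID PPID CMDLINE")
            for row in process_tree(procs, pid):
                print("%d %d %s" % row)
        time.sleep(interval)
```

Call `watch()` on a Linux host to start the loop; `find_secrets` and `process_tree` accept any list of (pid, ppid, cmdline) tuples, so the scan logic can also be exercised on a saved snapshot.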
For a basic proof of concept, run the following command:
ping 127.0.0.1 | grep 'auth=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0.KMUFsIDTnFmyG3nMiGM6H9FNFUROf3wh7SmqJp-QV30
In practice this could just as easily be a legitimate curl command passing a JWT in an -H header value.
$ python cmdline_secrets.py
[06:56:54] [~] Watching processes for secrets (Ctrl+C to exit)...
[06:56:59] [+] Found a secret! (Type=JSON Web Token, Verified=False)
[06:56:59] [+] Process tree for detected secret:
PID PPID CMDLINE
1700 1699 -zsh
5230 1700 grep --color=auto --exclude-dir=.bzr --exclude-dir=CVS --exclude-dir=.git --exclude-dir=.hg --exclude-dir=.svn --exclude-dir=.idea --exclude-dir=.tox --exclude-dir=.venv --exclude-dir=venv auth=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0.KMUFsIDTnFmyG3nMiGM6H9FNFUROf3wh7SmqJp-QV30
You may not want to run this project as a Python script on certain hosts; in that case you can build it into a single executable with something like pyinstaller:
pip install -r requirements.txt
pip install pyinstaller
pyinstaller --onefile cmdline_secrets.py
- CVE-2025-48709 and The Forgotten Half of Secrets Management by Derrick Polakoff for the inspiration.
- Yelp/detect-secrets for the clean and simple secrets detection library.