A security analyst reviews a web application and discovers account credentials stored directly in the source files. The developer claims there is no concern because the repository is restricted. Which measure best addresses the exposure?
Split the encoded credentials into multiple locations so they appear more hidden
Encrypt the credentials in the code with a static key
Purge commit history and use environment variables instead of storing account details in the code
Move the credentials to a separate file on the same source repository
The credentials must be removed from the source files and from every historical commit that contains them. Sensitive data belongs outside the tracked repository, for example in environment variables read at runtime. Deleting or rewriting the old commits and switching to environment variables ensures the credentials are no longer published anywhere in the source history. Methods such as static-key encryption and obfuscation only make the strings harder to spot; they do not address the fundamental problem that sensitive data was committed and can still be retrieved from past commits (and, for static-key encryption, the key itself sits in the same code). Moving the credentials to a separate file in the same repository leaves the underlying exposure unchanged, since that file is tracked and visible to anyone with repository access.