Identification of hard-coded secrets in GitHub through NLP-based scanners

The exposure of hard-coded credentials inside source code is listed as one of the most dangerous vulnerabilities, due to the possibility for an attacker to gain unauthorized access to internal and external services. The automatic identification of secrets inside public and private repositories still represents a challenging problem to tackle, due to the different nature of credentials and snippets and the lack of specific and reliable benchmark datasets. Previous works have focused on the use of regular expressions and entropy-based approaches for the discovery of a limited number and specific structured strings with distinct formats such as API Keys, but ignoring unstructured credentials such as passwords. We propose, with this work, an NLP-based solution to identify structured and unstructured hard-coded credentials in source code for various programming languages. Our proposed solution can identify credentials by classifying the context, extracting, and checking the authenticity of the retrieved credential. The task of classification is performed through the use of large pre-trained language models, fine-tuned on two specific tasks of classification of the context of the snippet and the credential. The extraction of the credential instead is performed through query-based matching with the corresponding snippet's \textit{Abstract Syntax Tree} The proposed solution achieves SOTA performances on a set of handcrafted datasets, gained from GitHub. To encourage the development of new solutions, we will publish two datasets containing labeled snippets of code and credentials which reflect the GitHub domain.