| 1 | +--- |
| 2 | +title: Organizing remediation efforts for leaked secrets |
| 3 | +shortTitle: Organize leak remediation |
| 4 | +intro: 'Systematically organize and manage the remediation of leaked secrets using security campaigns and alert assignments.' |
| 5 | +permissions: 'Organization owners, security managers, and users with the **admin** role' |
| 6 | +allowTitleToDifferFromFilename: true |
| 7 | +versions: |
| 8 | + feature: security-campaigns |
| 9 | +topics: |
| 10 | + - Secret scanning |
| 11 | + - Secret Protection |
| 12 | + - Organizations |
| 13 | + - Security |
| 14 | +contentType: tutorials |
| 15 | +--- |
| 16 | + |
| 17 | +## Introduction |
| 18 | + |
| 19 | +In this tutorial, you'll organize remediation efforts for leaked secrets. You'll learn how to: |
| 20 | + |
| 21 | +* Create security campaigns to track remediation work |
| 22 | +* Assign alerts based on ownership |
| 23 | +* Monitor remediation progress |
| 24 | +* Communicate with stakeholders |
| 25 | + |
| 26 | +## Prerequisites |
| 27 | + |
| 28 | +* You must have both {% data variables.product.prodname_GH_secret_protection %} and {% data variables.product.prodname_secret_scanning %} enabled for your organization. See [AUTOTITLE](/code-security/securing-your-organization/understanding-your-organizations-exposure-to-leaked-secrets/protect-your-secrets). |
| 29 | +* You must have existing {% data variables.product.prodname_secret_scanning %} alerts available. |
| 30 | + |
| 31 | +## Step 1: Review your {% data variables.secret-scanning.alerts %} |
| 32 | + |
| 33 | +Before taking action, you need to understand the current state of your organization's security alerts. |
| 34 | + |
| 35 | +{% data reusables.organizations.navigate-to-org %} |
| 36 | +{% data reusables.organizations.security-overview %} |
| 37 | +1. In the left sidebar, under "Alerts", click the {% octicon "chevron-down" aria-hidden="true" aria-label="chevron-down" %} symbol to the right of **{% data variables.product.prodname_secret_scanning_caps %}**. |
| 38 | +1. In the dropdown list, select `Default`. `Default` relates to supported patterns and specified custom patterns. |
| 39 | +1. Alternatively, you can select `Generic` to review unstructured secrets like passwords. However, generic patterns typically produce more false positives than default patterns, so consider reviewing these alerts after addressing higher-priority leaks. |
| 40 | +1. Review the total number of open alerts and repositories affected. |
| 41 | +1. Use filters to identify the most urgent alerts and prioritize your remediation efforts. |
| 42 | + * To show leaks in **public** repositories, use `publicly-leaked`. |
| 43 | + * To show secret leaks found in **more than one repository** within the same organization or enterprise, use `is:multi-repository`. |
| 44 | + * To show secrets that are still **valid**, use `validity:active`. |
| 45 | + * To filter by specific **service** credentials (AWS, Azure, {% data variables.product.github %}), use `provider:`. |
| 46 | + * To filter by specific **token types**, use `secret-type:`. |
| 47 | + |
| 48 | +1. Optionally, in the sidebar under "Metrics," click **{% data variables.product.prodname_secret_scanning_caps %}** to see: |
| 49 | + * Secret types that have been blocked or bypassed most frequently |
| 50 | + * Repositories with the most blocked pushes or bypasses |
| 51 | + |
| 52 | +## Step 2: Create a security campaign |
| 53 | + |
| 54 | +You can set up a security campaign to organize and track your remediation work across repositories. |
| 55 | + |
| 56 | +1. Navigate to your organization and click **{% octicon "shield" aria-hidden="true" aria-label="shield" %} Security**. |
| 57 | +1. On the left panel, select **{% octicon "goal" aria-hidden="true" aria-label="goal" %} Campaigns**. |
| 58 | +1. Click **Create campaign {% octicon "triangle-down" aria-hidden="true" %}**, then either: |
| 59 | + * Select a pre-defined Secrets campaign template. |
| 60 | + * Use custom filters to target specific alerts (for example, `is:open provider:azure` or `is:open validity:active`). |
| 61 | +1. Review the alerts (maximum 1000) and adjust filters if needed. |
| 62 | +1. Click **Save as** and choose **Publish campaign**. |
| 63 | +1. Fill out your campaign information, then click **Publish campaign**. |
| 64 | + |
| 65 | +## Step 3: Assign alerts to team members |
| 66 | + |
| 67 | +After creating your campaign, you'll want to assign individual alerts to the developers responsible for fixing them. |
| 68 | + |
| 69 | +1. On your campaign page, click {% octicon "chevron-right" aria-label="Toggle to expand or collapse the repository view" aria-hidden="true" %} to expand a repository and view its alerts. |
| 70 | +1. Click an alert to open its details page. |
| 71 | +1. In the right sidebar, click **Assignees**. |
| 72 | +1. Select a developer you want to fix the alert. Typically, this is the person who committed the secret or the repository administrator where the leak is detected. They must have write access. |
| 73 | + |
| 74 | +## Step 4: Monitor remediation progress |
| 75 | + |
| 76 | +Once alerts are assigned, you need to regularly track your campaign's progress to ensure timely completion. |
| 77 | + |
| 78 | +1. On your campaign page, review the campaign summary. You'll see: |
| 79 | + * **Campaign progress**: How many alerts are closed (fixed or dismissed) or still left to review |
| 80 | + * **Status**: How many days until the campaign's due date |
| 81 | +1. You can explore campaign details: |
| 82 | + * Expand any repository to see its progress in alert remediation. |
| 83 | + * Set **Group by** to **None** to show a list of all alerts. |
| 84 | + * Use filters to focus on specific repositories or alerts. |
| 85 | +1. Identify areas needing attention based on repositories with the most open alerts or no recent progress, then reach out to support those repository maintainers or assignees. |
| 86 | + |
| 87 | +## Step 5: Communicate with stakeholders |
| 88 | + |
| 89 | +Throughout the remediation process, you should keep stakeholders informed with regular progress updates. You can use information from your campaign dashboard to help you generate these updates. |
| 90 | + |
| 91 | +1. Navigate to the campaign dashboard. |
| 92 | +1. Identify the information you want to include in your reports. Consider these key metrics: |
| 93 | + * Alerts resolved this week |
| 94 | + * Remaining open alerts |
| 95 | + * On-track vs. at-risk items |
| 96 | + * Notable achievements or blockers |
| 97 | +1. Incorporate the metrics into your update, then distribute via email, Slack, Teams, or security meetings. |
| 98 | + |
| 99 | +## Step 6: Document remediation procedures |
| 100 | + |
| 101 | +Finally, you should create standardized procedures to make future remediation efforts more efficient. |
| 102 | + |
| 103 | +1. Develop secret-type-specific guides. For example: |
| 104 | + * **AWS credentials**: How to rotate access keys and update services |
| 105 | + * **{% data variables.product.github %} tokens**: How to revoke and regenerate {% data variables.product.pat_generic_title_case_plural %} |
| 106 | + * **API keys**: Service-specific rotation procedures |
| 107 | + * **Database credentials**: Safe rotation without service disruption |
| 108 | +1. Create a remediation checklist. |
| 109 | + 1. Verify the secret is actually leaked. |
| 110 | + 1. Determine if the secret is still active. |
| 111 | + 1. Revoke or rotate the compromised secret. |
| 112 | + 1. Update all systems using the old secret. |
| 113 | + 1. Test that systems function with new credentials. |
| 114 | + 1. Document the incident and remediation steps. |
| 115 | + 1. Mark the alert as resolved. |
| 116 | +1. Establish escalation paths. |
| 117 | + * Define when to escalate to security leadership. |
| 118 | + * Identify subject matter experts for different secret types. |
| 119 | + * Create incident response procedures for critical leaks. |
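Review bot: the filter on line 42 of the hunk, `publicly-leaked`, is missing its qualifier and is inconsistent with every other filter in the same list (`is:multi-repository`, `validity:active`, `provider:`, `secret-type:`) and with the campaign examples on line 60 (`is:open provider:azure`, `is:open validity:active`), all of which use the `qualifier:value` form; it should read `is:publicly-leaked`, otherwise a reader who pastes it gets a free-text search rather than the public-leak filter. Second, the remediation checklist on lines 109-115 revokes or rotates the secret (111) before updating the systems that use it (112), which takes down every consumer of a credential that cannot be dual-issued and contradicts the "Safe rotation without service disruption" goal on line 107; reorder to issue the new credential, update and test consumers, then revoke the old one. Lines 109-110 should also state that a non-active validity result or an unconfirmed leak is a prioritization signal, not a reason to skip rotation: any secret that has appeared in a commit should be treated as compromised, and the checklist as written reads as if step 111 is conditional on 109-110.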