Two of the most common suppression scenarios are detailed below:

1.

Suppress all occurrences of a given secret within the specified path The hash key of the secret from the CredScan output file is required as shown in the sample below { "tool": "Credential Scanner", "suppressions": [ { "hash": "CLgYxl2FcQE8XZgha9/UbKLTkJkUh3Vakkxh2CAdhtY=", "_justification": "Secret used by MSDN sample, it is fake." } ] } Warning: The hash key is generated by a portion of the matching value or file content. Any source code revision could change the hash key and disable the suppression rule.

2.

To suppress all secrets in a specified file (or to suppress the secrets file itself) The file expression could be a file name or any postfix portion of the full file path/name. Wildcards are not supported. Example File to be suppressed: [InputPath]\src\JS\lib\angular.js Valid Suppression Rules: [InputPath]\src\JS\lib\angular.js -- suppress the file in the specified path \src\JS\lib\angular.js \JS\lib\angular.js \lib\angular.js angular.js -- suppress any file with the same name { "tool": "Credential Scanner", "suppressions": [ { "file": "\\files\\AdditonalSearcher.xml", "_justification": "Additional CredScan searcher specific to my team" }, { "file": "\\files\\unittest.pfx", "_justification": "Legitimate UT certificate file with private key" } ] } Warning: All future secrets added to the file will also get suppressed automatically.

While detecting hard coded secrets in a timely manner and mitigating the risks is helpful, it is even better if one could prevent secrets from getting checked in altogether. In this regard, Microsoft has released CredScan Code Analyzer as part of Microsoft DevLabs extension for Visual Studio. While in early preview, it provides developers an inline experience for detecting potential secrets in their code, giving them the opportunity to fix those issues in real-time. For more information, please refer to this blog on Managing Secrets Securely in the Cloud.
Below are few additional resources to help you manage secrets and access sensitive information from within your applications in a secure manner:

• Azure Key Vault
• Azure Active Directory
• Azure AD Managed Service Identity
• Managed Service Identity (MSI) for Azure resources
• Azure Managed Service Identity
• AppAuthentication Library

CredScan relies on a set of content searchers commonly defined in the buildsearchers.xml file. The file contains an array of XML serialized objects that represent a ContentSearcher object. The program is distributed with a set of searchers that have been well tested but it does allow you to implement your own custom searchers too.

A content searcher is defined as follows:

• Name – The descriptive searcher name to be used in CredScan output file. It is recommended to use camel case naming convention for searcher names.
• RuleId – The stable opaque id of the searcher.
  • CredScan default searchers are assigned with RuleIds like CSCAN0010, CSCAN0020, CSCAN0030, etc. The last digit is reserved for potential searcher regex group merging or division.
  • RuleId for customized searchers should have its own namespace in the format of: CSCAN-{Namespace}0010, CSCAN-{Namespace}0020, CSCAN-{Namespace}0030, etc.
  • The fully qualified searcher name is the combination of the RuleId and the searcher name, e.g. CSCAN0010.KeyStoreFiles, CSCAN0020.Base64EncodedCertificate, etc.
• ResourceMatchPattern – Regex of file extensions to check against searcher
• ContentSearchPatterns – Array of strings containing Regex statements to match. If no search patterns are defined, all files matching the resource match pattern will be returned.
• ContentSearchFilters – Array of strings containing Regex statements to filter searcher specific false positives.
• Matchdetails – A descriptive message and/or mitigation instructions to be added for each match of the searcher.
• Recommendation – Provides the suggestions field content for a match using PREfast report format.
• Severity – An integer to reflect the severity of the issue (Highest = 1).