Introducing Secrets Controller!

Environment variables are not all equal. Some are used for database passwords and others are used for things like enabling dark mode - both are important but not the same in terms of sensitivity.

Today, we’re excited to launch Netlify Secrets Controller! :tada: This feature set is designed to help you proactively protect and manage environment variable values as secrets.

While all environment variables are encrypted in our database and securely transferred, Secrets Controller goes further to protect your most sensitive environment variables. With Secrets Controller, you can explicitly mark which environment variables contain secret values. After doing so, Netlify enforces a strict policy on how those values can be accessed and which features can use them. The gist is, only your code running on Netlify’s systems will have access to the raw, unmasked values - everywhere else will only have access to unreadable, masked values.

We didn’t stop there! With Secrets Controller, you automatically get secrets scanning during your Netlify build process! :tada: :tada: This is a massive win for proactively protecting your secrets!

With secrets scanning, Netlify searches the code imported from your repo AND your build output to find any secrets that might have been accidentally committed or injected directly into your build artifacts. The sophisticated scanner will look for different permutations of these values - including scanning for multi-line values! If it finds any secrets, it will fail the build and alert the developer to the location of the secrets - preventing these values from being exposed publicly or accessible to members of your Netlify team.

Exposing secrets only takes 1 line of code in so many cases. :scream: With this, it’s incredibly important to ensure you’re catching these issues and keeping your business and end-users safe.

Secrets Controller is a big win for defense-in-depth and keeping your business and users safe.

Start using it today! Visit your site/team’s environment variables page and mark the variables that contain secrets. That’s it! You can also use the CLI or API to mark which environment variables contain secrets.

Secrets Controller is available for our Enterprise and Open Source plans.


Just to clarify, this means that without the Enterprise plan, Netlify’s environment variables are not safe to store passwords or API keys, that’s correct?

Hey @Nathx! Thanks for reaching out for clarity here. Netlify provides pre-storage encryption of all environment variables in addition to encryption at rest for the DB itself. Sensitive keys/passwords have always been and continue to be safe to store on Netlify.

Netlify Secrets Controller adds 2 core features on top of this foundational layer for stricter access control and proactive code scanning. Stricter access control becomes necessary as you have larger teams and the greater compliance requirements of enterprise offerings. Smaller teams may simply manage access controls more granularly - such as team-level vs site-level env var scopes, which have different permissions/access.

In addition, these larger teams tend to have too many contributions to ensure all code changes get a close eye, and the system at large becomes too complex for all engineers to have full context of what they might inadvertently be doing. Code scanning is there to provide proactive protection and peace of mind to these larger dev teams, allowing them to continue shipping at velocities similar to smaller teams, which already have confidence due to a greater ability to review closely and more engineers having deeper context. So these features were targeted at aiding larger teams and businesses with more compliance requirements to be more successful, in addition to what the multi-layer secured storage provides to all customers.


Is it possible to include wildcards in SECRETS_SCAN_OMIT_PATHS variable such as folder/**/safe-file.json ?

Hi @burakslt,

Unfortunately, at the moment that’s not possible. However, I’ve filed an issue for the devs to add this feature in the future.

Thanks for the clarification and adding a feature request.

This should now be supported! Docs have been updated as well!