Introducing Secrets Controller!

SeanRoberts · July 10, 2023, 3:37pm

Environment variables are not all equal. Some are used for database passwords and others are used for things like enabling dark mode - both are important but not the same in terms of sensitivity.

Today, we’re excited to launch Netlify Secrets Controller! This feature set is designed to help you proactively protect and manage environment variable values as secrets.

While all environment variables are encrypted in our database and securely transferred, Secrets Controller goes further to protect your most sensitive environment variables. With Secrets Controller, you can explicitly mark which environment variables contain secret values. After doing so, Netlify enforces a strict policy on how those values can be accessed and features that can use them. The gist is, only your code running on Netlify’s systems will have access to the raw, unmasked values - everywhere else will only have access to unreadable, masked values.

We didn’t stop there! With Secrets Controller, you automatically get secrets scanning during your Netlify build process! This is a massive win for proactively protecting your secrets!

With secrets scanning, Netlify searches the code imported from your repo AND your build output to find any secrets that might have been accidentally committed or injected directly into your build artifacts. The sophisticated scanner will look for different permutations of these values - including scanning for multi-line values! If it finds any secrets, it will fail the build and alert the developer to the location of the secrets - preventing these values from being exposed publicly or accessible to members of your Netlify team.

Exposing secrets only takes 1 line of code in so many cases. With this, it’s incredibly important to ensure you’re catching these issues and keeping your business and end-users safe.

Secrets Controller is a big win for defense-in-depth and keeping your business and users safe.

Start using it today! Visit your site/team’s environment variables page and mark the variables that contain secrets. That’s it! You can also use the CLI or API to mark which environment variables contain secrets.

Secrets Controller is available for our Enterprise and Open Source Plans

Nathx · August 18, 2023, 9:38am

Just to clarify, this means that without the Enterprise plan, Netlify’s environment variables are not safe to store passwords or API keys, that’s correct?

SeanRoberts · August 18, 2023, 2:04pm

Hey @Nathx! Thanks for reaching out for clarity here. Netlify provides pre-storage encryption of all environment variables in addition to encryption at rest for the DB itself. Sensitive keys/passwords have always been and continue to be safe to store on Netlify.

Netlify Secrets Controller adds 2 core features on top of this foundational layer for stricter access control and proactive code scanning. Stricter access control becomes necessary as you have larger teams and more compliance requirements of enterprise offerings. Smaller teams may simply manage access controls more granularly - such as team level vs site level env vars scopes which have different permissions/access.

In addition, these larger teams tend to have too many contributions to ensure all code changes get a close eye and the system at large becomes too complex for all engineers to have full context of what they might inadvertently be doing. Code scanning is to help provide proactive protection for peace of mind to these larger dev teams, allowing them to continue shipping at velocities similar to smaller teams that already have confidence due to more ability to review more closely and more engineers have deeper context. So these features were targeted at aiding larger teams and businesses with more compliance requirements to be more successful in addition the multi-layer secured storage provides to all customers.

burakslt · April 17, 2024, 8:33am

Is it possible to include wildcards in SECRETS_SCAN_OMIT_PATHS variable such as folder/**/safe-file.json ?

hrishikesh · April 17, 2024, 1:29pm

Hi @burakslt,

Unfortunately, at the moment that’s not possible. However, I’ve file an issue for the devs to add this feature in the future.

burakslt · April 17, 2024, 1:48pm

Thanks for the clarification and adding a feature request.

hrishikesh · April 17, 2024, 5:55pm

This should now be supported! Docs have been updated as well!

Topic		Replies	Views
Netlify Env Secrets Support environment-vars	1	331	July 16, 2023
Security of netlify.toml contents Features security	14	2191	December 22, 2020
Environment variables in Netlify UI Support environment-vars , nextjs	1	436	December 29, 2022
Why is my env key showing on the source page on Netlify Support environment-vars	6	541	September 25, 2023
Saving Environment Variable from Netlify Function Opentalk lambda-functions , environment-vars	7	915	March 8, 2021

Introducing Secrets Controller!

Related topics