Ruby on Rails Secret Credentials
Detects secret credentials embedded in Ruby on Rails configuration files: secret_token/secret_key_base assignments (config/initializers/secret_token.rb, config/secrets.yml), database passwords (config/database.yml), and Chef knife client keys (knife.rb). These files are frequently committed to source control and expose application secrets and infrastructure access. Mirrors Snaffler rule KeepRubyByName.
- Type: regex
- Engine: boost_regex
- Confidence: medium
- Confidence justification: Medium confidence: secret_token and secret_key_base are Rails-specific field names with highly constrained hex values, making false positives rare. The database.yml password form is intentionally generic and depends on evidence gating (adapter, production block) for precision. knife.rb client_key is specific to Chef tooling. Combined, the pattern family covers the majority of Rails-stack secrets found in source repositories.
- Jurisdictions: global
- Regulations: GDPR, Criminal Code Act 1995 (Cth)
- Frameworks: CIS Controls, ISO 27001, NIST CSF, PCI-DSS, SOC 2
- Data categories: credentials, security, application-secrets
- Scope: specific
- Risk rating: 9
- Platform compatibility: Purview: Compatible, GCP DLP: Compatible, Macie: Compatible, Zscaler: Compatible, Palo Alto: Compatible, Netskope: Unsupported
Pattern
secret_(?:token|key_base)\s*=\s*['"][a-f0-9]{30,}
Corroborative evidence keywords
production, adapter, secret_key_base, Rails.application, database.yml, secret_token, knife.rb, api key, api_key, apikey, access key, access token, auth token, authorization, bearer, conn str, connection string, connectionstring, cookie, credential (+40 more)
Proximity: 300 characters
Should match
- Rails.application.config.secret_token = 'a3f1b2c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1' (Rails 3.x secret_token initializer with 64-char hex value)
- secret_key_base = 'b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3' (Rails 4+ secret_key_base YAML assignment with 64-char hex value)
- production: adapter: postgresql database: myapp_prod password: Sup3rS3cr3tProd (database.yml production block with password field)
- client_key = '/etc/chef/client.pem' client_key = 'knife_client_secret_key_value' (knife.rb client_key assignment)
- secret_key_base: 'deadbeef1234567890abcdef1234567890abcdef1234567890abcdef12345678' (secrets.yml secret_key_base with spaces and colon syntax)
- password: "S3cr3tDbPass!" (database.yml password field with double-quoted value, common YAML style)
Should not match
- # secret_key_base is configured in config/secrets.yml (comment referencing secret_key_base with no assignment)
- production: adapter: postgresql database: myapp_prod # password: (database.yml production block with commented-out empty password)
- Your secret_token should be kept private and never committed to source control. (documentation prose about secret_token with no credential assignment)
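The following is an added example, not part of this rule page or the Snaffler rule it mirrors: it applies the published secret_token/secret_key_base regex to constructed samples modelled on the cases above and reports which corroborative keywords fall within the page's 300-character proximity window. The keyword list is a subset of the page's list, and the database.yml password and knife.rb client_key forms are not reproduced because their regexes are not printed on the page.

```python
import re

# The primary pattern exactly as published on this page. The database.yml
# password and knife.rb client_key forms are described in prose but their
# regexes are not printed, so they are deliberately not reproduced here.
SECRET_RE = re.compile(r"""secret_(?:token|key_base)\s*=\s*['"][a-f0-9]{30,}""")

# Subset of the page's corroborative evidence keywords (the page lists ~60).
EVIDENCE = ("production", "adapter", "secret_key_base", "Rails.application",
            "database.yml", "secret_token", "knife.rb", "api_key", "credential")
PROXIMITY = 300  # characters on either side of a hit, as specified on the page


def scan(text):
    """Return [(matched_text, [evidence keywords found near it]), ...].

    Evidence is searched case-insensitively within PROXIMITY characters of
    the hit, with the hit itself excluded so the field name inside the match
    cannot corroborate its own finding. Tier assignment from the evidence
    list is left to the DLP engine's own gating.
    """
    findings = []
    for m in SECRET_RE.finditer(text):
        start = max(0, m.start() - PROXIMITY)
        context = (text[start:m.start()] + text[m.end():m.end() + PROXIMITY]).lower()
        evidence = [k for k in EVIDENCE if k.lower() in context]
        findings.append((m.group(0), evidence))
    return findings


# Constructed samples modelled on the page's should-match / should-not-match cases.
INITIALIZER = (
    "Rails.application.config.secret_token = "
    "'a3f1b2c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1'\n"
)
BARE_ASSIGNMENT = (
    "secret_key_base = "
    "'b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3'\n"
)
COMMENT_ONLY = "# secret_key_base is configured in config/secrets.yml\n"
PLACEHOLDER = "secret_key_base = 'changeme'\n"  # not 30+ hex chars: no hit

if __name__ == "__main__":
    for name, sample in [("initializer", INITIALIZER), ("bare", BARE_ASSIGNMENT),
                         ("comment", COMMENT_ONLY), ("placeholder", PLACEHOLDER)]:
        print(name, scan(sample))
```

The bare assignment hits the regex but carries no nearby evidence, which is the case the tier gating in the known-false-positives section is meant to demote; the placeholder value shows the hex character class rejecting non-hex or short strings.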
Known false positives
- Example Rails secret_token values in tutorials, READMEs, and documentation that use synthetic 64-char hex strings as illustrations. Mitigation: Gate at tier 75 on production/adapter evidence to require database.yml context; secret_token/key_base form is self-constraining via hex character class.
- database.yml password field in development or test environments which may use weak or placeholder passwords (password, secret, etc.). Mitigation: The pattern captures these as well — treat as a hygiene finding even for non-production blocks. Increase tier requirement for high-risk escalation to 85+ with production evidence.
- knife.rb client_key pointing to a file path rather than an inline secret. Mitigation: Path values typically contain slashes — the pattern minimum of 1 character captures paths too. Gate on Chef-context evidence.