According to the Orca Research Pod, attackers routinely scan public code repositories for secrets and can discover and exploit them in as little as two minutes. This threat isn’t limited to plaintext credentials. Even secrets that are obfuscated, particularly those encoded in Base64, are frequently exposed and targeted.

While Base64 is not a form of encryption, it is often used to encode sensitive values for convenience or system compatibility. This practice can inadvertently create a false sense of security if those values are committed to code repositories without proper safeguards.

To help close this critical detection gap, Orca has enhanced its Application Security (AppSec) capabilities with advanced support for Base64-encoded secrets. By surfacing Base64-encoded secrets that traditionally evade detection, this enhancement addresses a major blind spot in code security.

Orca’s approach is both broad and deep, offering detection capabilities that span a wide spectrum of encoded secrets in source code with high accuracy.

What are Base64-encoded secrets?

Base64-encoded secrets are sensitive values such as API keys or credentials, encoded into a text-safe format to ensure compatibility with systems that cannot handle binary data or special characters.

This approach is common in cloud-native environments; for example, Kubernetes stores secret values in Base64 by default. However, Base64 provides no security since it is a reversible encoding, not encryption. If exposed, these secrets can be easily decoded, making their detection and protection critical in secure development practices.
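As an added illustration of the gap described above (example code written for this page, not Orca's scanner or its secret catalogue): a small Python scanner that reports secrets both in plaintext and inside Base64 runs, by decoding each candidate run and matching the decoded text against well-known key prefixes. The four secret patterns, the Base64-run heuristic and the sample Kubernetes manifest with fake key values are all assumptions constructed for this example.

```python
import base64
import re

# Plaintext secret formats this example recognises (well-known public
# prefixes; an illustrative subset, not Orca's 100+ secret types).
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"AKIA[0-9A-Z]{16}"),
    "github_pat": re.compile(r"ghp_[A-Za-z0-9]{36}"),
    "slack_token": re.compile(r"xox[abp]-[0-9A-Za-z-]{10,}"),
    "stripe_live_key": re.compile(r"sk_live_[0-9a-zA-Z]{24}"),
}

# A run of Base64 alphabet long enough to hold an encoded secret.
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")


def decode_base64_candidate(token: str):
    """Return printable ASCII decoded from a Base64-looking token, else None."""
    padded = token + "=" * (-len(token) % 4)  # restore stripped '=' padding
    try:
        text = base64.b64decode(padded, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    return text if text.isprintable() else None


def find_secrets(text: str):
    """Return (secret_type, encoding, value) for plaintext and Base64 hits."""
    findings = []
    for name, pattern in SECRET_PATTERNS.items():
        for m in pattern.finditer(text):
            findings.append((name, "plain", m.group(0)))
    for m in BASE64_RUN.finditer(text):
        decoded = decode_base64_candidate(m.group(0))
        if decoded is None:
            continue  # not valid Base64, or binary data rather than a secret
        for name, pattern in SECRET_PATTERNS.items():
            for hit in pattern.finditer(decoded):
                findings.append((name, "base64", hit.group(0)))
    return findings


# Constructed sample input: a Kubernetes Secret manifest carrying a fake AWS
# key in its Base64 'data' field, followed by a source line with a fake
# plaintext Slack token. Neither value is a real credential.
FAKE_AWS_KEY = "AKIAEXAMPLE000000000"
SAMPLE_INPUT = f"""apiVersion: v1
kind: Secret
metadata:
  name: app-creds
data:
  aws_key: {base64.b64encode(FAKE_AWS_KEY.encode()).decode()}
---
SLACK_TOKEN = "xoxb-0000000000-exampletoken"
"""

if __name__ == "__main__":
    for finding in find_secrets(SAMPLE_INPUT):
        print(finding)
```

A plaintext-only regex would report the Slack token but miss the AWS key, which only becomes visible after the manifest's Base64 value is decoded.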

Why is Orca offering Base64-encoded secrets detection?

Since Base64 encoding does not secure secrets, the underlying sensitive data, such as API keys, tokens, or credentials, remains fully exposed and can be easily decoded using basic tools. This makes encoded secrets an attractive target for attackers, especially in public, leaked, or misconfigured code repositories.

Despite this, very few security tools are capable of detecting encoded secrets, and even fewer support more than a small set of secret types. This creates a significant blind spot for security teams and allows secrets to bypass standard detection.

Orca has introduced Base64-encoded secrets detection to close this gap. The enhancement automatically and continuously scans for over 100 secret types, including API keys, tokens, and credentials from platforms such as GitHub, GitLab, AWS, GCP, Slack, and Stripe. This helps prevent developers from committing encoded secrets to code repositories or risky deployments from making it to production environments, exposing secrets that would have otherwise gone unnoticed.

Using Orca, teams can customize detections for secrets, including in Base64 format

Since releasing this capability, Orca has already surfaced thousands of encoded secrets across customer environments, many of which were missed by most, if not all, other tools. Importantly, a significant portion of these secrets were still valid at the time of discovery, highlighting the gaps in existing detection approaches and the need for deeper, more comprehensive scanning.

By making encoded secret detection both comprehensive and automatic, Orca enables security teams to implement preventative controls early in the development process, reducing the likelihood that exploitable secrets ever reach production.

About the Orca Cloud Security Platform

Orca offers a unified and comprehensive cloud security platform that identifies, prioritizes, and remediates security risks and compliance issues across AWS, Azure, Google Cloud, Oracle Cloud, Alibaba Cloud, and Kubernetes. The Orca Cloud Security Platform leverages Orca’s patented SideScanning™ technology to provide complete coverage and comprehensive risk detection.

Learn More

Interested in discovering the benefits of the Orca Cloud Security Platform and its AppSec capabilities? Schedule a personalized 1:1 demo.