trivy icon indicating copy to clipboard operation
trivy copied to clipboard
Published 4 months ago verified publisher icon aquasecurity

feat(secret): add detection for Symfony default secret key

Open murataslan1 opened this issue 4 months ago • 2 comments

Summary

Add a new secret detection rule for the old default Symfony secret key ThisTokenIsNotSoSecretChangeIt.

Details

When projects were bootstrapped with older versions of Symfony (< 4.0), the configuration was generated with a default secret key. This key can be exploited for Remote Code Execution (RCE).

Changes

  • Added CategorySymfony to secret categories
  • Added symfony-secret rule to detect ThisTokenIsNotSoSecretChangeIt
  • Severity: HIGH (due to RCE risk)

Detection examples

# parameters.yml
parameters:
    secret: ThisTokenIsNotSoSecretChangeIt

# .env
APP_SECRET=ThisTokenIsNotSoSecretChangeIt

References

murataslan1 avatar Dec 06 '25 19:12 murataslan1

CLA assistant check
All committers have signed the CLA.

CLAassistant avatar Dec 06 '25 19:12 CLAassistant

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.

CLAassistant avatar Dec 06 '25 19:12 CLAassistant