Skip to content

feat(secret): add detection for Symfony default secret key #9892

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
murataslan1 wants to merge 1 commit into
base: main
Choose a base branch
from
Open

feat(secret): add detection for Symfony default secret key #9892

murataslan1 wants to merge 1 commit into from
+9 −0

Conversation

@murataslan1
Copy link

@murataslan1 murataslan1 commented Dec 6, 2025

Summary

Add a new secret detection rule for the old default Symfony secret key ThisTokenIsNotSoSecretChangeIt.

Details

When projects were bootstrapped with older versions of Symfony (< 4.0), the configuration was generated with a default secret key. This key can be exploited for Remote Code Execution (RCE).

Changes

  • Added CategorySymfony to secret categories
  • Added symfony-secret rule to detect ThisTokenIsNotSoSecretChangeIt
  • Severity: HIGH (due to RCE risk)

Detection examples

# parameters.yml
parameters:
    secret: ThisTokenIsNotSoSecretChangeIt
# .env
APP_SECRET=ThisTokenIsNotSoSecretChangeIt

References

@murataslan1
feat(secret): add detection for Symfony default secret key
a7511f7 
Add a new secret detection rule for the old default Symfony secret key
'ThisTokenIsNotSoSecretChangeIt'. This key was used in older versions
of Symfony and can be exploited for Remote Code Execution (RCE).

Reference: https://www.ambionics.io/blog/symfony-secret-fragment

Fixes aquasecurity#3910
@CLAassistant
Copy link

CLAassistant commented Dec 6, 2025
edited
Loading

CLA assistant check
All committers have signed the CLA.

@CLAassistant
Copy link

CLAassistant commented Dec 6, 2025

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@knqyf263 knqyf263 Awaiting requested review from knqyf263 knqyf263 is a code owner

@DmitriyLewen DmitriyLewen Awaiting requested review from DmitriyLewen DmitriyLewen is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Detect old default Symfony secret key ThisTokenIsNotSoSecretChangeIt

2 participants

@murataslan1 @CLAassistant