In the digital age, the exposure of sensitive information poses a significant threat to security. Leveraging the ubiquitous nature of code-sharing platforms like GitHub and BitBucket, developers often accidentally disclose credentials and API keys, granting unauthorized access to critical systems. Despite the availability of tools for detecting such breaches in source code, detecting secret breaches in software issue reports remains largely unexplored. This paper presents a novel technique for secret breach detection in software issue reports using a combination of language models and state-of-the-art regular expressions. We highlight the challenges posed by noise, such as log files, URLs, commit IDs, stack traces, and dummy passwords, which complicate the detection process. By employing relevant pre-processing techniques and leveraging the capabilities of advanced language models, we aim to mitigate potential breaches effectively. Drawing insights from existing research on secret detection tools and methodologies, we propose an approach combining the strengths of state-of-the-art regexes with the contextual understanding of language models. Our method aims to reduce false positives and improve the accuracy of secret breach detection in software issue reports. We have curated a benchmark dataset of 25000 instances with only 437 true positives. Although the data is highly skewed, our model performs well with a 0.6347 F1-score, whereas state-of-the-art regular expression hardly manages to get a 0.0341 F1-Score with a poor precision score. We have also developed a secret breach mitigator tool for GitHub, which will warn the user if there is any secret in the posted issue report. By addressing this critical gap in contemporary research, our work aims at enhancing the overall security posture of software development practices.

翻译：在数字时代，敏感信息的暴露对安全构成重大威胁。借助GitHub和BitBucket等代码共享平台的普遍性，开发者常会意外泄露凭证和API密钥，导致未授权访问关键系统。尽管存在检测源代码中此类泄露的工具，但在软件问题报告中检测秘密泄露的研究仍基本处于空白。本文提出一种结合语言模型与先进正则表达式的新技术，用于检测软件问题报告中的秘密泄露。我们重点分析了日志文件、URL、提交ID、堆栈跟踪和虚拟密码等噪声带来的挑战，这些噪声使检测过程复杂化。通过采用相关预处理技术并利用先进语言模型的能力，我们旨在有效缓解潜在泄露。基于现有秘密检测工具与方法的研究成果，我们提出了一种将先进正则表达式的优势与语言模型上下文理解能力相结合的方法。该方法旨在降低误报率，提高软件问题报告中秘密泄露检测的准确性。我们构建了一个包含25000个实例的基准数据集，其中仅有437个真实正例。尽管数据高度偏斜，我们的模型仍取得了0.6347的F1分数，而先进正则表达式仅获得0.0341的F1分数且精确度较差。我们还开发了针对GitHub的秘密泄露缓解工具，可在发布的议题报告中存在秘密时向用户发出警告。通过填补当前研究中的这一关键空白，我们的工作致力于提升软件开发实践的整体安全态势。