{"id":"https://openalex.org/W4388483564","doi":"https://doi.org/10.1109/esem56168.2023.10304853","title":"A Comparative Study of Software Secrets Reporting by Secret Detection Tools","display_name":"A Comparative Study of Software Secrets Reporting by Secret Detection Tools","publication_year":2023,"publication_date":"2023-10-26","ids":{"openalex":"https://openalex.org/W4388483564","doi":"https://doi.org/10.1109/esem56168.2023.10304853"},"language":"en","primary_location":{"id":"doi:10.1109/esem56168.2023.10304853","is_oa":false,"landing_page_url":"https://doi.org/10.1109/esem56168.2023.10304853","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"2023 ACM/IEEE International Symposium on Empirical Software Engineering and Measurement (ESEM)","raw_type":"proceedings-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":false,"oa_status":"closed","oa_url":null,"any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5084433528","display_name":"Setu Kumar Basak","orcid":"https://orcid.org/0000-0001-7857-3333"},"institutions":[{"id":"https://openalex.org/I137902535","display_name":"North Carolina State University","ror":"https://ror.org/04tj63d06","country_code":"US","type":"education","lineage":["https://openalex.org/I137902535"]}],"countries":["US"],"is_corresponding":true,"raw_author_name":"Setu Kumar Basak","raw_affiliation_strings":["North Carolina State University,USA","North Carolina State University, USA"],"affiliations":[{"raw_affiliation_string":"North Carolina State University,USA","institution_ids":["https://openalex.org/I137902535"]},{"raw_affiliation_string":"North Carolina State University, USA","institution_ids":["https://openalex.org/I137902535"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5113042199","display_name":"J. L. Cox","orcid":null},"institutions":[{"id":"https://openalex.org/I137902535","display_name":"North Carolina State University","ror":"https://ror.org/04tj63d06","country_code":"US","type":"education","lineage":["https://openalex.org/I137902535"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Jamison Cox","raw_affiliation_strings":["North Carolina State University,USA","North Carolina State University, USA"],"affiliations":[{"raw_affiliation_string":"North Carolina State University,USA","institution_ids":["https://openalex.org/I137902535"]},{"raw_affiliation_string":"North Carolina State University, USA","institution_ids":["https://openalex.org/I137902535"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5021122418","display_name":"Bradley Reaves","orcid":"https://orcid.org/0000-0001-7902-1821"},"institutions":[{"id":"https://openalex.org/I137902535","display_name":"North Carolina State University","ror":"https://ror.org/04tj63d06","country_code":"US","type":"education","lineage":["https://openalex.org/I137902535"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Bradley Reaves","raw_affiliation_strings":["North Carolina State University,USA","North Carolina State University, USA"],"affiliations":[{"raw_affiliation_string":"North Carolina State University,USA","institution_ids":["https://openalex.org/I137902535"]},{"raw_affiliation_string":"North Carolina State University, USA","institution_ids":["https://openalex.org/I137902535"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5028171895","display_name":"Laurie Williams","orcid":"https://orcid.org/0000-0003-3300-6540"},"institutions":[{"id":"https://openalex.org/I137902535","display_name":"North Carolina State University","ror":"https://ror.org/04tj63d06","country_code":"US","type":"education","lineage":["https://openalex.org/I137902535"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Laurie Williams","raw_affiliation_strings":["North Carolina State University,USA","North Carolina State University, USA"],"affiliations":[{"raw_affiliation_string":"North Carolina State University,USA","institution_ids":["https://openalex.org/I137902535"]},{"raw_affiliation_string":"North Carolina State University, USA","institution_ids":["https://openalex.org/I137902535"]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":4,"corresponding_author_ids":["https://openalex.org/A5084433528"],"corresponding_institution_ids":["https://openalex.org/I137902535"],"apc_list":null,"apc_paid":null,"fwci":2.8158,"has_fulltext":false,"cited_by_count":11,"citation_normalized_percentile":{"value":0.90969226,"is_in_top_1_percent":false,"is_in_top_10_percent":true},"cited_by_percentile_year":{"min":97,"max":99},"biblio":{"volume":null,"issue":null,"first_page":"1","last_page":"12"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11719","display_name":"Data Quality and Management","score":0.9995999932289124,"subfield":{"id":"https://openalex.org/subfields/1803","display_name":"Management Science and Operations Research"},"field":{"id":"https://openalex.org/fields/18","display_name":"Decision Sciences"},"domain":{"id":"https://openalex.org/domains/2","display_name":"Social Sciences"}},"topics":[{"id":"https://openalex.org/T11719","display_name":"Data Quality and Management","score":0.9995999932289124,"subfield":{"id":"https://openalex.org/subfields/1803","display_name":"Management Science and Operations Research"},"field":{"id":"https://openalex.org/fields/18","display_name":"Decision Sciences"},"domain":{"id":"https://openalex.org/domains/2","display_name":"Social Sciences"}},{"id":"https://openalex.org/T12034","display_name":"Digital and Cyber Forensics","score":0.9977999925613403,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10734","display_name":"Information and Cyber Security","score":0.9925000071525574,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.8314633369445801},{"id":"https://openalex.org/keywords/false-positive-paradox","display_name":"False positive paradox","score":0.8288582563400269},{"id":"https://openalex.org/keywords/false-positives-and-false-negatives","display_name":"False positives and false negatives","score":0.4959181249141693},{"id":"https://openalex.org/keywords/software","display_name":"Software","score":0.4864787757396698},{"id":"https://openalex.org/keywords/computer-security","display_name":"Computer security","score":0.4539768695831299},{"id":"https://openalex.org/keywords/benchmark","display_name":"Benchmark (surveying)","score":0.4272434115409851},{"id":"https://openalex.org/keywords/artificial-intelligence","display_name":"Artificial intelligence","score":0.15754565596580505},{"id":"https://openalex.org/keywords/operating-system","display_name":"Operating system","score":0.08308273553848267}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.8314633369445801},{"id":"https://openalex.org/C64869954","wikidata":"https://www.wikidata.org/wiki/Q1859747","display_name":"False positive paradox","level":2,"score":0.8288582563400269},{"id":"https://openalex.org/C112789634","wikidata":"https://www.wikidata.org/wiki/Q18207010","display_name":"False positives and false negatives","level":3,"score":0.4959181249141693},{"id":"https://openalex.org/C2777904410","wikidata":"https://www.wikidata.org/wiki/Q7397","display_name":"Software","level":2,"score":0.4864787757396698},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.4539768695831299},{"id":"https://openalex.org/C185798385","wikidata":"https://www.wikidata.org/wiki/Q1161707","display_name":"Benchmark (surveying)","level":2,"score":0.4272434115409851},{"id":"https://openalex.org/C154945302","wikidata":"https://www.wikidata.org/wiki/Q11660","display_name":"Artificial intelligence","level":1,"score":0.15754565596580505},{"id":"https://openalex.org/C111919701","wikidata":"https://www.wikidata.org/wiki/Q9135","display_name":"Operating system","level":1,"score":0.08308273553848267},{"id":"https://openalex.org/C205649164","wikidata":"https://www.wikidata.org/wiki/Q1071","display_name":"Geography","level":0,"score":0.0},{"id":"https://openalex.org/C13280743","wikidata":"https://www.wikidata.org/wiki/Q131089","display_name":"Geodesy","level":1,"score":0.0}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1109/esem56168.2023.10304853","is_oa":false,"landing_page_url":"https://doi.org/10.1109/esem56168.2023.10304853","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"2023 ACM/IEEE International Symposium on Empirical Software Engineering and Measurement (ESEM)","raw_type":"proceedings-article"}],"best_oa_location":null,"sustainable_development_goals":[],"awards":[{"id":"https://openalex.org/G6256934058","display_name":null,"funder_award_id":"2055554","funder_id":"https://openalex.org/F4320306076","funder_display_name":"National Science Foundation"}],"funders":[{"id":"https://openalex.org/F4320306076","display_name":"National Science Foundation","ror":"https://ror.org/021nxhr62"}],"has_content":{"pdf":false,"grobid_xml":false},"content_urls":null,"referenced_works_count":21,"referenced_works":["https://openalex.org/W41404523","https://openalex.org/W1555168845","https://openalex.org/W1995875735","https://openalex.org/W2034190452","https://openalex.org/W2086585198","https://openalex.org/W2158297335","https://openalex.org/W2735864825","https://openalex.org/W2890432166","https://openalex.org/W2947593054","https://openalex.org/W2955656327","https://openalex.org/W2993331254","https://openalex.org/W3010949534","https://openalex.org/W3105133011","https://openalex.org/W3131633772","https://openalex.org/W3151142258","https://openalex.org/W4220690511","https://openalex.org/W4284664377","https://openalex.org/W4312875384","https://openalex.org/W4328028702","https://openalex.org/W4384009645","https://openalex.org/W4384345631"],"related_works":["https://openalex.org/W1557094818","https://openalex.org/W2183246718","https://openalex.org/W1973412793","https://openalex.org/W2099261052","https://openalex.org/W4292605373","https://openalex.org/W2951146195","https://openalex.org/W4226316650","https://openalex.org/W3123215897","https://openalex.org/W2153600354","https://openalex.org/W4243739114"],"abstract_inverted_index":{"Background:":[0],"According":[1],"to":[2,18,51,56,83,92,166,181,206,231],"GitGuardian's":[3],"monitoring":[4],"of":[5,61,79,96,102,112,157],"public":[6],"GitHub":[7,132],"repositories,":[8],"secrets":[9,24,97,159],"sprawl":[10],"continued":[11],"accelerating":[12],"in":[13,86,203],"2022":[14],"by":[15,226],"67%":[16],"compared":[17,73],"2021,":[19],"exposing":[20],"over":[21],"10":[22],"million":[23],"(API":[25],"keys":[26],"and":[27,33,54,74,115,138,142,151,171,189,220],"other":[28],"credentials).":[29],"Though":[30],"many":[31,43],"open-source":[32,114],"proprietary":[34,117],"secret":[35,67,89,104,200,223],"detection":[36,68,90,105,217],"tools":[37,41,69,118,127,197],"are":[38,70,164,179],"available,":[39],"these":[40],"output":[42],"false":[44,162,177],"positives,":[45],"making":[46],"it":[47],"difficult":[48],"for":[49],"developers":[50,85,195],"take":[52],"action":[53],"teams":[55],"choose":[57,196],"one":[58],"tool":[59,91,214],"out":[60],"many.":[62],"To":[63],"our":[64,80],"knowledge,":[65],"the":[66,94],"not":[71],"yet":[72],"evaluated.":[75],"Aims:":[76],"The":[77,124],"goal":[78],"study":[81],"is":[82],"aid":[84],"choosing":[87],"a":[88,120],"reduce":[93],"exposure":[95],"through":[98],"an":[99,110],"empirical":[100],"investigation":[101],"existing":[103],"tools.":[106],"Method:":[107],"We":[108,193],"present":[109,202],"evaluation":[111],"five":[113],"four":[116],"against":[119],"benchmark":[121],"dataset.":[122],"Results:":[123],"top":[125],"three":[126],"based":[128,143,198],"on":[129,144,199],"precision":[130],"are:":[131,146],"Secret":[133],"Scanner":[134],"(75%),":[135],"Gitleaks":[136,147],"(46%),":[137],"Commercial":[139],"X":[140],"(25%),":[141],"recall":[145],"(88%),":[148],"SpectralOps":[149],"(67%)":[150],"TruffleHog":[152],"(52%).":[153],"Our":[154],"manual":[155],"analysis":[156],"reported":[158],"reveals":[160],"that":[161],"positives":[163],"due":[165,180],"employing":[167],"generic":[168],"regular":[169,183],"expressions":[170],"ineffective":[172],"entropy":[173],"calculation.":[174],"In":[175,210],"contrast,":[176],"negatives":[178],"faulty":[182],"expressions,":[184],"skipping":[185],"specific":[186],"file":[187],"types,":[188],"insufficient":[190],"rulesets.":[191],"Conclusions:":[192],"recommend":[194,213],"types":[201],"their":[204],"projects":[205],"prevent":[207],"missing":[208],"secrets.":[209],"addition,":[211],"we":[212],"vendors":[215,230],"update":[216],"rules":[218],"periodically":[219],"correctly":[221],"employ":[222],"verification":[224],"mechanisms":[225],"collaborating":[227],"with":[228],"API":[229],"improve":[232],"accuracy.":[233]},"counts_by_year":[{"year":2026,"cited_by_count":1},{"year":2025,"cited_by_count":10}],"updated_date":"2026-03-17T09:09:15.849793","created_date":"2025-10-10T00:00:00"}