
Secret Detection

API tokens, passwords, private keys, environment variables: anything that should be treated as a "secret" sometimes finds its way into committed source code. This can be a serious security problem that is difficult to unwind. Once a secret lands in a codebase it is visible to anyone with access to that project, and because it remains in the git history even after the offending line is deleted, the credential has to be treated as compromised and rotated, not just removed. Even for internal projects, this is a significant risk for credentials that should only be used by an individual or a particular team.

There are a number of open-source tools that can help identify and mitigate leaked secrets. In particular, Yelp/detect-secrets and gitleaks/gitleaks detect hardcoded secrets in a git repository, combining pattern rules for well-known credential formats (cloud access keys, personal access tokens, private key headers) with entropy checks that catch unstructured high-entropy strings; gitleaks also scans the commit history rather than only the current tree.

These tools, used in conjunction with MergeStat, let users report on and aggregate leaked secrets across many repos in an organization.
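The following is an added example, not code from detect-secrets, gitleaks or MergeStat, that shows in miniature what the two preceding paragraphs describe: a scanner with a handful of regex rules plus a Shannon-entropy rule, run over constructed file contents for three hypothetical repos, followed by the per-repo rollup that MergeStat provides across an organization. The rule set, thresholds, repo names and sample secrets are all assumptions made for illustration; real scanners ship hundreds of rules and read the repo from git rather than from an in-memory dict.

```python
"""Toy hardcoded-secret scanner with per-repo aggregation (added example, not the tools' own code)."""
from __future__ import annotations

import math
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    repo: str
    path: str
    line_no: int
    rule: str
    secret: str


# Simplified rules in the spirit of gitleaks/detect-secrets. Specific rules come first so a
# generic match on the same span is suppressed; only the generic rule captures a group.
RULES = [
    ("aws-access-key-id", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")),
    ("github-pat", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    ("private-key", re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH |)PRIVATE KEY-----")),
    ("generic-assignment", re.compile(
        r"""(?i)(?:password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['"]([^'"\s]{8,})['"]""")),
]
CANDIDATE = re.compile(r"[A-Za-z0-9+/=_\-]{20,}")  # token-like runs worth an entropy check
ENTROPY_THRESHOLD = 4.5  # bits/char (assumed); random base64 is ~5.5-6, identifiers/words ~3-4


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_line(repo: str, path: str, line_no: int, line: str) -> list[Finding]:
    found: list[Finding] = []
    spans: list[tuple[int, int]] = []  # spans already reported on this line

    def overlaps(span: tuple[int, int]) -> bool:
        return any(span[0] < e and s < span[1] for s, e in spans)

    for rule, rx in RULES:
        for m in rx.finditer(line):
            idx = m.lastindex or 0  # capture group for the generic rule, whole match otherwise
            if overlaps(m.span(idx)):
                continue
            spans.append(m.span(idx))
            found.append(Finding(repo, path, line_no, rule, m.group(idx)))
    # Entropy rule: long token-like runs mixing letters and digits that no regex explained.
    for m in CANDIDATE.finditer(line):
        cand = m.group(0)
        if overlaps(m.span()) or not (any(c.isdigit() for c in cand) and any(c.isalpha() for c in cand)):
            continue
        if shannon_entropy(cand) >= ENTROPY_THRESHOLD:
            spans.append(m.span())
            found.append(Finding(repo, path, line_no, "high-entropy-string", cand))
    return found


def scan_repos(repos: dict[str, dict[str, list[str]]]) -> list[Finding]:
    """repos maps repo name -> {path: [lines]}; returns every finding in repo/file/line order."""
    return [f for repo, files in repos.items() for path, lines in files.items()
            for i, line in enumerate(lines, start=1) for f in scan_line(repo, path, i, line)]


def summarize(findings: list[Finding], repos: dict) -> dict[str, dict[str, int]]:
    """Per-repo rule counts, keeping repos with no findings (the organization-wide rollup)."""
    summary: dict[str, Counter] = {repo: Counter() for repo in repos}
    for f in findings:
        summary[f.repo][f.rule] += 1
    return {repo: dict(c) for repo, c in summary.items()}


# Constructed sample input: three hypothetical repos, values are not real credentials.
SAMPLE_REPOS = {
    "payments-api": {
        "config/settings.py": [
            "DEBUG = False",
            "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'",
            'db_password = "s3cr3t-pr0d-pa55"',
        ],
        ".github/workflows/deploy.yml": [
            "env:",
            '  GITHUB_TOKEN: "ghp_aB3dE5fG7hI9jK1lM2nO4pQ6rS8tU0vW1xY3"',
        ],
    },
    "infra-scripts": {
        "deploy/id_rsa": ["-----BEGIN OPENSSH PRIVATE KEY-----", "(key material omitted from this sample)"],
        "notify.sh": ["#!/bin/sh", 'SIGNING_KEY="x9Kq2ZmT7vRb4LpW8cYd3NhJ6sFa5GeU1oQiXtBn"', "curl -s https://example.invalid/hook"],
    },
    "docs-site": {"README.md": ["# Docs site", "Set PASSWORD in your environment before running."]},
}

if __name__ == "__main__":
    results = scan_repos(SAMPLE_REPOS)
    for f in results:  # never echo the full secret into a report; redact it
        print(f"{f.repo}:{f.path}:{f.line_no} [{f.rule}] {f.secret[:4]}...{f.secret[-2:]}")
    print(summarize(results, SAMPLE_REPOS))
```

Two details matter in practice and are mirrored here: a specific rule suppresses the generic assignment rule on the same span so one leaked token is not counted twice, and the entropy rule only fires on long runs that a regex did not already explain, which is what keeps identifiers such as `AWS_ACCESS_KEY_ID` from being flagged while a 40-character random value is. The printed report redacts the matched value; the rollup is what an organization-wide query over many repos would surface.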

Screenshot of Gitleaks output