Last updated: April 29, 2026
Why this module. Engineers commit secrets. AWS keys, API tokens, database passwords end up in Git, often in .env.example files that were supposed to have placeholders. Once committed, secrets stay in Git history forever — and within minutes attackers find them via GitHub search.
The tool stack
- git-secrets / detect-secrets / Gitleaks / TruffleHog — pre-commit hooks that block commits containing detected secrets.
- GitHub Secret Scanning — free; scans public + (with Advanced Security) private repos. Auto-revokes some token types via partner notifications.
- GitLab Secret Detection — bundled with Ultimate.
- GitGuardian — best-in-class commercial; covers all CI providers.
The pre-commit pattern
# .pre-commit-config.yaml
repos:
  - repo: https://github.com/zricethezav/gitleaks
    rev: v8.18.0
    hooks:
      - id: gitleaks
Add this to every repo. Developers run pre-commit install once; after that, any commit containing a detected secret is blocked locally.
The “we found secrets in history” remediation
- Rotate immediately. Assume the secret is compromised the moment it hits a public repo; treat private repos with broad team access the same way.
- Don’t try to delete from history on a shared branch — it requires force-push and breaks teammates’ clones.
- For active secret types (AWS, GCP, Slack), GitHub Secret Scanning notifies the partner, who auto-revokes within hours.
- Document the incident; review how the secret got committed (pre-commit hook missing, etc.); fix the gap.
What developers commit by mistake
- .env files (should be in .gitignore; sometimes aren't)
- Test fixtures with real prod credentials (the cardinal sin)
- Printed JSON dumps with embedded keys
- Helm values files with passwords
- Terraform state files (Module 14, Cloud track)
- Kubernetes secrets (base64-encoded != encrypted)
Server-side enforcement
Pre-commit hooks rely on developer compliance. Server-side hooks (GitHub branch protection rules, GitLab push rules) ensure the rule is enforced regardless of the developer’s local setup.
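The "what developers commit by mistake" list and the server-side hook come together in the scanner below. It is an added example written for this module, not Gitleaks, GitHub Secret Scanning or any vendor's engine: it reads a diff, inspects only the lines the push adds (what a pre-receive hook sees), and exits non-zero when a rule fires. The sample diff is constructed to contain the mistakes listed above (a .env.example with a real-format key next to placeholders, a test fixture with an API key, a Kubernetes Secret whose base64 value is decoded rather than treated as hidden). AKIAIOSFODNN7EXAMPLE is the access key ID from AWS documentation; the Slack token, file paths, regex rules, placeholder allowlist and entropy threshold are all hand-picked assumptions, not a vendor rule set.

```python
"""Toy scanner for the lines a git push adds, as a server-side hook would see them.
Added example for this module, not Gitleaks, GitHub Secret Scanning or any vendor
engine; rules, allowlist, threshold and the sample diff are constructed."""
import base64
import math
import re
import sys

# Format-specific rules first; the generic rule is a fallback for KEY=value lines.
SPECIFIC_RULES = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "slack-token": re.compile(r"\bxox[baprs]-[0-9A-Za-z-]{10,}\b"),
}
GENERIC_RULE = re.compile(
    r"(?i)(secret|password|passwd|token|api_?key)\w*['\"]?\s*[:=]\s*['\"]?"
    r"([A-Za-z0-9+/=_\-]{16,})"
)
# Constructed allowlist for the placeholders a .env.example is supposed to hold.
PLACEHOLDER_MARKERS = ("example", "placeholder", "changeme", "your_", "xxxx", "<")
ENTROPY_THRESHOLD = 3.0  # bits per character, hand-tuned for this toy

def shannon_entropy(s):
    """Random-looking keys score high; words and repeated characters score low."""
    n = len(s)
    return -sum(s.count(c) / n * math.log2(s.count(c) / n) for c in set(s))

def maybe_base64_decode(value):
    """Kubernetes Secret data is base64, not encryption: decode so the finding shows
    the real value. Returns None unless value is base64 of printable ASCII."""
    try:
        raw = base64.b64decode(value, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if raw and all(32 <= b < 127 for b in raw):
        return raw.decode("ascii")
    return None

def is_placeholder(value):
    lower = value.lower()
    return any(m in lower for m in PLACEHOLDER_MARKERS) or len(set(lower)) <= 3

def scan_line(line):
    """Return (rule, value, base64_decoded) for each secret-looking value on a line."""
    hits = [(rule, m.group(0), False)
            for rule, pat in SPECIFIC_RULES.items() for m in pat.finditer(line)]
    if hits:
        return hits
    m = GENERIC_RULE.search(line)
    if not m:
        return []
    value, decoded = m.group(2), False
    plain = maybe_base64_decode(value)
    if plain is not None:
        value, decoded = plain, True
    if is_placeholder(value) or shannon_entropy(value) < ENTROPY_THRESHOLD:
        return []
    return [("generic-assignment", value, decoded)]

def scan_diff(diff_text):
    """Scan only added lines: removed lines are already in history, which is why the
    fix for a leaked secret is rotation, not a revert commit."""
    findings, path = [], None
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].removeprefix("b/")
        elif raw.startswith("+"):
            for rule, value, decoded in scan_line(raw[1:]):
                findings.append({"file": path, "rule": rule, "base64_decoded": decoded,
                                 "value": value[:4] + "*" * (len(value) - 4)})
    return findings

# Constructed sample push (AKIAIOSFODNN7EXAMPLE is the AWS documentation example ID).
SAMPLE_DIFF = """\
--- a/config/.env.example
+++ b/config/.env.example
@@ -1,2 +1,5 @@
 APP_NAME=billing
-SLACK_BOT_TOKEN=xoxb-111111111111-old-token-already-in-history
+AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
+DB_PASSWORD=changeme
+API_TOKEN=your_api_token_here_placeholder
+SLACK_BOT_TOKEN=xoxb-000000000000-constructed-example-token
--- a/tests/fixtures/account.json
+++ b/tests/fixtures/account.json
@@ -1,2 +1,3 @@
 {
+  "apiKey": "9f3c1b7e2a4d6c8b0e5f7a1d3c9b2e4f",
   "plan": "enterprise"
--- /dev/null
+++ b/deploy/secret.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Secret
+data:
+  DB_PASSWORD: c3VwZXJzZWNyZXQtcHJvZC1kYi1wYXNzd29yZA==
"""

if __name__ == "__main__":  # hook usage: git diff OLD NEW | python scan_push.py -
    found = scan_diff(sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE_DIFF)
    for f in found:
        print(f"{f['file']}: {f['rule']} value={f['value']}"
              + (" (base64-decoded)" if f["base64_decoded"] else ""))
    sys.exit(1 if found else 0)  # a non-zero exit from a pre-receive hook rejects the push
```

Run without arguments it scans the constructed diff and reports four findings: the AWS key ID and the Slack token in .env.example (the placeholders on the neighbouring lines are skipped), the API key in the test fixture, and the Kubernetes Secret value, shown after base64 decoding. The removed Slack token is ignored on purpose: it is already in history, so the hook cannot help with it and rotation is the only remedy. Real engines carry far larger rule sets and tuned allowlists, but the shape is the same: format rules, a generic high-entropy fallback, and a non-zero exit that makes the server refuse the push regardless of the developer's local setup.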
Defender’s checklist
- Pre-commit hooks in every repo template.
- GitHub Secret Scanning enabled (free for public; Advanced Security for private).
- Server-side branch protection that blocks pushes containing detected secrets.
- Documented secret-rotation runbook.
- Vault / AWS Secrets Manager / Doppler for runtime secrets — never hardcoded.
- Quarterly audit: scan history of all repos for residual secrets.
Module Quiz · 6 questions
Pass with 80%+ to mark this module complete. Unlimited retries. Each question shows an explanation.
Custom team training + practitioner advisory
Beyond the free academy — we run private workshops, vCISO advisory, and red-team exercises tailored to your stack. For Indian SMBs scaling past their first hire.