SEC-004 (recommended): Secret Security

No Secrets Committed to Git

Secret scanning in place to prevent commits and detect past leaks

Question to ask

"Has anyone actually scanned your full git history for leaks?"

What to check

  • Pre-commit hooks for secret detection (gitleaks, trufflehog)
  • GitHub secret scanning enabled
  • .gitignore covers secret patterns
  • Scan for secrets in current codebase and history

Pass criteria

  • Secret scanning tool in place (pre-commit or CI)
  • GitHub secret scanning enabled
  • .gitignore covers common secret patterns
  • No secrets in codebase or history

Verification guide

Severity: Critical

Secrets must never be committed to version control. Secret scanning should be in place to prevent accidental commits and detect any past leaks.

Check automatically:

  1. Check for secret scanning tools:
# Git hooks for secret detection (.git/hooks is local to each clone and never
# committed; only .husky/ or .pre-commit-config.yaml travel with the repo)
ls -la .husky/pre-commit .git/hooks/pre-commit 2>/dev/null
grep -rE "gitleaks|detect-secrets|trufflehog|git-secrets" .husky/ .git/hooks/ .pre-commit-config.yaml 2>/dev/null

# GitHub secret scanning (repo settings via API). The security_and_analysis
# block is only returned when the token has sufficient repository permission,
# so an empty result means "unknown", not "disabled"; confirm in the UI if so.
gh api repos/{owner}/{repo} --jq '.security_and_analysis.secret_scanning.status' 2>/dev/null

# CI-based scanning
grep -rE "gitleaks|trufflehog|detect-secrets" .github/workflows/ 2>/dev/null
  2. Check .gitignore covers secrets:
# Common secret file patterns that should be ignored
grep -E "^\.env|\.pem$|\.key$|credentials|secrets" .gitignore 2>/dev/null
  3. Scan for secrets in repo (use gitleaks or similar):
# If gitleaks is available. --no-git treats the checkout as a plain directory,
# so this covers the working tree only; run it again without --no-git to scan
# the full git history.
gitleaks detect --source . --no-git 2>/dev/null

# Basic pattern check (not comprehensive): AWS access key ID, OpenAI-style
# secret key, GitHub classic PAT. --exclude-dir skips node_modules instead of
# filtering it out of the results afterwards.
grep -rE --exclude-dir=node_modules "AKIA[0-9A-Z]{16}|sk-[a-zA-Z0-9]{48}|ghp_[a-zA-Z0-9]{36}" --include="*.ts" --include="*.js" --include="*.py" --include="*.json" . 2>/dev/null
  4. Check git history for past leaks (important: a secret that was removed in a later commit is still exposed in history):
# Spot check of recent commits only; -20 limits this to the last 20 commits on
# all refs, so it does not answer the "full history" question above. A proper
# history scan walks every patch on every ref (gitleaks without --no-git).
git log --oneline -20 --all -p 2>/dev/null | grep -E "password.*=|api_key.*=|secret.*=" | head -10
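The following is an added example, not tooling from the checklist or from any project it describes. It folds steps 3 and 4 into one offline script: the same token shapes the checklist greps for, a redaction pass so findings can be captured as evidence without copying the secret into the report, a .gitignore check, and a full-history scan over every ref rather than a 20-commit sample. It assumes POSIX sh, grep and sed with -E, grep with --exclude-dir, and git for the history function; every sample input is constructed inline.

```shell
#!/bin/sh
# Added example (not part of the checklist): offline secret-pattern scan,
# redaction, .gitignore check and full-history scan in one place.
# Assumes: POSIX sh, grep/sed with -E, grep --exclude-dir, git for history.

# Token shapes: AWS access key ID, GitHub classic PAT, OpenAI-style key, and a
# generic quoted assignment such as password = "...". Case-sensitive, like the
# checklist's own greps; widen or lower-case as your codebase needs.
SECRET_RE="AKIA[0-9A-Z]{16}|ghp_[A-Za-z0-9]{36}|sk-[A-Za-z0-9]{48}|(password|api_key|secret)[[:space:]]*=[[:space:]]*[\"'][^\"']{8,}[\"']"

# count_secret_lines: number of stdin lines matching SECRET_RE (prints 0 when
# none; grep's exit status 1 for "no match" is swallowed so set -e callers survive)
count_secret_lines() {
  grep -cE "$SECRET_RE" || true
}

# redact: keep a 4-character prefix of each token so a finding can be matched
# to the credential that needs rotating, but never copy the full value out
redact() {
  sed -E \
    -e 's/(AKIA[0-9A-Z]{4})[0-9A-Z]{12}/\1************/g' \
    -e 's/(ghp_[A-Za-z0-9]{4})[A-Za-z0-9]{32}/\1********/g' \
    -e 's/(sk-[A-Za-z0-9]{4})[A-Za-z0-9]{44}/\1********/g' \
    -e "s/((password|api_key|secret)[[:space:]]*=[[:space:]]*[\"'])[^\"']{8,}/\1<redacted>/g"
}

# scan_tree: working-tree scan of directory $1, skipping .git and
# node_modules, with every hit redacted before it is printed
scan_tree() {
  grep -rEn --exclude-dir=.git --exclude-dir=node_modules "$SECRET_RE" "$1" 2>/dev/null | redact
}

# scan_history: the same scan over every patch on every ref of the repo at $1.
# This is what "has the full history been scanned" means; -20 is not.
scan_history() {
  git -C "$1" log -p --all --no-color 2>/dev/null | count_secret_lines
}

# gitignore_missing: read a .gitignore on stdin, print the secret-file patterns
# it lacks (exact-line match, so a broader glob such as .env* is not credited)
gitignore_missing() {
  content=$(cat)
  printf '%s\n' '.env' '.env.*' '*.pem' '*.key' | while IFS= read -r pat; do
    printf '%s\n' "$content" | grep -qxF -- "$pat" || printf '%s\n' "$pat"
  done
}

# Constructed sample standing in for `git log -p` output. The AWS key is the
# placeholder used in AWS documentation; the other values are made up.
SAMPLE_DIFF=$(cat <<'EOF'
+const region = "us-east-1";
+const accessKey = "AKIAIOSFODNN7EXAMPLE";
+token = "ghp_0123456789abcdef0123456789abcdef0123"
+password = "correct horse battery"
+db_password = os.environ["DB_PASSWORD"]
EOF
)

# Constructed .gitignore that covers .env and *.pem but not .env.* or *.key
SAMPLE_GITIGNORE=$(printf '%s\n' 'node_modules/' '.env' '*.pem')

# Demo: 3 hits (AKIA, ghp_, quoted password). The os.environ line is not
# flagged because no quoted literal follows the "=", which is the right answer.
printf 'hits in sample diff: %s\n' "$(printf '%s\n' "$SAMPLE_DIFF" | count_secret_lines)"
printf '%s\n' "$SAMPLE_DIFF" | grep -E "$SECRET_RE" | redact
printf 'missing from .gitignore: %s\n' "$(printf '%s\n' "$SAMPLE_GITIGNORE" | gitignore_missing | tr '\n' ' ')"
```

For a real repository, `scan_history .` replaces the 20-commit spot check and `scan_tree .` replaces the working-tree grep; feed the redacted output into the evidence. gitleaks or trufflehog remain the better choice for the actual scan, since they know hundreds of token formats and use entropy checks; the value here is seeing what a full-ref history walk and redacted evidence look like.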

Ask user:

  • "Do you have pre-commit hooks for secret detection?"
  • "Is GitHub secret scanning enabled?"
  • "Have you ever had to rotate credentials due to accidental commit?"

Cross-reference with:

  • SEC-001 (secret manager - the right way)
  • GIT-016 (no credentials in repo - related item)
  • SEC-003 (not stored on filesystem)

Pass criteria:

  • Secret scanning tool in place (pre-commit hook or CI)
  • GitHub secret scanning enabled (if using GitHub)
  • .gitignore covers common secret patterns
  • No secrets detected in current codebase or history

Fail criteria:

  • No secret scanning configured
  • Secrets found in codebase or git history
  • .gitignore doesn't cover secret files
  • History of leaked credentials without rotation

Evidence to capture:

  • Secret scanning tool in use
  • GitHub secret scanning status
  • Any secrets found (redacted)
  • Whether git history has been cleaned (if past leaks)

Section: 29. Secrets Management (Code Quality & Architecture)