Secrets in Source Code

When API keys, passwords, or tokens are committed to a git repository — even briefly and then deleted — they remain accessible in git history permanently. Automated scanners monitor public repositories in real time.

Common secret types found in repos:

• Cloud provider keys (AWS Access Key ID, GCP service account JSON)
• Payment API keys (Stripe, PayPal, Square)
• Database connection strings with passwords
• SSH private keys, TLS certificates
• Internal API tokens and bearer tokens
• OAuth client secrets

Why deletion does not help:

# Secret committed in commit abc123
git add config.js  # File contains AWS_SECRET_KEY = "AKIA..."
git commit -m "Add config"

# Secret "deleted" in next commit
git add config.js
git commit -m "Remove API key from source"

# Key is STILL accessible:
git show abc123:config.js  # Shows the original file with the key
git log --all -p | grep "AKIA"  # Finds it in history

Within minutes of pushing to GitHub, automated tools like GitGuardian and truffleHog find and catalog the exposed secret.

Use pre-commit hooks to prevent secrets from being committed, and if a secret is exposed, rotate it immediately then clean history.

Pre-commit hook with git-secrets:

pip install detect-secrets
detect-secrets scan > .secrets.baseline
detect-secrets audit .secrets.baseline

# Add to pre-commit hook (using pre-commit framework)
# .pre-commit-config.yaml:
- repo: https://github.com/Yelp/detect-secrets
  rev: v1.4.0
  hooks:
    - id: detect-secrets
      args: ['--baseline', '.secrets.baseline']

.gitignore patterns to prevent secret files:

.env
.env.local
.env.production
*.key
*.pem
*.p12
*credentials*
secrets/
config/secrets.yml

If secrets are already committed — remediation:

1. Immediately revoke and rotate the exposed secret
2. Assume it was already harvested
3. Use BFG Repo Cleaner or git filter-repo to rewrite history
4. Force-push the cleaned history (coordinate with team)
5. Make GitHub repo private if it was public