Summary
Secret detection identifies hardcoded credentials, API keys, tokens, and passwords in source code, configuration files, and version control history, preventing credential exposure and unauthorised access.
Description
Secrets — such as API keys, database passwords, private keys, tokens, and service account credentials — are frequently committed to source code repositories by accident. Once a secret is pushed to a repository, it may be exposed to anyone with access to the codebase, and if the repository is public or is later compromised, the secret can be exploited by malicious actors. Even in private repositories, secrets in version control history persist indefinitely unless explicitly purged. Secret detection tooling scans source code, configuration files, environment definitions, and commit history to identify credentials before they are merged or as soon as possible after exposure. In regulated financial services environments, exposed credentials represent a direct and material security risk, and organisations must demonstrate proactive controls to prevent and respond to credential leakage.
Requirements
- Secret detection MUST be performed against source code and configuration as part of the software development lifecycle
- Secret detection MUST be automated — manual-only review is not sufficient as a primary control
- The point(s) in the development workflow at which secret detection scans are executed MUST be defined based on development practices, risk profile, and pipeline architecture
- Pre-commit hooks or equivalent client-side checks SHOULD be provided to developers to catch secrets before they are pushed to the remote repository
- Scanning MUST cover all file types and configuration formats in the repository, including infrastructure-as-code templates, CI/CD pipeline definitions, and environment files
- Detection rulesets MUST cover, at minimum, common secret types: API keys, private keys, database connection strings, OAuth tokens, cloud provider credentials, and service account keys
- When a secret is detected, the affected credential MUST be rotated and the secret removed from the codebase. A response process for detected secrets MUST be defined and enforced, appropriate to the organisation’s risk posture
- When a previously committed secret is discovered in version control history, the affected credential MUST be rotated immediately and the secret SHOULD be purged from history where feasible
- An allowlist/exclusion process for false positives MUST be maintained, with documented justification and periodic review
- Secret detection results MUST be retained in accordance with the organisation’s record retention policy
Examples & Commentary
- Pre-commit Prevention: Deploy pre-commit hooks (e.g., using frameworks like pre-commit with secret detection plugins) so that secrets are caught on the developer’s machine before they ever reach the repository. This is the most effective point of intervention
- CI Pipeline Scanning: Run secret detection as a required status check on every pull request. If a secret is found, fail the check and provide clear guidance to the developer on how to remediate (remove the secret, rotate the credential, use a secrets manager)
- Historical Scanning: Periodically scan the full git history of repositories, not just the latest commit. Secrets committed months ago and subsequently deleted from the working tree may still be present in history and exploitable
- Custom Patterns: Supplement default detection rules with organisation-specific patterns for internal credential formats, proprietary API key prefixes, or internal service tokens
- Secrets Management Integration: Pair this control with a secrets management solution (e.g., HashiCorp Vault, AWS Secrets Manager, Azure Key Vault) and enforce that applications retrieve secrets at runtime rather than embedding them in code or configuration
- Incident Response: Define a clear process for when a secret is found: who is notified, what is the rotation timeline, and how is the exposure assessed. Treat any secret found in a public repository as compromised and rotate immediately