Secrets & Credential Leaks
Secrets management and credential leak prevention address one of the most common and impactful security failures in modern software development. Hardcoded API keys, database passwords, cloud credentials, and private keys regularly appear in source code repositories, CI/CD configurations, container images, client-side JavaScript, and log files. Tools like TruffleHog, GitLeaks, and GitHub Secret Scanning detect exposed credentials in repositories, while vault solutions like HashiCorp Vault, AWS Secrets Manager, and cloud KMS services provide secure runtime secret injection. The impact of leaked credentials can be devastating — exposed AWS keys can lead to full cloud account compromise within minutes, and leaked database credentials can result in complete data breaches. Prevention requires secrets scanning in CI/CD pipelines, pre-commit hooks, environment-based secret injection, and credential rotation policies.
| Date Added | Link | Excerpt |
|---|---|---|
| 2026-05-08 NEW 2026 | How to mitigate secrets risk and prevent future breaches intermediate | Library for detecting and managing secrets risk in code. It details how leaks of credentials, tokens, and signing keys in open source and proprietary repositories are a growing concern, with millions exposed on platforms like GitHub and npm. The library aids in situational awareness by identifying exposed secrets, understanding their purpose, and assessing their potential impact. It emphasizes investing in advanced tooling to filter false positives and prioritize active tokens, alongside evolving development practices to mitigate risks from the design stage forward, ultimately aiming to prevent future breaches. → reversinglabs.com |
| 2026-05-06 NEW 2026 | Secrets security: The why the how and what to do about it beginner | Report detailing the epidemic of secrets exposed in software repositories, explaining how attackers exploit exposed environment variables, tokens, and keys on platforms like PyPI, npm, and GitHub, and offering guidance on mitigation strategies. It highlights the speed at which attackers find these secrets, often within seconds, and the long discovery times for security teams, referencing examples of exposed AWS credentials and discussions of defense-in-depth approaches to software supply chain security. → reversinglabs.com |
| 2026-05-05 NEW 2026 | Secrets leaks increase and expand beyond the codebase news | Library for detecting secrets leaks, focusing on increased risks beyond codebases in collaboration and project management tools like Slack, Jira, and Confluence. It highlights that secrets found in these platforms are often more critical and harder to detect than those in source code, as these tools typically lack integrated scanning capabilities. The library aims to address this gap by providing solutions for monitoring these unstructured data streams, acknowledging that traditional scanning methods optimized for code repositories are insufficient. → reversinglabs.com |
| 2026-05-04 2026 | Local Guardrails for Secrets Security in the Age of AI Coding Assistants beginner AI Supply Chain | Library for local secrets security scanning, ggshield, enables developers to detect and prevent accidental credential exposure directly within their workflows. It addresses the shifting attack surface towards developer workstations, encompassing AI coding assistants, local caches, and environment files. The tool scans project workspaces, dotfiles, build output, and agent folders to catch sensitive data before it propagates to repositories or pipelines, mitigating risks like those seen in npm, PyPI, and Docker Hub campaigns. → blog.gitguardian.com |
| 2026-05-02 2026 | Cursor AI Flaw Lets Hackers Steal API Keys and Run Code Silently news API Sec RCE | Library for securing AI-powered development tools, addressing critical vulnerabilities in Cursor AI where extensions can steal API keys and session tokens from an unencrypted SQLite database, and CVE-2026-26268 allows silent code execution via Git hooks and AI agent interactions. Researchers from LayerX and Novee discovered these flaws, emphasizing risks of financial loss, code exposure, and unauthorized access to cloud systems due to inadequate extension isolation and insecure credential storage, leaving developers at ongoing risk without a full architectural fix. |
| 2026-05-02 2026 | Shai-Hulud Hits SAP: Stolen Credentials Found in 1200 GitHub Repos news Supply Chain | Library variant of the Shai-Hulud worm targets SAP npm packages, exfiltrating developer credentials, tokens, and cloud configurations from over 2.2 million monthly downloads. The malware silently uploads this sensitive data, encrypted via AES-256-GCM and RSA-OAEP, to over 1,200 public GitHub repositories. Affected users are advised to immediately rotate keys, enforce two-factor authentication, upgrade packages, and treat compromised machines as fully breached. → ox.security |
| 2026-05-01 2026 | New software supply chain attack uses sleeper packages for credential theft and CI tampering news Supply Chain | Library for detecting sleeper packages in software supply chains that steal credentials, tamper with GitHub Actions, and establish SSH persistence. These malicious Ruby gems and Go modules, observed in campaigns attributed to "BufferZoneCorp," operate through init functions, manipulate environment variables, and place fake executables in cache directories to intercept commands and exfiltrate sensitive data like SSH keys and configuration secrets to attacker-controlled endpoints. → scworld.com |
| 2026-05-01 2026 | Supply chain attack against SAP npm packages facilitates credential theft news Supply Chain | Library that identifies a supply chain attack targeting SAP npm packages, including compromised versions like @cap-js/db-service, @cap-js/postgres, and @cap-js/sqlite. The attack, noted by Aikido Security and others, involved a pre-install script exfiltrating developer credentials, GitHub and npm tokens, cloud secrets, and Kubernetes secrets via AES-256-CGM. The payload also auto-commits to accessible GitHub repositories. → scworld.com |
| 2026-04-29 2026 | Supply Chain Campaign Targets SAP npm Packages with Credential-Stealing Malware news Supply Chain | Library that installs malicious preinstall scripts in SAP-related npm packages, such as `@cap-js/sqlite` and `@cap-js/postgres`, to steal developer and CI/CD secrets. The "Mini Shai Hulud" campaign, attributed to TeamPCP, uses a multi-stage payload to harvest credentials from GitHub, npm, and cloud providers, exfiltrating data via GitHub repositories. It also features browser credential theft and propagation logic. → wiz.io |
| 2026-04-28 2026 | FIRESIDE CHAT: Leaked secrets are now the go-to attack vector and AI is accelerating exposures news AI | Survey of escalating leaked secrets as attack vectors, exacerbated by AI. GitGuardian reports a 34% year-over-year jump in exposed credentials in 2025, with AI infrastructure driving the fastest-growing categories, including OpenRouter and DeepSeek API keys. The rise of AI-assisted coding, where commits co-signed by AI show significantly higher secret exposure rates, necessitates a governance-first approach to remediate this growing threat. → securityboulevard.com |
| 2026-04-28 2026 | ClickUp is leaking customer data via hardcoded API key researcher claims news API Sec | A researcher claims ClickUp is leaking customer data due to a hardcoded API key. This vulnerability could expose sensitive information. The article does not mention any specific bug bounty payout amount. → cybernews.com |
| 2026-04-28 2026 | ClickUp Hardcoded API Key Exposes 959 Emails from Fortune 500 Giants news API Sec | A hardcoded API key in ClickUp, a popular project management tool used by Fortune 500 companies, led to the exposure of 959 client email addresses. The vulnerability, discovered by security researcher Gavin Wray, allowed unauthorized access to this sensitive data. While the content doesn't specify a bounty amount, the incident highlights the critical importance of secure coding practices and API key management, especially for platforms handling data from major corporations. → cyberpress.org |
| 2026-04-28 2026 | An open-source package with over 1 million monthly downloads has a vulnerability that has been exploited to distribute malware-infected versions and steal user credentials. news Supply Chain | Writeup of a supply chain attack on Elementary Open Source Python CLI v0.23.3, an open-source package with over one million monthly downloads. An attacker exploited a vulnerability in a developer account to distribute a malware-infected version, leading to the theft of user credentials, API tokens, and SSH keys. The affected version was quickly removed, and the developers recommend immediate uninstallation, cache clearing, credential rotation, and security team contact for affected users. |
| 2026-04-27 2026 | Claude Code is leaking API keys into public package registries news Supply Chain | Writeup on Claude Code API token leak, detailing how the AI assistant caches approved terminal commands containing sensitive credentials in `.claude/settings.local.json`. This hidden file, if not excluded from package builds, can expose API keys to public registries like npm. The vulnerability impacts various packaging ecosystems and bypasses traditional secret scanning tools, necessitating manual exclusion from `.npmignore` and `.gitignore`, or automated pipeline checks for enterprises. |
| 2026-04-22 2026 | UNC6426 Exploits nx npm Supply-Chain Attack to Gain AWS Admin Access in 72 Hours news | Writeup of UNC6426's nx npm supply-chain attack, detailing how a compromised GitHub token and an overly permissive AWS OIDC trust were exploited to gain full AWS administrator access within 72 hours. The attack involved leveraging the `nx` package, the `pull_request_target` vulnerability, and the QUIETVAULT credential stealer, with reconnaissance aided by the Nord Stream tool. Recommendations include sandboxing package managers, applying least privilege to CI/CD roles, and enforcing fine-grained PATs. → thehackernews.com |
| 2026-04-22 2026 | The State of Non-Human Identity Security (CSA Survey Report) beginner | Survey report detailing the state of non-human identity (NHI) security, including bots, API keys, and service accounts. It reveals that only 15% of organizations are highly confident in preventing NHI attacks, with major pain points in managing service accounts, auditing, and access management. The report highlights that 20% of organizations have formal processes for API key offboarding, and many use tools not purpose-built for NHIs, though investment in NHI security capabilities is increasing. |
| 2026-04-22 2026 | Secrets Management in 2026: Vault, AWS Secrets Manager, and Beyond beginner | Library for understanding 2026 secrets management trends, comparing HashiCorp Vault, AWS Secrets Manager, Doppler, and Infisical. It highlights the shift from static to dynamic secrets, the importance of identity-based access, and the role of Kubernetes operators like External Secrets Operator. The library guides selection based on factors like multi-cloud needs, AWS dependency, developer experience priorities, and self-hosting requirements. |
| 2026-04-22 2026 | GitHub Secret Scanning 2026: New Patterns, Push Protection beginner | Library for GitHub Secret Protection offers enhanced detection of leaked secrets with 28 new patterns across 15 providers, expanded push protection for 39 token types, and AI-powered generic password detection via Copilot. Available to GitHub Team plan customers at $19 per month per active committer, it includes validity checks and improved API visibility. This solution aims to prevent credential-related breaches, which cost an average of $4.88 million, by blocking pushes of sensitive information like Supabase service keys and Vercel API tokens before they reach repositories. |
| 2026-04-22 2026 | Top 10 Non-Human Identity Security Tools and Platforms for 2026 beginner | Library for detecting and preventing non-human identity (NHI) security risks, specifically addressing hardcoded API keys, overprivileged service accounts, stale OAuth tokens, and misconfigured workload identities. It offers comprehensive discovery, exposure detection across git history and CI/CD pipelines, lifecycle management, authorization and least privilege enforcement, and governance features to aid compliance with standards like SOC 2 and ISO 27001. This tool targets large DevSecOps organizations to secure complex, multi-cloud, and ephemeral workloads. → blog.gitguardian.com |
| 2026-04-22 2026 | CVE-2026-5807: HashiCorp Vault DoS via Unauthenticated Root Token Generation news | Advisory on CVE-2026-5807 detailing a denial-of-service vulnerability in HashiCorp Vault. Unauthenticated attackers can exploit this by repeatedly initiating or canceling root token generation or rekey operations, preventing legitimate users from accessing these critical functions. This flaw is resolved in Vault Community Edition 2.0.0 and Vault Enterprise 2.0.0. GitLab Dependency Scanning can detect and mitigate this specific vulnerability. → advisories.gitlab.com |
| 2026-04-22 2026 | CVE-2026-3605: HashiCorp Vault KVv2 Metadata Policy Bypass (DoS) news | Advisory for CVE-2026-3605 details a HashiCorp Vault KVv2 metadata policy bypass vulnerability. Authenticated users with specific glob policies can delete secrets outside their authorized scope, leading to a denial-of-service condition. The vulnerability does not permit cross-namespace deletion or unauthorized data reading. Patches are available in Vault Community Edition 2.0.0, Vault Enterprise 2.0.0, 1.21.5, 1.20.10, and 1.19.16. → advisories.gitlab.com |
| 2026-04-22 2026 | AI Is Fueling Secrets Sprawl: GitGuardian Reports 81% Surge of AI-Service Leaks news | Report detailing GitGuardian's findings on secrets sprawl, highlighting an 81% surge in AI-service leaks and a 34% YoY increase in newly leaked secrets on GitHub due to AI adoption. The analysis covers increased risk from AI-assisted commits, emerging MCP configuration risks, expanded attack surfaces via collaboration tools and developer machines, and challenges in prioritizing and remediating long-lived secrets, underscoring the need for dedicated Non-Human Identity governance. → blog.gitguardian.com |
| 2026-04-22 2026 | HCSEC-2026-08: Vault DoS via Unauthenticated Root Token Generation news | Bulletin detailing CVE-2026-5807, a denial-of-service vulnerability in HashiCorp Vault Community and Enterprise editions up to v1.21.4. Unauthenticated attackers can exploit the `sys/rekey`, `sys/generate-root`, and `sys/rekey-recovery-key` endpoints to repeatedly initiate or cancel root token generation or rekey operations, locking out legitimate users. This issue is resolved in Vault 2.0.0. |
| 2026-04-22 2026 | HCSEC-2026-05: Vault KVv2 Metadata Policy Bypass DoS news | Writeup of CVE-2026-3605, a denial-of-service vulnerability in HashiCorp Vault KVv2. An authenticated user with specific policy configurations could delete secrets they weren't authorized for, leading to potential service disruption. This issue affected versions up to 1.21.4 and was fixed in Vault Community Edition 2.0.0 and various Vault Enterprise versions. |
| 2026-04-19 2026 | Compromised IAM Credentials Power Large AWS Crypto Mining Campaign news | Analysis of an AWS crypto mining campaign details how attackers use compromised IAM credentials, including admin-like privileges, to gain access. The multi-stage attack involves credential validation via `RunInstances` with `DryRun`, role creation for ECS and Lambda, and deployment of malicious Docker images like `yenik65958/secret:user`. Persistence is achieved using `ModifyInstanceAttribute` to disable API termination and by creating Lambda functions. This campaign highlights the sophisticated use of AWS services for illicit cryptocurrency mining and the importance of strong IAM controls, temporary credentials, MFA, and least privilege. → thehackernews.com |
| 2026-04-19 2026 | Pre-Commit Hooks for Secret Detection: Setup in 10 Minutes intermediate | Library for implementing pre-commit hooks to prevent secrets from entering Git history. It details the setup process for tools like gitleaks, detect-secrets, and TruffleHog, offering solutions for immediate detection and blocking of credential leaks. The library emphasizes catching secrets at the cheapest point in the lifecycle, preventing the need for costly history rewrites and incident response by integrating these tools seamlessly into the Git commit workflow. |
| 2026-04-19 2026 | Understanding Your Organization's Exposure to Secret Leaks — GitHub beginner | Library for assessing an organization's exposure to secret leaks, highlighting that over 39 million secrets were detected on GitHub in 2024 alone. This resource details how secrets like API keys and passwords are leaked through repository commits or misconfigurations, referencing the $4.88 million average cost of credential compromise breaches and the 2022 LastPass breach. It provides methods for quantifying risk, including inventory audits and benchmarking against OWASP ASVS and NIST guidelines, and mentions GitHub's secret risk assessment tool for enterprise customers. |
| 2026-04-19 2026 | Exposed Developer Secrets Surge: AI Drives 34% Increase in 2025 news | Report detailing a 34% surge in exposed developer secrets during 2025, fueled by AI-assisted coding and expanded use of tools like Claude Code. GitGuardian's analysis highlights significant increases in leaked AI service credentials, including DeepSeek API keys, and identifies internal repositories as a six-fold greater risk. The report also notes that 28% of exposures occur outside code in platforms like Slack and Jira, with 64% of discovered secrets remaining unrevoked. |
| 2026-04-19 2026 | GitHub Found 39M Secret Leaks in 2024 — The GitHub Blog news | Library for GitHub Advanced Security, featuring Secret Protection and Code Security, addresses the pervasive issue of exposed secrets, which led to 39 million leaks on GitHub in 2024. It emphasizes built-in push protection for public repositories and introduces affordable standalone products and a free point-in-time scan for organizations to identify and manage secret exposures effectively, partnering with vendors like AWS and Google Cloud Platform to enhance detection accuracy. → github.blog |
| 2026-04-18 2026 | Product showcase: Stop secrets from leaking through AI coding tools with GitGuardian beginner | Library extending ggshield with hook-based secret scanning for AI coding tools like Cursor and GitHub Copilot. This solution detects secrets in prompts and AI agent actions before they are sent to models or executed, providing real-time, preventive control for organizations to mitigate sensitive data exposure in AI workflows, addressing a critical blind spot in current security programs and complementing existing repository and CI pipeline scanning efforts. → helpnetsecurity.com |
| 2026-04-17 2026 | Non-human identities: What they are and how to secure them (Netwrix) beginner | Guide to non-human identities (NHIs) and their security, detailing service accounts, API keys, managed identities, OAuth tokens, and cloud workload identities. The article highlights how these entities, lacking human oversight, MFA, and clear ownership, pose significant security risks, contributing to account compromises. It discusses authentication methods like token-based, key-based, certificate-based, and workload identity federation, emphasizing the absence of MFA as a critical vulnerability. Best practices, such as migrating to gMSAs for service accounts and addressing challenges with vendor-managed NHIs and token lifespans, are also covered, referencing the Netwrix 2025 Cybersecurity Trends Report. |
| 2026-04-17 2026 | What Are Non-Human Identities? Complete NHI Security Guide 2025 beginner | Guide to Non-Human Identities (NHIs) covering their distinction from human accounts, their proliferation in modern organizations, and the five core characteristics that define them: built for automation, identity encoded in names, purpose-built design, operating in networks, and persistence without oversight. It details common NHI types including service accounts, API keys and tokens, machine identities and certificates, bots and automated agents, and application identities, emphasizing their critical role in security due to high privileges and continuous operation. |
| 2026-04-17 2026 | TruffleHog: Deep Dive on Secret Management (Jit) intermediate | Library for detecting hardcoded secrets in code. TruffleHog uses hundreds of patterns and strings to identify exposed credentials for services like AWS, GCP, and Azure, and integrates with tools like Slack and Stripe. It offers automation via pre-commit hooks and GitHub Actions, remote scanning capabilities, customizable rules, and secret verification by making API calls. The library also assists in remediating exposed secrets by providing guidance on rotating credentials and cleaning Git history using tools like BFG Repo-Cleaner. |
| 2026-04-17 2026 | TruffleHog Open Source v3 vs GitGuardian beginner | Library comparing TruffleHog Open Source v3 and GitGuardian's code security platform for secrets detection. TruffleHog is a CLI tool for finding hardcoded secrets in repositories, while GitGuardian offers an integrated platform with automated detection, Honeytoken capabilities, alerting, incident prioritization, and remediation workflows across various version control systems. GitGuardian aims to reduce false positives through its detection engine and provides enhanced collaboration, enterprise-grade features, and dedicated support, contrasting with TruffleHog's open-source limitations in scalability and built-in functionality. |
| 2026-04-17 2026 | git-secret-scanner: Find secrets with TruffleHog & Gitleaks beginner | Tool for finding secrets in Git organizations and groups, combining TruffleHog's classification strengths with Gitleaks' broader detection capabilities. It supports GitHub and GitLab, utilizes specific tokens with required scopes, and offers features for ignoring secrets via annotations or fingerprint files, as well as baseline scanning to detect new secrets. |
| 2026-04-17 2026 | Gitleaks vs TruffleHog 2026 Benchmarks (AppSec Santa) beginner | Library for open-source secret scanning, comparing Gitleaks and TruffleHog. Gitleaks excels as a fast, pre-commit hook using regex for rapid detection within git repositories. TruffleHog offers deeper scanning across git, S3 buckets, Docker images, and Slack, featuring credential verification to confirm active leaks, making it suitable for CI/CD pipelines. Most teams utilize both tools for comprehensive secret protection. → appsecsanta.com |
| 2026-04-17 2026 | Rafter: detect-secrets vs gitleaks vs TruffleHog beginner | Library comparing `detect-secrets`, `git-secrets`, `gitleaks`, and `TruffleHog` for detecting leaked secrets. `git-secrets` is basic and AWS-focused. `detect-secrets` uses plugins and a baseline for brownfield repos, but has a higher false positive rate. `gitleaks` offers broad built-in coverage and fast scanning with 150+ rules. `TruffleHog` distinguishes itself by verifying found secrets via API calls, significantly reducing false positives by confirming active credentials. |
| 2026-04-17 2026 | SEC02-BP03 Store and use secrets securely (AWS Well-Architected) beginner | Reference detailing AWS best practices for managing application secrets, emphasizing credential removal, replacement with short-term alternatives (like IAM roles), and secure storage and rotation of remaining long-term secrets using AWS Secrets Manager. It highlights benefits such as encrypted storage, audited access, and on-demand secret distribution, while warning against common anti-patterns like embedding credentials in source code or configuration files. The document also mentions tools like Amazon CodeGuru for identifying hard-coded secrets and Lambda extensions for serverless secret retrieval. |
| 2026-04-17 2026 | AWS Secrets Manager: Secure Credential Storage & Best Practices beginner | Library for securely storing and managing sensitive data like database passwords, API keys, and OAuth tokens within AWS. It offers automatic credential rotation, fine-grained access control via AWS IAM, integration with AWS CloudTrail for monitoring, and allows applications to retrieve secrets at runtime using AWS SDKs, reducing the risk of hard-coded credentials in code, CI/CD pipelines, or Kubernetes manifests. |
| 2026-04-17 2026 | Practical steps to minimize key exposure using AWS Security (AWS) intermediate | Library for minimizing AWS key exposure, this resource details practical steps for detecting exposed and unused access keys using Amazon Q Developer and AWS IAM Access Analyzer. It emphasizes implementing preventive guardrails with Service Control Policies (SCPs) and Resource Control Policies (RCPs) to establish data perimeters and restrict credential usage to expected networks. The guide also touches upon using AWS WAF and Amazon Inspector for network-level controls and automated secret rotation for ongoing security hygiene, addressing common threat actor entry points via compromised long-term credentials. → aws.amazon.com |
| 2026-04-17 2026 | AWS API Keys / Secrets / Tokens Exposure Remediation intermediate | Guide to remediating exposed AWS API keys, secrets, and tokens, emphasizing PCI-DSS compliance. The guide details using Cyera DSPM for AI-powered discovery across EC2, Lambda, and code repositories, followed by step-by-step remediation including disabling compromised keys, updating applications, and migrating secrets to AWS Secrets Manager or Systems Manager Parameter Store. It also covers long-term prevention through automated rotation, IAM roles, and least-privilege policies. |
| 2026-04-17 2026 | Integrating HashiCorp Vault with Kubernetes for Secrets Mgmt intermediate | Library for integrating HashiCorp Vault with Kubernetes for secure secrets management. This resource details deploying Vault using Helm in a Kubernetes cluster, enabling the Kubernetes authentication method, and configuring Vault to communicate with the Kubernetes API. It covers creating roles that map Kubernetes service accounts to Vault policies, enabling the Key/Value (kv) secrets engine, and storing secrets like database passwords. The integration leverages Vault's encryption at rest, dynamic secrets generation, and fine-grained access control to overcome limitations of native Kubernetes secrets. |
| 2026-04-17 2026 | HashiCorp Vault Kubernetes: The Definitive Guide (Plural) beginner | Guide to integrating HashiCorp Vault with Kubernetes, focusing on replacing static secrets with dynamic, short-lived credentials for databases and PKI. It covers automating secret injection into pods using the Vault Agent Injector or Secrets Operator, and centralizing security policy and configuration. The guide highlights how Vault's dynamic secrets and centralized auditing significantly enhance security compared to native Kubernetes Secrets, with platforms like Plural aiding consistent deployment across fleets. |
| 2026-04-17 2026 | A Hands-On Guide to Vault in Kubernetes beginner | A Hands-On Guide to Vault in Kubernetes |
| 2026-04-17 2026 | Securing Kubernetes Secrets with HashiCorp Vault (InfraCloud) intermediate | Library for securing Kubernetes secrets with HashiCorp Vault, this resource details how to configure Vault for high availability and implement automatic unsealing using Azure Key Vault. It covers creating Azure services like Key Vault and App Registration, then demonstrates deploying Vault with its Helm chart, specifying Azure Key Vault integration for unsealing and Raft for storage. The setup aims to overcome the limitations of Kubernetes native secrets by providing a centralized and robust secret management system. |
| 2026-04-17 2026 | Manage Kubernetes native secrets with Vault Secrets Operator intermediate | Library for managing Kubernetes native secrets with HashiCorp Vault. The Vault Secrets Operator (VSO) acts as a Kubernetes operator, syncing secrets between Vault and Kubernetes native secrets in specified namespaces. It supports kv-v1 and kv-v2, TLS certificates via PKI, and static and dynamic secrets. The tutorial demonstrates installation of Vault and VSO using Helm on minikube, configuring Kubernetes authentication, KV secrets engine, and a role for accessing a static secret. |
| 2026-04-17 2026 | Secret detection (GitLab Docs) beginner | Library for detecting and preventing secrets in Git repositories. It offers "secret push protection" to block commits containing secrets, "pipeline secret detection" that scans branches within CI/CD, and "client-side secret detection" for issues and merge request comments. GitLab can automatically revoke exposed secrets and provides vulnerability reports for remediation. The "GitLab Duo" feature helps reduce false positives by analyzing findings. |
| 2026-04-17 2026 | Find secrets with GitHub secret risk assessment beginner | Tool for scanning GitHub organizations for secret leaks, providing insights into public exposures, private exposures, and token types. Available on GitHub Team and Enterprise plans starting April 1, 2025, this assessment helps identify affected repositories and the number of secrets leaked per type, offering a clear view of an organization's secret footprint without storing or sharing specific secrets. → github.blog |
| 2026-04-17 2026 | About secret scanning (GitHub Docs) beginner | Library for automatically detecting credential leaks like API keys and passwords committed to repositories. It scans Git history, issue and pull request descriptions, wikis, and gists for exposed secrets. The library generates alerts upon detection, allowing for immediate credential rotation. It supports expanding detection with non-provider and custom patterns, and includes validity checks to prioritize remediation. GitHub also partners with service providers to notify them of detected partner secrets, and offers AI-powered scanning via Copilot. |
| 2026-04-16 2026 | Do Not Use Secrets in Environment Variables beginner | Reference detailing why secrets should not be stored in environment variables, explaining risks like poor management, difficulty in rotation and auditing, lack of encryption, and leaks through frontend/backend blurring in frameworks like Next.js and Nuxt, as well as `.env` files and Docker images. It highlights the ease of access via `/proc/PID/environ` and the exposure in process lists, proposing better secrets management solutions. |
| 2026-04-16 2026 | Environment Variables Don't Keep Secrets beginner | Library offering guidance on secure secrets management, highlighting risks of using environment variables for sensitive data like API keys and database credentials. It contrasts this with more secure alternatives such as memory-backed volumes and secrets files, referencing best practices from the CNCF Cloud Native Security Whitepaper and OWASP, including their Secrets Management and Kubernetes Cheat Sheets. The library also details methods for mitigating risks when environment variables are unavoidable, such as using secrets managers like CyberArk Conjur and injection tools like CyberArk Summon. |
| 2026-04-16 2026 | From .env to Leakage: Mishandling of Secrets by Coding Agents intermediate | Writeup detailing secret leakage risks from AI coding assistants, specifically highlighting Claude Code's automatic loading of .env files and potential for API key exposure. The analysis includes a customer incident with Cursor uploading an API key and the CEO's Claude Code committing a Gemini API key to GitHub. Public incidents involving MCP-related data exfiltration via WhatsApp and supply chain attacks are also discussed, emphasizing the need to assume all data is accessible to these agents. |
| 2026-04-16 2026 | Secret Detection in Application Security beginner | Library for detecting secrets in application security, addressing the high false positive rates of traditional regex-based scanners and the blind spots in their coverage. It emphasizes pairing secret detection with context, such as ownership, deployment location, and activity status, to enable effective prioritization and remediation. The library explores root causes of secret leaks, including cognitive load, complex pipelines, containerization, shadow IT, and the limitations of pattern matching, while highlighting the need for scalable prevention strategies and governance models. |
| 2026-04-16 2026 | 29 Million Leaked Secrets: How AI Coding Tools Are Making It Worse news | Library for securing AI agents by treating them as governed non-human identities, focusing on credential management. It addresses the 28.6 million secrets leaked in 2025, a 34% increase, driven by AI-assisted commits and multi-provider integrations across services like OpenRouter and Hugging Face. The library advocates for scoped permissions, short-lived credentials (like OAuth 2.1), event-driven rotation, and robust revocation capabilities, contrasting with insecure practices seen in Model Context Protocol configurations. → helpnetsecurity.com |
| 2026-04-16 2026 | The State of Secrets Sprawl 2026 - GitGuardian Annual Report news | Report analyzing the state of secrets sprawl in 2026, highlighting the acceleration of credential leaks driven by mainstream AI adoption. It reveals secrets are leaking 1.6x faster than developer growth, with AI-assisted commits showing significantly higher leak rates. The report details exposures beyond code repositories, impacting CI/CD runners and collaboration tools, and identifies exposed AI service secrets as a rapidly growing threat category. It also notes the prevalence of long-lived, unvalidated secrets and the challenges in remediation. |
| 2026-04-15 2026 | News alert: GitGuardian study shows AI coding tools double leak rates as 29M credentials hit GitHub news | Analysis of GitGuardian's 5th "State of Secrets Sprawl" report reveals AI coding tools doubled secret leak rates in 2025, contributing to 29 million credentials detected on GitHub. Leaks associated with AI services increased 81% YoY, while MCP configuration risks and widespread secrets sprawl across collaboration tools and developer machines expanded the attack surface. The report highlights that 64% of valid secrets from 2022 remain unrevoked, underscoring critical gaps in governance and remediation for non-human identities. → securityboulevard.com |
| 2026-04-11 2026 | Terraform Secrets Management Best Practices beginner | Library for managing secrets within Terraform configurations. It highlights best practices such as avoiding hard-coded secrets, leveraging secrets managers like AWS Secrets Manager, and utilizing the `sensitive` flag for outputs. The library also details how Terraform states and plans can expose sensitive data and introduces ephemeral resources as a mechanism to fetch secrets without persisting them in the state file. → blog.gitguardian.com |
| 2026-04-11 2026 | AWS IAM Roles Anywhere Workload Identities intermediate | Guide to AWS IAM Roles Anywhere workload identity mapping, explaining how certificates with Subject (CN, FQDN, hostname) or SPIFFE identities are used to obtain temporary credentials. It details how certificate fields like Subject, Issuer, and Subject Alternative Name (SAN) are extracted and mapped to PrincipalTags (e.g., `aws:PrincipalTag/x509Subject/CN`, `aws:PrincipalTag/x509Issuer/O`, `aws:PrincipalTag/x509SAN/DNS`) for use in resource policies, allowing direct identity association with compute instances. |
| 2026-04-11 2026 | External Secrets Operator: Introduction beginner | External Secrets Operator: Introduction |
| 2026-04-11 2026 | Google Cloud SIEM Service Account Token Leak news | Writeup of a Google Security Operations vulnerability (TRA-2025-52) allowing SIEM tenant service account token leakage. Manipulation of the API root parameter in custom integrations forced job execution through a code path that exposed the highly privileged cloud-platform scoped service account access token to an attacker-controlled server. This enabled privilege escalation and unauthorized actions within the Google Cloud project. → tenable.com |
| 2026-04-11 2026 | Secret Rotation: How It Works beginner | Library detailing automatic secret rotation, explaining its importance in reducing vulnerability to compromised credentials and insider threats. It covers rotation conditions, revocation, new secret generation and validation, application across systems like Kubernetes, and types of secrets such as passwords, API keys, SSH keys, and encryption keys. The library also discusses challenges in large-scale implementation and highlights secret management solutions like HashiCorp Vault and StrongDM for automated rotation. |
| 2026-04-11 2026 | Secret Auto Rotation with Secrets Store CSI Driver intermediate | Library for automatic secret rotation within Kubernetes pods, enhancing security by periodically updating mounted secrets and Kubernetes Secrets when changes occur in external stores. This feature leverages the CSI RequiresRepublish mechanism and the `--enable-secret-rotation=true` flag for the Secrets Store CSI Driver, removing the need for privileged RBAC permissions. The driver supports applications reading secrets from mounted volumes or container filesystems, with pods needing restarts or tools like Reloader for environment variable updates. This alpha feature, configurable via Helm or command-line flags, relies on providers implementing a gRPC server for communication. |
| 2026-04-11 2026 | Secretless GitHub Actions to AWS via OIDC intermediate | Reference detailing secretless connections from GitHub Actions to AWS via OpenID Connect (OIDC). This guide explains how to configure GitHub Actions to generate OIDC JWTs, which can then be used to establish trust relationships with AWS IAM roles. It covers creating an OIDC provider in AWS, setting up trust policies with conditions like `StringEquals` on `token.actions.githubusercontent.com:sub` and `token.actions.githubusercontent.com:aud`, and granting necessary permissions. The article provides examples using AWS CDK and Terraform for infrastructure setup, alongside a sample GitHub workflow leveraging the `aws-actions/configure-aws-credentials` action. |
| 2026-04-11 2026 | OIDC Security Hardening for GitHub Actions intermediate | Reference for hardening GitHub Actions security using OpenID Connect (OIDC). This guide details how workflows can leverage OIDC to obtain short-lived access tokens from cloud providers like AWS, Azure, GCP, and HashiCorp Vault, eliminating the need for long-lived secrets. It explains configuring OIDC trust, requesting tokens, and using custom repository properties as claims for attribute-based access control, enhancing authentication and authorization management. Dependabot is also covered, demonstrating its ability to use OIDC for private registry authentication. |
| 2026-04-11 2026 | Hardening HashiCorp Vault Best Practices intermediate | Reference for hardening HashiCorp Vault in production, detailing techniques like TLS and mTLS configuration, firewall rules, and operational security practices such as using dedicated service accounts, minimal write privileges, disabling core dumps and swap, and implementing least privilege access control. It also covers additional considerations like avoiding root tokens, utilizing short-lived TTLs, robust audit logging with redundancy via file and syslog, and secure handling of credentials, emphasizing regular updates and patches for vulnerability mitigation. |
| 2026-04-11 2026 | HashiCorp Vault Production Hardening Guide intermediate | Library providing best practices for hardening HashiCorp Vault production deployments, emphasizing defense in depth. Recommendations include running Vault as an unprivileged user, allowing minimal write privileges, enabling end-to-end TLS with HSTS, disabling swap and core dumps, using single tenancy, firewalling traffic, avoiding root tokens, configuring user lockout, enabling audit device logs, managing log files, disabling shell command history, maintaining frequent upgrades, synchronizing clocks, restricting storage access, avoiding clear-text credentials with platform-specific identity solutions, using the safest TLS algorithms, following plugin best practices, ensuring consistent configuration file merging, applying correct filesystem permissions, and using standard input for Vault secrets. |
| 2026-04-11 2026 | Leaked Env Variables Allow Large-Scale Cloud Extortion news | Writeup of a cloud extortion campaign that successfully compromised and ransomed data by leveraging exposed environment variable files (.env). The campaign exploited credentials found in .env files, coupled with long-lived credentials and a lack of least privilege architecture, to gain initial access to victim AWS environments. Attackers utilized Tor, VPNs, and VPS endpoints for reconnaissance, lateral movement, and data exfiltration, targeting services like IAM, STS, S3, and SES. → unit42.paloaltonetworks.com |
| 2026-04-11 2026 | CVE-2025-68429: Storybook .env Secrets Exposure news | Library CVE-2025-68429 details a .env secrets exposure vulnerability in Storybook. Versions prior to 7.6.21, 8.6.15, 9.1.17, and 10.1.10 can inadvertently bundle environment variables from .env files into build artifacts. If a built Storybook is published online, these variables become publicly viewable. Vulnerable projects typically build Storybook in a directory containing a .env file and publish the output. Users should upgrade to a patched version and audit for sensitive secrets in .env files, rotating affected keys and adjusting variable handling by prefixing with STORYBOOK_ or using the env property if necessary. |
| 2026-04-11 2026 | 10K Docker Images Spray Live Cloud Creds news | Analysis of 10,456 Docker images reveals over 100 companies, including a Fortune 500 firm and a major bank, inadvertently exposing live cloud credentials and API keys for AI services. Flare's research indicates that secrets are often baked into build contexts and published via informal "shadow IT" accounts, bypassing enterprise monitoring. Even after removal from images, exposed secrets frequently remain active, necessitating the use of secrets management tools and pre-push scanning. → theregister.com |
| 2026-04-11 2026 | 10,000+ Docker Hub Images Leaking Credentials news | Analysis of 10,000+ Docker Hub images reveals widespread credential and authentication key leaks affecting over 100 organizations, including a Fortune 500 company and a national bank. Researchers at Flare identified exposed secrets like OpenAI, HuggingFace, and Gemini API keys, GitHub tokens, and database credentials within container images and manifests. Common vulnerabilities stem from `.env` files and hardcoded secrets in application files, impacting cloud environments, CI/CD systems, and Git repositories. While some developers revoked keys within 48 hours, 75% of exposed secrets remained unrevoked, posing ongoing risks. → bleepingcomputer.com |
| 2026-04-11 2026 | Thousands of Secrets Exposed on Docker Hub news | Analysis of over 10,000 Docker Hub images revealed leaked production credentials, including AI LLM model keys and cloud environment access tokens, impacting over 100 organizations. This research highlights a shift to "authenticate-in" attacks rather than traditional hacking, exacerbated by shadow IT accounts and insufficient credential rotation after exposure, as seen in incidents like the Shai-Hulud NPM worm and the tj-actions/changed-files GitHub Action compromise. |
| 2026-04-11 2026 | What Happens When You Leak AWS API Keys? beginner | What Happens When You Leak AWS API Keys? |
| 2026-04-11 2026 | CloudKeys in the Air: Exposed IAM Keys Cryptojacking news | Analysis of the EleKtra-Leak campaign details automated targeting of exposed AWS IAM keys on GitHub for cryptojacking. Threat actors quickly leverage compromised credentials to launch Amazon EC2 instances for Monero mining. Researchers used a Prisma Cloud HoneyCloud project to monitor this activity, observing hundreds of EC2 instances linked to the operation. The campaign employed automated tools to scan repositories and block identified AWS accounts, with researchers countering by creating randomized, non-attributable AWS accounts with overly-permissive IAM credentials to track actor movements. → unit42.paloaltonetworks.com |
| 2026-04-11 2026 | AWS Customer Security Incidents Repository news | AWS Customer Security Incidents Repository |
| 2026-04-11 2026 | 2,622 Valid Certificates Exposed: Google-GitGuardian Study news | Survey of X.509 certificate leaks mapping over 40,000 private keys to TLS certificates, revealing 2,600 valid certificates at risk. The GitGuardian and Google study highlights a critical misunderstanding of private key risks, with many organizations failing to revoke exposed certificates after disclosure campaigns. Techniques used included Certificate Transparency log analysis and OSINT for attribution, uncovering systemic failures in key management and revocation processes across Fortune 500 companies, healthcare providers, and government agencies. → blog.gitguardian.com |
| 2026-04-11 2026 | 8000+ ChatGPT API Keys Exposed on GitHub news | Analysis of over 8,000 exposed ChatGPT API keys found on GitHub and live websites highlights a critical security gap in AI integration. Cyble Research and Intelligence Labs discovered thousands of hardcoded keys in public GitHub repositories and nearly 3,000 production websites leaking credentials in client-side JavaScript. These exposures, often due to rapid development practices and treating API keys as configuration values, allow immediate abuse for high-volume inference, phishing, malware development, and billing account draining, underscoring that tokens are the new passwords and current security discipline lags behind AI adoption. → thecyberexpress.com |
| 2026-04-11 2026 | Secret Scanning in CI Pipelines using Gitleaks intermediate | Tool for integrating Gitleaks into GitLab CI pipelines for secret scanning. It details setting up a CI job to run Gitleaks against the OWASP Juice Shop application, demonstrating how to detect and prevent secret leaks like API keys, usernames, and secret keys from being committed. The entry also mentions the use of Git hooks as a pre-commit security measure. |
| 2026-04-11 2026 | Add a Local Gitleaks Pre-Commit Hook intermediate | Library for a local Gitleaks pre-commit hook that prevents accidental secrets from entering Git history. It utilizes files within `.git/` for a fast, easily removable safety net, supporting custom configurations via `.gitleaks.toml` and optional team-wide enforcement with Lefthook or GitHub Actions. |
| 2026-04-11 2026 | GitHub Comments Leak Live API Keys news | Tool update. TruffleHog now scans GitHub issues, pull requests, and comments, revealing thousands of live API keys and passwords accidentally posted by human users. Many leakers have no association with the repository, and edited comments can still expose secrets in their history. Secrets are primarily found in plain text, not code blocks, and repositories with commented secrets often also have secrets within their git history. → trufflesecurity.com |
| 2026-04-11 2026 | Secret Scanning Encoded and Archived Data intermediate | Library for automated secret scanning, TruffleHog detects sensitive data within various encoded string formats like Base64, UTF-8, UTF-16, and Escaped Unicode. It also supports scanning archived files, including Unix archives, Debian packages, RPM, CPIO, and common formats such as .zip, .tar, and .gz, efficiently uncovering secrets hidden within compressed data. → trufflesecurity.com |
| 2026-04-11 2026 | How TruffleHog Verifies Secrets intermediate | Library detailing how TruffleHog verifies secrets, moving beyond simple entropy and regex checks. It explains the challenges in programmatically confirming API key validity by testing various endpoints like Doppler's `/v3/me`, handling diverse HTTP responses (including rate limits and error codes), and adapting to API changes and new key types. The library also covers complex verification for database credentials and emphasizes the community's role in maintaining TruffleHog's accuracy and low false-positive rates. → trufflesecurity.com |
| 2026-04-10 2026 | Secret Scanner Comparison: Finding Your Best Tool beginner | Secret Scanner Comparison: Finding Your Best Tool |
| 2026-04-10 2026 | 6 Effective Secret Scanning Tools beginner | Library for automated secret scanning that identifies and protects sensitive information like API keys and database credentials exposed in codebases, logs, or configuration files. It supports detection of various secret types, integrates with development workflows and CI/CD pipelines for early vulnerability detection, and provides actionable remediation insights. Specific tools mentioned include Legit Security, GitGuardian, AWS Secrets Manager, TruffleHog, Doppler, and GitLeaks. |
| 2026-04-10 2026 | Top 8 Git Secrets Scanners in 2026 beginner | Library of eight Git secrets scanners, including Jit, Gitleaks, GitGuardian, HawkScan, AWS Git Secrets Scanner, Spectral, Trufflehog, and GitHub Secret Scanning, designed to detect and neutralize exposed sensitive data like API keys and credentials within code repositories. These tools employ pattern-based and ML detection, custom rules, historical and pre-commit scanning, CI/CD integration, and remediation guidance to prevent data breaches and unauthorized access by shifting security left in the development lifecycle. |
| 2026-04-10 2026 | 8 Best Secret Scanning Tools (2026) beginner | Library for detecting hardcoded credentials, API keys, and tokens. It highlights tools like Gitleaks for pre-commit blocking, TruffleHog for live credential verification, and detect-secrets for legacy codebases. GitGuardian is noted as a leading managed platform, offering real-time monitoring and collaboration tool scanning. The library emphasizes the importance of early detection to prevent data breaches and account takeovers, contrasting the cost of pre-commit remediation with post-commit incident response. → appsecsanta.com |
| 2026-04-10 2026 | Best Secret Scanning Tools in 2025 beginner | Library for detecting hard-coded secrets in code, configurations, and cloud infrastructure. It utilizes pattern recognition, entropy checks, and AI to identify sensitive data like API keys and passwords, aiming to prevent data breaches by automating detection and remediation. Notable features include context-aware detection correlating secrets with other vulnerabilities, one-click remediation for many secret types, and integration into developer workflows via IDE extensions and pre-commit hooks. The library supports broad scanning across Git repositories, container images, and cloud environments, offering a free tier for basic use. → aikido.dev |
| 2026-04-10 2026 | GitHub Leaked API Keys and Secrets Reference news | Reference list of GitHub search queries designed to locate hardcoded API keys and secrets. It includes specific patterns for OpenAI API keys, GitHub OAuth/App/Personal/Refresh Access Tokens, Slack Tokens, Google API keys, Square OAuth/access tokens, and Shopify secrets. The queries utilize file path extensions and keyword combinations to filter results effectively. |
| 2026-04-10 2026 | 23.8 Million Secrets Leaked on GitHub: The Case for Expiring Credentials news | Library for managing secrets; addresses the persistence problem where leaked credentials remain active due to lack of revocation, as seen in the 23.8 million secrets found on GitHub, impacting collaboration tools like Slack and Jira, private repositories, and even increasing with AI assistants like GitHub Copilot. This library focuses on built-in expiration for shared credentials, offering a solution beyond traditional secrets managers like HashiCorp Vault or AWS Secrets Manager. |
| 2026-04-10 2026 | GitHub is Awash with Leaked AI Company Secrets news | Survey of leaked AI company secrets on GitHub by Wiz reveals that 65% of examined companies exposed sensitive data like API keys and tokens. Leaks were found in deleted forks, gists, and developer repositories, potentially exposing organizational structures, training data, or private models. Companies like Anthropic and ElevenLabs were affected, with plaintext API keys and HuggingFace tokens for private models discovered. This research highlights significant security risks, with Palo Alto Networks data showing AI data security incidents doubling. Wiz recommends proactive secret scanning and establishing clear disclosure channels. |
| 2026-04-10 2026 | The State of Secrets Sprawl 2026: AI-Service Leaks Surge 81% news | Report detailing the surge in hardcoded secrets on public GitHub, with AI service leaks increasing 81% and LLM infrastructure leaking 5x faster than core model providers. The analysis highlights insecure patterns in MCP configuration guides, the significant risk of secrets in internal repositories and collaboration tools like Slack and Jira, and the expanding attack surface of developer workstations and CI/CD runners due to AI agents. It also emphasizes the persistent issue of un-remediated valid secrets and the critical need for robust Non-Human Identity (NHI) governance. → blog.gitguardian.com |
| 2026-04-10 2026 | State of Secrets Sprawl Report 2025 news | Report analyzing secrets sprawl in 2024, revealing 4.61% of public repositories contained secrets and 31% of breaches involved stolen credentials. GitGuardian's AI identifies more generic secrets than GitHub's Push Protection, which struggles with keys like MySQL and MongoDB credentials. Private repositories are nine times more likely to leak secrets, with widespread exposures found in Slack, Jira, and Confluence. Leaked secrets include AWS IAM, Slack webhooks, and Azure AD API keys, highlighting risks from misconfigurations, non-human identities, and AI tools like GitHub Copilot. Artifactory token leaks and AWS S3 ransomware attacks demonstrate the severe supply chain and operational impact of exposed credentials. |
| 2026-04-10 2026 | AI Frenzy Feeds Credential Chaos news | Report from GitGuardian on secrets sprawl reveals 28.65 million hardcoded secrets in public GitHub commits in 2025, with exposure extending to internal repositories, collaboration platforms like Slack and Jira, and self-hosted infrastructure. AI development workflows introduce new credentials for model providers and agent frameworks, contributing to the rise in leaked secrets across code and configuration files. Many exposed credentials remain valid for years, complicating remediation efforts and widening the attack surface. → helpnetsecurity.com |
| 2026-04-10 2026 | GitHub Secret Leaks: 13 Million API Credentials in Public Repos news | GitHub Secret Leaks: 13 Million API Credentials in Public Repos |
| 2026-04-10 2026 | Best Secret Scanning Tools For 2026 beginner | Library from SentinelOne scans code repositories for over 750 types of hardcoded secrets, including API keys and cloud tokens, preventing leakage and unauthorized access. It integrates into CI/CD pipelines, supports GitHub, GitLab, and BitBucket, and offers agentless vulnerability scanning with over 1,000 rules. Its CNAPP capabilities include Cloud Security Posture Management, Cloud Workload Security with AI-powered runtime protection, and Cloud Infrastructure Entitlement Management for tightening permissions and reducing alert fatigue. → sentinelone.com |
| 2026-04-10 2026 | 29 Million Secrets Leaked: AI Coding Tools Making It Worse news | Library for detecting hardcoded secrets in code, especially concerning AI coding assistants like Copilot and Claude Code. The GitGuardian 2026 State of Secrets Sprawl report highlights a 34% increase in leaked secrets, with AI-generated code exhibiting a 3.2% secrets leak rate, double that of human-only commits. The library integrates with tools like gitleaks and detect-secrets for pre-commit hooks and CI/CD scanning, and emphasizes .gitignore configurations, secrets vault integration with AWS Secrets Manager and HashiCorp Vault, AI tool configuration audits, and secret rotation policies. |
| 2026-04-10 2026 | The State of Secrets Sprawl 2026: 9 Takeaways for CISOs news | Library of insights from GitGuardian's State of Secrets Sprawl 2026 report detailing the accelerating growth of hardcoded secrets, with 29 million uncovered in 2025. The analysis highlights AI's impact, the 6x higher leak rate in internal repositories, and secrets found outside code in tools like Slack and Jira. It notes the continued validity of leaked secrets and the emergence of developer endpoints as credential aggregation layers, emphasizing the need for non-human identity governance over simple detection. → thehackernews.com |
| 2026-04-10 2026 | The State of Secrets Sprawl 2025 news | Report on the State of Secrets Sprawl 2025 details a significant increase in leaked secrets, with 23.8 million found on public GitHub in 2024, a 25% rise. Generic secrets comprise 58% of leaks, and a troubling 70% of secrets from 2022 remain active, expanding the attack surface. The report highlights that 35% of private repositories also contain secrets, including AWS IAM keys and hardcoded passwords, and secrets are prevalent across the SDLC in tools like Jira and Slack. The U.S. Treasury Department's BeyondTrust breach illustrates the real-world impact of exposed credentials. → blog.gitguardian.com |
| 2026-04-10 2026 | The Complete 2026 Secrets Management Guide beginner | Reference for secrets management, detailing techniques like SOPS with age for encrypted Git commits and Infisical for team-scale self-hosting. It highlights strategies to combat "Secrets Sprawl," including least privilege access, automated rotation, and embedding secrets scanning with tools like Gitleaks in pre-commit hooks and CI/CD pipelines, while warning against plaintext storage, shared super accounts, and unexpiring tokens. |
| 2026-04-08 2026 | AI coding assistants twice as likely to leak secrets as overall leaks rise 34% news | Library detailing the rise of leaked secrets, which saw a 34% increase overall and an 81% surge tied to AI services according to GitGuardian’s State of Secrets Sprawl 2026 report. The report highlighted AI coding assistants are twice as likely to leak secrets. It also referenced the Shai-Hulud supply chain attack in late 2025, which exposed nearly 300,000 secret occurrences on developer machines. A specific incident involved Cursor, an AI coding agent running Claude Opus, deleting PocketOS’s production database and backups. → scworld.com |
| 2026-04-06 2026 | Secure Code Scanning: Basics & Best Practices beginner | Library for secure code scanning, a practice vital for identifying and resolving security flaws, code smells, and data privacy risks across first-party code, third-party libraries, and container images. It leverages techniques like flow-based analysis and pattern matching to detect vulnerabilities such as SQL injection and RCE, citing real-world examples like the MOVEit Transfer and Ollama (CVE-2024-37032) incidents. The library aids in preventing costly data breaches by integrating security into the SDLC and offers Software Composition Analysis (SCA) to manage dependencies and licenses. → wiz.io |
| 2026-04-06 2026 | Zen AI Pentest GitHub Action intermediate | Library for an AI-powered penetration testing framework that integrates with GitHub Actions. It executes real security tools like Nmap, Nuclei, and SQLMap within isolated Docker sandboxes, employing safety controls such as private IP blocking and resource limits. The framework features a ReAct pattern with a state machine, memory system, and multi-agent collaboration for automated tool selection, execution, and self-correction, generating comprehensive PDF, HTML, and DOCX reports with evidence collection and chain of custody. |
| 2026-04-06 2026 | Shift Left Security That Developers Actually Keep Enabled beginner | Library for architecting security checks into CI/CD pipelines based on speed and false positive rates. This framework assigns checks to stages like pre-commit (under 30s), PR checks (under 2m), and merge gates (under 5m) to maintain developer velocity. It recommends secret scanning and targeted SAST for pre-commit, functional security tests and dependency scanning for PR checks, and broad SAST and container scanning for merge gates, with async tasks for remaining checks. |
| 2026-04-06 2026 | CERT-EU Confirms Trivy Supply Chain Attack Led to Credential Exposure news | CERT-EU Confirms Trivy Supply Chain Attack Led to Credential Exposure → cybersecuritynews.com |
| 2026-04-06 2026 | The Claude Code Security Checklist: What the Source Code Reveals intermediate | Library for auditing AI coding assistants, particularly Claude Code, by analyzing its leaked source code. The library details specific security controls organizations should verify, covering aspects like discovering all AI deployments, auditing `.mcp.json` files for MCP server connections, bounding bash tool scope, testing path traversal defenses against various attack vectors, and assessing sub-agent spawning permissions. These controls, applicable to tools like Cursor and GitHub Copilot, aim to mitigate risks exposed by the source leak, such as undocumented deployments and misconfigured MCP servers granting access to sensitive data or production systems. |
| 2026-04-06 2026 | Hardcoded Secrets in AI-Generated Code: Catch Them Before They Ship intermediate | Toolset offering a defensive strategy against hardcoded secrets in AI-generated code, specifically addressing CWE-798. This approach leverages Gitleaks for pre-commit hook protection, preventing secrets from entering repositories, and TruffleHog for deep scanning of git history, S3 buckets, and CI/CD logs with credential verification. The article highlights common AI patterns for leakage, such as inline credentials, client-side bundle leaks, and un-ignored .env files, and emphasizes the importance of these tools for mitigating risks like those seen in the Moltbook incident. |
| 2026-04-03 2026 | AWS Secrets Manager vs HashiCorp Vault [2026] beginner | Comparison of AWS Secrets Manager and HashiCorp Vault analyzes their strengths and weaknesses for enterprise secret management. It highlights differences in secrets storage, access control via IAM versus Vault's policies, and ecosystem integrations. The analysis also touches on scalability, audit capabilities, and user experience, noting Vault's shift to a source-available license and the implementation complexities of both solutions, contrasting them with Infisical's developer-focused open-source alternative. |
| 2026-04-03 2026 | AWS Secrets Engine | HashiCorp Vault beginner | Library for dynamically generating AWS credentials. This secrets engine creates IAM users, assumes roles, or generates federation and session tokens based on defined Vault roles. It supports creating short-lived, time-bound credentials automatically revoked upon lease expiration, offering an alternative to static IAM user management. Configuration involves enabling the engine, setting root AWS credentials for Vault's communication, and defining Vault roles that map to AWS IAM policies and credential types. |
| 2026-04-03 2026 | Researcher Unearths Thousands of Leaked Secrets in GitHub's "Oops Commits" news | Tool, Force Push Scanner, identifies and scans orphaned Git commits for leaked secrets, including GitHub PATs and AWS credentials. Developed by Truffle Security and Sharon Brizinov, this open-source utility leverages GH Archive data and TruffleHog scanning to uncover sensitive information like MongoDB credentials and API tokens potentially exposed in force-pushed or deleted commits, mitigating supply-chain attack risks. |
| 2026-04-03 2026 | How to Detect and Clean Up Leaked Secrets in Your Git Repositories intermediate | Guide on detecting and cleaning leaked secrets in Git repositories. It details using tools like Gitleaks and Trufflehog for detection, and BFG Repo-Cleaner for historical cleanup, emphasizing the importance of backups due to the destructive nature of history manipulation. |
| 2026-04-03 2026 | Secret Scanning Tools 2026: Protect Code and Prevent Credential Leaks beginner | Library for detecting and preventing secret leaks in code, offering continuous scanning, broad detector coverage for AWS, GCP, Azure, and internal tokens, and integration with GitHub, GitLab, and Slack. It utilizes pattern matching, entropy detection, and context-aware validation, with machine learning to reduce false positives and dedicated remediation workflows to address detected issues across the software development lifecycle. → blog.gitguardian.com |
| 2026-04-03 2026 | TruffleHog vs. Gitleaks: A Detailed Comparison intermediate | Library comparing TruffleHog and Gitleaks, popular secret scanning tools that identify hardcoded secrets like API keys and tokens within codebases and other environments. TruffleHog offers extensive scanning across S3 buckets and Docker images with advanced verification, while Gitleaks provides a lightweight, fast, and user-friendly experience focused on code repositories, excelling in CI environments. Both integrate into the SDLC to proactively detect and rectify leaked credentials, preventing unauthorized access and security breaches. |
| 2026-04-03 2026 | Why 28 Million Credentials Leaked on GitHub in 2025 | Snyk news API Sec | Library for detecting and preventing leaked secrets, including API keys, database passwords, cloud IAM credentials, and AI service keys. It addresses accidental commits to Git, insecure .env file practices, supply chain attacks via malicious packages like Shai-Hulud and compromised versions of TruffleHog, and leaks through non-code surfaces such as Slack, Jira, and Docker Hub. The library also highlights the growing risk from AI-assisted development and MCP server credentials, differentiating its secret scanning capabilities from SAST tools by emphasizing the analysis of full Git history, including deleted files. → snyk.io |
| 2026-04-03 2026 | Gitleaks - Find Secrets with Gitleaks beginner | Tool for detecting secrets like passwords, API keys, and tokens in git repos, files, and via stdin. Gitleaks supports scanning via `git`, `dir`, and `stdin` commands, and can be integrated as a pre-commit hook or GitHub action. It allows for baseline scanning to ignore old findings and custom rule configuration. |
| 2026-04-03 2026 | TruffleHog - Find, Verify, and Analyze Leaked Credentials beginner | Tool for discovering, classifying, validating, and analyzing leaked credentials. TruffleHog scans Git, Jira, Slack, Confluence, Microsoft Teams, SharePoint, S3 buckets, GCS, and Docker images for over 800 secret types, including API keys and database passwords. It can verify if secrets are live and enrich findings by determining resource access and permissions. TruffleHog includes protections against malicious Git configurations, addressing CVE-2025-41390. |
| 2026-04-03 2026 | Secrets Management - OWASP Cheat Sheet Series beginner | Cheatsheet outlining best practices for secrets management, crucial for DevOps environments. It covers high availability, centralization and standardization of secret storage, fine-grained access control based on the Least Privilege principle, and automation of secret management through pipelines, dynamic secrets, and automated rotation. Architectural patterns are illustrated with examples like Kubernetes sidecar containers for HashiCorp Vault and serverless functions for AWS Secrets Manager. → cheatsheetseries.owasp.org |
| 2026-03-02 2026 | Breaking the Trust Boundary: SSRF via a Misconfigured Sentry Tunnel intermediate SSRF | Free Article Link: Click for free! → infosecwriteups.com |
| 2026-02-02 2026 | depthfirst | 1-Click RCE To Steal Your Moltbot Data and Keys advanced AI RCE | Analysis of CVE-2026-25253 in OpenClaw details a 1-click RCE exploit achieved by chaining a logic flaw in gateway URL ingestion with Cross-Site WebSocket Hijacking (CSWSH). The vulnerability allows an attacker to steal authentication tokens, bypass localhost restrictions, disable security features like user confirmations and sandboxing via API calls, and execute arbitrary commands on the victim's machine. |
| 2025-08-24 2025 | GitHub - dele-to/dele-to: Share sensitive credentials and secrets securely with client-side AES-256 encryption, zero-knowledge architecture, and automatic self-destruction. beginner | Library for securely sharing sensitive credentials and secrets, DELE.TO employs client-side AES-256-GCM encryption and a zero-knowledge architecture, ensuring encryption keys never reach the server. It features automatic self-destruction through configurable expiration times and view limits, offering an alternative to tools like PasswordPusher and Bitwarden Send. |
| 2025-03-10 2025 | GitHub - vsec7/BurpSuite-Xkeys: A Burp Suite Extension to extract interesting strings (key, secret, token, or etc.) from a webpage. intermediate Burp | Extension for Burp Suite that passively scans webpages to extract interesting strings like keys, secrets, and tokens. It lists these findings as information issues and can be configured by adding the Python script through the Extender tab after setting up the Jython environment. The extension identifies assets and displays results in the issues box and extender output, supporting various key-value pair formats. |
| 2025-03-08 2025 | GitHub - trufflesecurity/trufflehog-burp-suite-extension: Official TruffleHog Burp Suite Extension. Scan Burp Suite traffic for 800+ different types of secrets (API keys, passwords, SSH keys, etc) using TruffleHog. intermediate Burp | Extension for Burp Suite that scans HTTP traffic for over 800 types of secrets, including API keys, passwords, and SSH keys, leveraging TruffleHog. It operates by writing traffic to temporary files and invoking TruffleHog scans every 10 seconds, reporting findings in a dedicated tab. The extension supports secret verification and can be configured to scan various Burp Suite traffic sources. |
| 2024-10-24 2024 | Cryptography — The Hitchhiker's Guide to Python beginner Python | Library for Python cryptography, offering a high-level `Fernet` symmetric encryption recipe and low-level "hazmat" primitives. Includes GPGME Python bindings for access to the GNU Privacy Guard suite, supporting encryption and decryption using GPG and S/MIME engines. Examples demonstrate generating keys, encrypting and decrypting messages, and file encryption. |
| 2024-09-11 2024 | Browser Stored Credentials beginner | Library for harvesting credentials from browsers, focusing on T1555.003. It details how modern browsers like Chrome and Edge utilize DPAPI for encrypting user credentials and outlines the file locations for storing this sensitive data. The library discusses tools like Lazagne, SharpChrome, and DonPAPI, emphasizing that detection should focus on the behavior of processes accessing credential files and the CryptUnprotectData API, rather than signature-based methods. It provides a playbook for purple teams to emulate this technique and assess SOC detection capabilities. |
| 2024-08-27 2024 | Thousands of Corporate Secrets Were Left Exposed. This Guy Found Them All news OSINT | Writeup detailing researcher Bill Demirkapi's methods for discovering thousands of hard-coded developer secrets, including API keys and credentials for entities like Nebraska's Supreme Court and Stanford University, by leveraging VirusTotal's Retrohunt feature and YARA rules. The writeup also covers his identification of 66,000 websites with dangling subdomain issues, which could lead to hijacking and other attacks, using passive DNS replication data. Demirkapi developed an automated revocation process for exposed secrets, notably with OpenAI's assistance. → wired.com |
| 2023-11-08 2023 | maxgoedjen/secretive beginner | Library for securing SSH private keys using macOS Secure Enclave and Touch ID, preventing export and enabling authenticated access. It also supports Smart Cards like YubiKeys for Macs lacking Secure Enclaves, and provides access notifications. Builds are attested via GitHub Artifact Attestation, and Secretive relies on Keychain APIs for key management, requiring consistent bundle IDs for successful access. Secrets stored in the Secure Enclave are non-exportable, necessitating recreation on new machines. |
| 2023-09-06 2023 | Results of Major Technical Investigations for Storm-0558 Key Acquisition news AuthN | Results of Major Technical Investigations for Storm-0558 Key Acquisition https://ift.tt/ikRNGrj |
| 2023-08-22 2023 | OWASP/wrongsecrets beginner | Game challenging users to find intentionally hidden secrets within code, configuration files, Docker containers, and cloud deployments. It provides over 65 real-world examples of common secrets management mistakes, including exposed credentials in Spring Boot applications, and offers online and local Docker-based setups. Advanced users can explore Kubernetes and cloud challenges, utilizing tools like Minikube and cloud accounts for practical learning. |
| 2023-08-05 2023 | How To Keep A Secret in Python Apps intermediate Python | Library for managing secrets in Python applications, emphasizing that hard-coding credentials like API keys and database passwords in source code is a major security risk. It highlights the `keyring` Python library for secure OS-native storage, the importance of threat modeling, and suggests tools like password managers, PinPal for memorization, and macOS Keychain for user-prompted secret access. The library also touches on secure CI/CD practices with GitHub Actions secrets and the fundamental need for local machine security through disk encryption. |
| 2022-03-17 2022 | Favorite tweet by @0x1shu beginner Bug Bounty | Favorite tweet: 🧙♂️Git Secrets Leaks Simplified by @sec_r0 ✨ In this flyer, you'll learn about how git works and the reason behind the git secrets leaks. Download the flyer: https://t.co/zMruBpl6c4 ... |
| 2022-01-15 2022 | Source Code Disclosure via Exposed .git Folder intermediate | Source Code Disclosure via Exposed .git Folder |
| 2021-10-14 2021 | Finding Sensitive Data Leaks In Code Using ShiftLeft CORE intermediate | Finding Sensitive Data Leaks In Code Using ShiftLeft CORE |
| 2021-10-10 2021 | New CS proposal: Avoiding password and sensitive shared data transmission #685 beginner AuthN | Cheatsheet proposal addressing secure password and sensitive data transmission by leveraging HMAC. This approach allows users to authenticate without sending passwords to the server, mitigating transmission-related attacks. The objective is to educate developers that passwords need only be handled on the client-side for authentication verification, with the server only involved during initial password setup for secure hashing and storage. This method avoids the need for server-side password processing in many use cases, referencing IETF RFC 2104. |
| 2021-09-20 2021 | TruffleHog The Chrome Extension beginner | Tool for detecting API keys and other secrets like `.git` directories and `.env` files within JavaScript code and client-side applications. It leverages permissive CORS headers from services like AWS to identify instances where credentials might be inadvertently exposed, as demonstrated by an example on weather.com. The extension can be side-loaded while awaiting review on the Google Extension Store. → trufflesecurity.com |
| 2021-08-24 2021 | The last S3 security document that well ever need and how to use it beginner | The last S3 security document that well ever need and how to use it |
| 2021-06-21 2021 | 0 : 2 Secrets Management 05202021.pptx beginner | This presentation, titled "Secrets Management," from May 20, 2021, likely covers strategies and best practices for securely managing sensitive information like API keys, passwords, and certificates within an organization. Key topics would probably include identifying what constitutes a "secret," common vulnerabilities, and methods for protecting these secrets throughout their lifecycle, from creation to rotation and eventual destruction. The goal is to prevent unauthorized access and data breaches by implementing robust secrets management solutions. No specific bug bounty payout amount is mentioned in the provided title. |
Frequently Asked Questions
- How do secrets leak into code repositories?
- Secrets commonly leak through developer mistakes: hardcoding API keys during development, committing .env files, leaving credentials in test fixtures, pasting tokens into comments, or including secrets in Docker build arguments. Even if removed in later commits, secrets persist in git history unless the repository is rewritten with tools like git-filter-repo or BFG Repo Cleaner.
- What tools detect leaked secrets?
- TruffleHog and GitLeaks scan git repositories for high-entropy strings and known credential patterns. GitHub Secret Scanning alerts on known token formats from partner services. Pre-commit hooks using detect-secrets or gitleaks can prevent commits containing secrets. For CI/CD, tools like talisman and SpectralOps provide pipeline-level scanning.
- What should you do when a secret is leaked?
- Immediately rotate the compromised credential — assume it has been captured. Revoke the old key, generate a new one, and update all systems using it. Then remove the secret from git history if it was committed. Review access logs for the compromised credential to assess if it was exploited. Finally, implement prevention measures to stop future leaks.
Weekly AppSec Digest
Get new resources delivered every Monday.