appsec.fyi

Secrets & Credential Leaks Resources


A curated AppSec resource library covering XSS, SQLi, SSRF, IDOR, RCE, XXE, OSINT, and more.

Secrets & Credential Leaks

Secrets management and credential leak prevention address one of the most common and impactful security failures in modern software development. Hardcoded API keys, database passwords, cloud credentials, and private keys regularly appear in source code repositories, CI/CD configurations, container images, client-side JavaScript, and log files. Tools like TruffleHog, Gitleaks, and GitHub Secret Scanning detect exposed credentials in repositories, while vault solutions like HashiCorp Vault, AWS Secrets Manager, and cloud KMS services provide secure runtime secret injection. The impact of leaked credentials can be devastating — exposed AWS keys can lead to full cloud account compromise within minutes, and leaked database credentials can result in complete data breaches. Prevention requires secrets scanning in CI/CD pipelines, pre-commit hooks, environment-based secret injection, and credential rotation policies.

Date Added  Year      Link
2026-04-22  NEW 2026  UNC6426 Exploits nx npm Supply-Chain Attack to Gain AWS Admin Access in 72 Hours
2026-04-22  NEW 2026  The State of Non-Human Identity Security (CSA Survey Report)
2026-04-22  NEW 2026  Secrets Management in 2026: Vault, AWS Secrets Manager, and Beyond
2026-04-22  NEW 2026  GitHub Secret Scanning 2026: New Patterns, Push Protection
2026-04-22  NEW 2026  Top 10 Non-Human Identity Security Tools and Platforms for 2026
2026-04-22  NEW 2026  CVE-2026-5807: HashiCorp Vault DoS via Unauthenticated Root Token Generation
2026-04-22  NEW 2026  CVE-2026-3605: HashiCorp Vault KVv2 Metadata Policy Bypass (DoS)
2026-04-22  NEW 2026  AI Is Fueling Secrets Sprawl: GitGuardian Reports 81% Surge of AI-Service Leaks
2026-04-22  NEW 2026  HCSEC-2026-08: Vault DoS via Unauthenticated Root Token Generation
2026-04-22  NEW 2026  HCSEC-2026-05: Vault KVv2 Metadata Policy Bypass DoS
2026-04-19  NEW 2026  Compromised IAM Credentials Power Large AWS Crypto Mining Campaign
2026-04-19  NEW 2026  Pre-Commit Hooks for Secret Detection: Setup in 10 Minutes
2026-04-19  NEW 2026  Understanding Your Organization's Exposure to Secret Leaks — GitHub
2026-04-19  NEW 2026  Exposed Developer Secrets Surge: AI Drives 34% Increase in 2025
2026-04-19  NEW 2026  GitHub Found 39M Secret Leaks in 2024 — The GitHub Blog
2026-04-17  NEW 2026  Non-human identities: What they are and how to secure them (Netwrix)
2026-04-17  NEW 2026  Top non-human identity (NHI) platforms of 2025 (Doppler)
2026-04-17  NEW 2026  What Are Non-Human Identities? Complete NHI Security Guide 2025
2026-04-17  NEW 2026  TruffleHog: Deep Dive on Secret Management (Jit)
2026-04-17  NEW 2026  TruffleHog Open Source v3 vs GitGuardian
2026-04-17  NEW 2026  git-secret-scanner: Find secrets with TruffleHog & Gitleaks
2026-04-17  NEW 2026  Gitleaks vs TruffleHog 2026 Benchmarks (AppSec Santa)
2026-04-17  NEW 2026  Rafter: detect-secrets vs gitleaks vs TruffleHog
2026-04-17  NEW 2026  SEC02-BP03 Store and use secrets securely (AWS Well-Architected)
2026-04-17  NEW 2026  AWS Secrets Manager: Secure Credential Storage & Best Practices
2026-04-17  NEW 2026  Practical steps to minimize key exposure using AWS Security (AWS)
2026-04-17  NEW 2026  AWS API Keys / Secrets / Tokens Exposure Remediation
2026-04-17  NEW 2026  Integrating HashiCorp Vault with Kubernetes for Secrets Mgmt
2026-04-17  NEW 2026  HashiCorp Vault Kubernetes: The Definitive Guide (Plural)
2026-04-17  NEW 2026  A Hands-On Guide to Vault in Kubernetes
2026-04-17  NEW 2026  Securing Kubernetes Secrets with HashiCorp Vault (InfraCloud)
2026-04-17  NEW 2026  Manage Kubernetes native secrets with Vault Secrets Operator
2026-04-17  NEW 2026  Secret detection (GitLab Docs)
2026-04-17  NEW 2026  Find secrets with GitHub secret risk assessment
2026-04-17  NEW 2026  About secret scanning (GitHub Docs)
2026-04-16  NEW 2026  Do Not Use Secrets in Environment Variables
2026-04-16  NEW 2026  Environment Variables Don't Keep Secrets
2026-04-16  NEW 2026  From .env to Leakage: Mishandling of Secrets by Coding Agents
2026-04-16  NEW 2026  Secret Detection in Application Security
2026-04-16  NEW 2026  29 Million Leaked Secrets: How AI Coding Tools Are Making It Worse
2026-04-16  NEW 2026  The State of Secrets Sprawl 2026 - GitGuardian Annual Report
2026-04-11  2026      Terraform Secrets Management Best Practices
2026-04-11  2026      AWS IAM Roles Anywhere Workload Identities
2026-04-11  2026      External Secrets Operator: Introduction
2026-04-11  2026      Google Cloud SIEM Service Account Token Leak
2026-04-11  2026      Secret Rotation: How It Works
2026-04-11  2026      Secret Auto Rotation with Secrets Store CSI Driver
2026-04-11  2026      Secretless GitHub Actions to AWS via OIDC
2026-04-11  2026      OIDC Security Hardening for GitHub Actions
2026-04-11  2026      Hardening HashiCorp Vault Best Practices
2026-04-11  2026      HashiCorp Vault Production Hardening Guide
2026-04-11  2026      Leaked Env Variables Allow Large-Scale Cloud Extortion
2026-04-11  2026      CVE-2025-68429: Storybook .env Secrets Exposure
2026-04-11  2026      10K Docker Images Spray Live Cloud Creds
2026-04-11  2026      10,000+ Docker Hub Images Leaking Credentials
2026-04-11  2026      Thousands of Secrets Exposed on Docker Hub
2026-04-11  2026      What Happens When You Leak AWS API Keys?
2026-04-11  2026      CloudKeys in the Air: Exposed IAM Keys Cryptojacking
2026-04-11  2026      AWS Customer Security Incidents Repository
2026-04-11  2026      2,622 Valid Certificates Exposed: Google-GitGuardian Study
2026-04-11  2026      8000+ ChatGPT API Keys Exposed on GitHub
2026-04-11  2026      Secret Scanning in CI Pipelines using Gitleaks
2026-04-11  2026      Add a Local Gitleaks Pre-Commit Hook
2026-04-11  2026      GitHub Comments Leak Live API Keys
2026-04-11  2026      Secret Scanning Encoded and Archived Data
2026-04-11  2026      How TruffleHog Verifies Secrets
2026-04-10  2026      Secret Scanner Comparison: Finding Your Best Tool
2026-04-10  2026      6 Effective Secret Scanning Tools
2026-04-10  2026      Top 8 Git Secrets Scanners in 2026
2026-04-10  2026      8 Best Secret Scanning Tools (2026)
2026-04-10  2026      Best Secret Scanning Tools in 2025
2026-04-10  2026      GitHub Leaked API Keys and Secrets Reference
2026-04-10  2026      23.8 Million Secrets Leaked on GitHub: The Case for Expiring Credentials
2026-04-10  2026      29 Million Secrets Leaked on GitHub: AI Coding Tools Made It Worse
2026-04-10  2026      GitHub is Awash with Leaked AI Company Secrets
2026-04-10  2026      The State of Secrets Sprawl 2026: AI-Service Leaks Surge 81%
2026-04-10  2026      State of Secrets Sprawl Report 2025
2026-04-10  2026      AI Frenzy Feeds Credential Chaos
2026-04-10  2026      GitHub Secret Leaks: 13 Million API Credentials in Public Repos
2026-04-10  2026      Best Secret Scanning Tools For 2026
2026-04-10  2026      29 Million Secrets Leaked: AI Coding Tools Making It Worse
2026-04-10  2026      The State of Secrets Sprawl 2026: 9 Takeaways for CISOs
2026-04-10  2026      The State of Secrets Sprawl 2025
2026-04-10  2026      The Complete 2026 Secrets Management Guide
2026-04-06  2026      Zen AI Pentest GitHub Action
2026-04-06  2026      Shift Left Security That Developers Actually Keep Enabled
2026-04-06  2026      CERT-EU Confirms Trivy Supply Chain Attack Led to Credential Exposure
2026-04-06  2026      The Claude Code Security Checklist: What the Source Code Reveals
2026-04-06  2026      Hardcoded Secrets in AI-Generated Code: Catch Them Before They Ship
2026-04-03  2026      AWS Secrets Manager vs HashiCorp Vault [2026]
2026-04-03  2026      AWS Secrets Engine | HashiCorp Vault
2026-04-03  2026      Researcher Unearths Thousands of Leaked Secrets in GitHub's "Oops Commits"
2026-04-03  2026      How to Detect and Clean Up Leaked Secrets in Your Git Repositories
2026-04-03  2026      Secret Scanning Tools 2026: Protect Code and Prevent Credential Leaks
2026-04-03  2026      TruffleHog vs. Gitleaks: A Detailed Comparison
2026-04-03  2026      Why 28 Million Credentials Leaked on GitHub in 2025 | Snyk
2026-04-03  2026      Gitleaks - Find Secrets with Gitleaks
2026-04-03  2026      TruffleHog - Find, Verify, and Analyze Leaked Credentials
2026-04-03  2026      Secrets Management - OWASP Cheat Sheet Series
                      Excerpt: Website with the collection of all the cheat sheets of the project.

Frequently Asked Questions

How do secrets leak into code repositories?
Secrets commonly leak through developer mistakes: hardcoding API keys during development, committing .env files, leaving credentials in test fixtures, pasting tokens into comments, or including secrets in Docker build arguments. Even if removed in later commits, secrets persist in git history unless the repository is rewritten with tools like git-filter-repo or BFG Repo Cleaner.

What tools detect leaked secrets?
TruffleHog and Gitleaks scan git repositories for high-entropy strings and known credential patterns. GitHub Secret Scanning alerts on known token formats from partner services. Pre-commit hooks using detect-secrets or Gitleaks can prevent commits containing secrets. For CI/CD, tools like Talisman and SpectralOps provide pipeline-level scanning.

What should you do when a secret is leaked?
Immediately rotate the compromised credential — assume it has been captured. Revoke the old key, generate a new one, and update all systems using it. Then remove the secret from git history if it was committed. Review access logs for the compromised credential to assess whether it was exploited. Finally, implement prevention measures to stop future leaks.
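As an added example that is not part of this resource page or of any tool it lists, the Python script below implements the two detection strategies the FAQ describes, known credential patterns and high-entropy strings, in the shape of a pre-commit hook that fails the commit when a finding exists. The AKIA and ghp_ prefix regexes, the 3.5-bit entropy threshold, the 16-character minimum value length and the sample files are all assumptions made for this example; the sample AWS values are the placeholder key and secret that AWS uses in its own documentation, and the GitHub token is made up, so none of them are live credentials.

```python
import math
import re
from collections import Counter
from typing import Dict, List, NamedTuple

# Known-format rules: token shapes that need no entropy test.
# AWS access key IDs begin with "AKIA"; classic GitHub personal access
# tokens begin with "ghp_". Both patterns are assumptions for this example.
SPECIFIC_RULES = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github-pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}

# Generic rule: an assignment whose name looks like a credential and whose
# value is a long token-like string. Shannon entropy then decides whether
# the value looks random (a real secret) or is just a word ("changeme").
KEYWORD_ASSIGNMENT = re.compile(
    r"(?i)(?:api[_-]?key|secret|password|passwd|token|access[_-]?key)"
    r"[A-Za-z0-9_]*\s*[=:]\s*[\"']?([A-Za-z0-9+/=_\-]{16,})"
)
ENTROPY_THRESHOLD = 3.5  # bits per character; an assumed cut-off, tune per codebase


class Finding(NamedTuple):
    path: str
    line: int
    rule: str
    redacted: str  # never echo the full secret back into logs or CI output


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character of `value` (0.0 for a single repeated char)."""
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Keep a short prefix so the finding can be identified, mask the rest."""
    return value[:4] + "*" * (len(value) - 4)


def scan_text(path: str, text: str) -> List[Finding]:
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        matched = False
        for rule, pattern in SPECIFIC_RULES.items():
            for m in pattern.finditer(line):
                findings.append(Finding(path, lineno, rule, redact(m.group(0))))
                matched = True
        if matched:
            continue  # do not report a known-format token a second time as generic
        m = KEYWORD_ASSIGNMENT.search(line)
        if m and shannon_entropy(m.group(1)) >= ENTROPY_THRESHOLD:
            findings.append(Finding(path, lineno, "high-entropy-assignment", redact(m.group(1))))
    return findings


def scan_files(files: Dict[str, str]) -> List[Finding]:
    """Scan a mapping of path -> file contents (what a hook gets from `git diff --cached`)."""
    out: List[Finding] = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


def run_hook(files: Dict[str, str]) -> int:
    """Pre-commit semantics: print findings, return non-zero to block the commit."""
    findings = scan_files(files)
    for f in findings:
        print(f"{f.path}:{f.line}: {f.rule} {f.redacted}")
    return 1 if findings else 0


# Constructed sample staged files. Note the limits of the approach: the short
# low-entropy password "hunter2" on .env line 2 is NOT caught by either rule,
# which is why keyword scanners are paired with reviews and secret vaults.
SAMPLE_FILES = {
    ".env": (
        "DB_HOST=db.internal.example\n"
        "DB_PASSWORD=hunter2\n"
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    "Dockerfile": (
        "FROM python:3.12-slim\n"
        "ARG API_KEY=changeme\n"
    ),
    "src/config.py": (
        "import os\n"
        "DB_URL = os.environ.get(\"DB_URL\")\n"
        "# TODO remove before release: token=ghp_0123456789abcdefghijABCDEFGHIJklmnop\n"
    ),
}

if __name__ == "__main__":
    print("exit code:", run_hook(SAMPLE_FILES))
```

Against the sample files the hook reports the AKIA key on .env line 3, the high-entropy secret access key on line 4 and the token pasted into a comment in src/config.py, and returns 1; "hunter2" and "changeme" pass, which is the false-negative side of entropy-based scanning that the FAQ's tool comparisons discuss.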
