IntermediateLesson 4 of 10

Secret Scanning

Detect leaked credentials like API keys, passwords, and tokens before they are abused.

Simple Explanation (ELI5)

Secret scanning is a guard that checks your commits for things that should never be public, like private keys and access tokens.

Technical Explanation

Secret scanning uses pattern matching and provider validation to detect sensitive strings in commits, branches, and history. Partner patterns can trigger provider-side revocation workflows.

Visual Section

Commit

→

Pattern Match

→

Alert

→

Rotate Secret

Hands-on Commands

bash

# Simulate accidental secret commit
printf "AWS_SECRET_ACCESS_KEY=abc123" >> .env
git add .env
git commit -m "test: add env file"

# Corrective action
git rm --cached .env
echo ".env" >> .gitignore
git add .gitignore
git commit -m "fix: remove env file from tracking"

# Rotate leaked key in cloud provider immediately

Debugging Scenarios

No alert for obvious secret: Pattern may not be supported; add custom pattern.
False positive on test string: Mark resolved with reason and refine pattern.
Secret removed but alert remains: Alert tracks historical leak; rotate key and close appropriately.
Large history leak: Rotate credentials first, then clean history if policy requires.

Real-world Use Case

A developer committed a cloud API key to a public repo. Secret scanning alert arrived within minutes, key was revoked, and no abuse occurred.

Interview Questions

Beginner

What is secret scanning?▾

Automated detection of exposed credentials in repositories.

Examples of secrets?▾

API keys, private keys, passwords, tokens.

First action after secret leak?▾

Rotate/revoke the secret immediately.

Why .gitignore is not enough?▾

It prevents future tracking, not historical leaks already committed.

Can secret scanning prevent all leaks?▾

No, but it drastically reduces exposure time.

Intermediate

How handle false positives?▾

Investigate, document, and tune rules or custom patterns.

What are custom patterns?▾

Organization-defined regex patterns for proprietary secrets.

Does deleting file close risk?▾

No. Key may still be compromised; always rotate.

What is push protection?▾

Feature blocking pushes containing detected secrets.

How integrate incident response?▾

Automate alert routing to SOC/on-call and key rotation playbooks.

Scenario-based

Leaked production DB password in merged PR. Steps?▾

Rotate password, invalidate sessions, assess access logs, and close alert with evidence.

Secret leak repeats monthly. Long-term fix?▾

Enable push protection, pre-commit scanning, and developer training.

Third-party token leaked but provider unavailable.▾

Disable integration temporarily and restrict network paths until token replaced.

Massive monorepo has many historical leaks.▾

Prioritize active secrets, rotate high-risk first, then phased cleanup.

Developer asks to suppress all secret alerts in test repo.▾

Use scoped policy; never blanket-disable where credentials are real.

Summary

Secret scanning is one of the highest-value controls in GHAS because leaked credentials can lead to immediate compromise.

PreviousCode Scanning ← Back to Course NextDependency Scanning