Secret Scanning and Leak Prevention
Despite best practices, secrets occasionally leak into inappropriate locations like source code, container images, or logs. Secret scanning tools detect these leaks before they reach production. Integration into CI/CD pipelines prevents deployment of artifacts containing exposed secrets.
Pre-commit hooks provide the first line of defense against secret leaks. Tools like detect-secrets, git-secrets, or truffleHog scan commits for patterns matching common secret formats. These tools maintain flexibility through custom pattern definitions while minimizing false positives through entropy analysis and allowlisting.
# Secret scanning in CI/CD pipeline
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
  name: secret-scan
spec:
  params:
    - name: image
      description: Image to scan
  steps:
    - name: scan-image
      image: aquasec/trivy:latest
      command:
        - trivy
        - image
        - --scanners      # successor of the deprecated --security-checks flag
        - secret
        - --exit-code
        - "1"
        - $(params.image)
    - name: scan-filesystem
      image: trufflesecurity/trufflehog:latest
      command:
        - trufflehog
        - filesystem
        - /workspace/source
        - --json
        - --fail          # non-zero exit when any secret is found
        - --exclude-paths=/workspace/.secretsignore
    - name: scan-git-history
      image: awslabs/git-secrets:latest
      script: |
        #!/bin/bash
        set -e
        cd /workspace/source
        git secrets --install
        # git-secrets ships only the AWS pattern set; other providers' patterns
        # are added with `git secrets --add <pattern>`
        git secrets --register-aws
        git secrets --scan-history
Runtime secret leak detection complements static scanning by monitoring running applications. Log aggregation systems can scan for secret patterns in application logs. Network monitoring can detect secrets transmitted in plaintext. These runtime controls catch leaks that static analysis might miss.
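The pattern-matching, entropy-analysis and allowlisting approach described above, applied to both source lines and log lines, as an added example that is not part of the original text; the regexes, the 3.5-bit entropy threshold and the sample lines are constructed assumptions.

```python
import math
import re

# Assumed detection rules: the AWS access key ID has a fixed, well-known shape;
# the generic rule catches long values assigned to secret-like names.
PATTERNS = {
    "aws-access-key-id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "generic-secret-assignment": re.compile(
        r"(?i)\b(?:api[_-]?key|secret|token|password)\b\s*[:=]\s*['\"]?"
        r"([A-Za-z0-9+/=_\-]{16,})"),
}
ENTROPY_THRESHOLD = 3.5  # bits per character; assumed tuning value

# Constructed sample input mixing source lines and an application log line.
SAMPLE_LINES = [
    'aws_access_key_id = "AKIAEXAMPLEEXAMPLE01"',          # real-shaped key
    '# AKIAIOSFODNN7EXAMPLE is the documented placeholder',  # allowlisted
    'api_key = "changeme_changeme_1"',                      # low-entropy placeholder
    'token: "xK9mQ2pL7vR4wN8bT3yH6cJ1"',                    # high-entropy value
    'DEBUG config loaded: secret=3f9aK2bQ7mZp1xLw8nRt5vYc',  # leaked into a log
]


def shannon_entropy(s):
    """Shannon entropy of s in bits per character (0.0 for empty input)."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_lines(lines, allowlist=()):
    """Return (line_no, rule, value) for each suspected secret.
    allowlist holds exact values (e.g. documented example keys) to ignore."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        for rule, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                value = m.group(1)
                if value in allowlist:
                    continue
                # Fixed-format rules are trusted on shape alone; the generic rule
                # also requires high entropy so placeholders do not fire.
                if rule.startswith("generic") and shannon_entropy(value) < ENTROPY_THRESHOLD:
                    continue
                findings.append((line_no, rule, value))
    return findings
```

Running `scan_lines(SAMPLE_LINES, allowlist={"AKIAIOSFODNN7EXAMPLE"})` reports lines 1, 4 and 5 only; the same scan over a log stream is what a log aggregation rule would implement.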