#14 · DELIVERY · SCAN
Secrets Detection
Prevent secrets in code
Easy
Overview
Scan commits for accidentally committed secrets like API keys, passwords, tokens, and certificates.
Why It Matters
Never commit API keys, passwords, or tokens. Automated scanning catches the mistakes that happen anyway before they turn into breaches.
The Risk
Committed secrets lead to unauthorized access. Attackers continuously scan public repositories for credentials and often use a leaked key within minutes. Private repositories leak too: when employees leave, when accounts are compromised, or when a repository is cloned or mirrored somewhere less protected. Once a secret is in git history it must be treated as compromised and rotated; deleting the file or rewriting the commit does not revoke it.
Implementation Components
A complete implementation of this capability includes:
- Pre-commit hooks that scan staged changes for secret patterns before they enter history
- CI checks that block merges if secrets are detected, so a bypassed hook is still caught
- Full history scanning for secrets that were committed before the checks existed (a hook only sees new commits)
- Pattern matching for common secret formats (cloud access keys, personal access tokens, private key headers)
- Low false-positive rate through entropy analysis, allowlists for documented placeholders and test fixtures, and inline suppressions
- Incident response plan for when secrets are found: rotate and revoke first, audit where the credential was used, then clean up history
Implementation Pattern
1. Scan commits for patterns
2. Block commits with secrets
3. Alert on findings
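The three steps above, together with the entropy, allowlist and history-scan components listed earlier, as one added example. This is illustrative code written for this page, not the project's own tool or any vendor's scanner: the rule set, the entropy threshold, the `secrets-scan` naming and the sample input are all assumptions. It scans text for known secret formats and high-entropy strings, suppresses documented placeholders, exits non-zero to block a commit, and can be pointed at the staged diff (pre-commit) or at the whole history.

```python
"""Added example: a minimal secrets scanner usable as a pre-commit hook, a CI gate,
or a full-history scan. Rules, threshold and sample input are illustrative assumptions."""
import math
import re
import subprocess
import sys
from collections import Counter
from dataclasses import dataclass

# Hypothetical rule set. A regex either names the secret with (?P<secret>...) or the
# whole match is the secret. Specific formats come before the generic assignment rule.
RULES = [
    ("aws-access-key-id", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")),
    ("github-pat", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    ("private-key", re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH |)PRIVATE KEY-----")),
    ("generic-assignment", re.compile(
        r"(?i)(?:api[_-]?key|secret|password|token)\s*[:=]\s*['\"]?"
        r"(?P<secret>[A-Za-z0-9_\-/+=]{16,})")),
]
# Documented placeholders (e.g. values copied from vendor docs) that must never fire.
ALLOWLIST = {"AKIAIOSFODNN7EXAMPLE"}
# Entropy pass: long tokens with no known format, judged by Shannon entropy.
CANDIDATE = re.compile(r"[A-Za-z0-9+/=_\-]{24,}")
ENTROPY_THRESHOLD = 4.5   # bits per character; assumed value, tune per alphabet and codebase


@dataclass(frozen=True)
class Finding:
    rule: str
    line_no: int   # line within the scanned text (for diffs: the stream of added lines)
    match: str


def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits per character (exactly 5.0 for 32 distinct characters)."""
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def scan_text(text: str) -> list[Finding]:
    """Run the pattern rules, then the entropy pass, over every line of text."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), 1):
        spans: list[tuple[int, int]] = []   # character ranges already flagged on this line

        def overlaps(span: tuple[int, int]) -> bool:
            return any(span[0] < e and span[1] > s for s, e in spans)

        for name, rx in RULES:
            for m in rx.finditer(line):
                grp = "secret" if "secret" in m.groupdict() else 0
                token, span = m.group(grp), m.span(grp)
                if token in ALLOWLIST or overlaps(span):
                    continue   # placeholder, or a more specific rule already fired here
                findings.append(Finding(name, line_no, token))
                spans.append(span)
        for m in CANDIDATE.finditer(line):
            if (m.group(0) not in ALLOWLIST and not overlaps(m.span())
                    and shannon_entropy(m.group(0)) >= ENTROPY_THRESHOLD):
                findings.append(Finding("high-entropy-string", line_no, m.group(0)))
    return findings


def redact(token: str) -> str:
    """Never echo a full secret into hook output or CI logs."""
    return f"{token[:4]}...({len(token)} chars)"


# Constructed sample standing in for a staged diff; nothing here is a real credential.
SAMPLE = """\
AWS_ACCESS_KEY_ID = "AKIAABCDEFGHIJKLMNOP"
example_key = "AKIAIOSFODNN7EXAMPLE"  # vendor-docs placeholder, allowlisted
GITHUB_TOKEN=ghp_AbCdEfGhIjKlMnOpQrStUvWxYz0123456789
cfg["auth"] = "q7Lm3xZ9aPk2Vr8Wb5Nc1Yd4Tf6Hg0Js"
password = "correct-horse-battery-staple"
-----BEGIN RSA PRIVATE KEY-----
build_id = "release-2024-01-15-linux-amd64"
"""


def git_added_lines(*git_args: str) -> str:
    """Collect the '+' lines of a git diff: ("diff", "--cached") for a pre-commit hook,
    ("log", "-p", "--all") for a full-history scan of every branch."""
    out = subprocess.run(["git", *git_args, "--no-color", "--unified=0"],
                         capture_output=True, text=True, check=True).stdout
    return "\n".join(l[1:] for l in out.splitlines()
                     if l.startswith("+") and not l.startswith("+++"))


def main(argv: list[str]) -> int:
    if "--staged" in argv:
        text = git_added_lines("diff", "--cached")
    elif "--history" in argv:
        text = git_added_lines("log", "-p", "--all")
    else:
        text = SAMPLE                     # demo run over the constructed sample
    findings = scan_text(text)
    for f in findings:
        print(f"{f.rule}: line {f.line_no}: {redact(f.match)}")
    return 1 if findings else 0           # non-zero exit blocks the commit / fails the CI job


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

On the sample, the scanner reports the AWS key, the GitHub token, the high-entropy `auth` value, the generic `password =` assignment and the private key header, and stays silent on the allowlisted placeholder and on `build_id`, whose entropy is below the threshold. Wiring `--staged` into `.git/hooks/pre-commit` gives step 1 and 2 locally; running the same script with `--history` in CI gives the merge gate and the one-off scan of existing commits. The output deliberately redacts the matched value so that the alert itself does not re-leak the secret.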
Tool Examples
These are examples, not endorsements. Choose what fits your context.