Back to Resources
Security

Stop shipping hardcoded secrets: a practical guide

5 min readPrismSec Team

The accidental leak

It starts innocently. A developer is testing a database connection locally, hardcodes a connection string to move fast, and commits it. The PR gets merged. The secret is now in your repository's history forever.

Three months later, that repository goes public for an open-source initiative. Within hours, automated scanners find the leaked AWS key. Within days, your infrastructure is mining cryptocurrency for someone else.

This isn't a hypothetical scenario. It's happened to Uber, Toyota, Samsung, and thousands of smaller organizations. The 2023 GitGuardian report found over 10 million secrets exposed in public GitHub repositories that year alone—a number that grows every quarter.

How secrets leak (and persist)

The most common vector is developer convenience. Connection strings, API keys, and service tokens get hardcoded during local development and accidentally committed. The variations are endless:

# Configuration files
DATABASE_URL = "postgresql://admin:P@ssw0rd@prod-db.example.com/app"
 
# Test fixtures
API_KEY = "sk_live_abc123_real_stripe_key"
 
# Environment setup
export GITHUB_TOKEN="ghp_AbCdEfGhIjKlMnOpQrStUvWxYz"
 
# CI/CD scripts
docker login -u admin -p hunter2 registry.example.com

Once committed, these secrets live in git history indefinitely. Even if you delete them in a later commit, they're still recoverable through git log or by cloning the repository at an earlier revision. Rewriting history with git filter-branch or BFG Repo-Cleaner is technically possible, but it forces a hard reset for every developer and breaks existing clones.

The damage window is permanent. Any secret that ever touched your repository should be considered compromised and rotated immediately.

The real consequences

Leaked credentials aren't theoretical risks—they translate directly to business impact:

Financial losses. Exposed cloud credentials let attackers spin up instances for cryptomining, data exfiltration, or DDoS attacks. Organizations have woken up to five-figure AWS bills from a single compromised key.

Data breaches. Database credentials, API tokens, and service keys grant direct access to customer data. A hardcoded MongoDB connection string can expose millions of records overnight.

Supply chain attacks. Leaked GitHub tokens or NPM credentials allow attackers to inject malicious code into your repositories or packages, compromising downstream users.

Compliance violations. SOC 2, PCI-DSS, HIPAA, and GDPR all require secure credential management. Hardcoded secrets in version control are automatic audit failures.

Detection: entropy + provider patterns

Effective secret detection combines two techniques:

Entropy analysis identifies high-randomness strings that resemble tokens or keys. A typical password has lower entropy than a 32-character API key. This catches generic secrets but generates false positives on hashes, UUIDs, and test data.

Provider-specific patterns match known formats for AWS keys (AKIA...), GitHub tokens (ghp_...), Stripe keys (sk_live_...), and hundreds of other services. This approach has high precision but misses custom secrets or unknown formats.

Modern scanners combine both: flag high-entropy strings near keywords like "key", "token", "password", or "secret", then validate them against provider patterns. The best tools also verify secrets are active by making test API calls—a leaked but revoked key is lower risk than a live credential.

Remediation: rotation and revocation

If you discover a leaked secret:

  1. Revoke it immediately. Don't wait for Monday or the next sprint—disable the credential as soon as you find it.
  2. Rotate it everywhere. Update all services and configurations that use the old secret.
  3. Audit access logs. Check if the leaked credential was used by unauthorized parties. AWS CloudTrail, GitHub audit logs, and service provider dashboards show API activity.
  4. Notify stakeholders. If customer data or production systems were exposed, disclosure may be legally required.
  5. Remove from history (optional). Use BFG Repo-Cleaner or git filter-repo to purge the secret from git history, but treat this as defense-in-depth, not primary remediation—the secret is already compromised.

Prevention: stop secrets before they merge

A layered defense prevents secrets from entering your codebase in the first place:

Pre-commit hooks scan staged files locally before commit. Tools like detect-secrets, git-secrets, or pre-commit integrate into developer workflows and block accidental commits.

# .pre-commit-config.yaml
repos:
  - repo: https://github.com/Yelp/detect-secrets
    rev: v1.4.0
    hooks:
      - id: detect-secrets
        args: ['--baseline', '.secrets.baseline']

Pre-merge scanning analyzes PRs before they reach the main branch. GitHub Advanced Security, GitLab Secret Detection, and third-party tools like PrismSec run on every pull request and block merges when secrets are detected.

Continuous monitoring scans your entire repository history regularly to catch secrets that slipped through earlier defenses. This catches legacy secrets from before your scanning infrastructure was in place.

Developer education is the ultimate prevention. Train your team to use environment variables, secret managers (AWS Secrets Manager, HashiCorp Vault, 1Password), and .env files excluded from version control.

How PrismSec catches them

PrismSec's AI-powered analysis scans every pull request for hardcoded secrets before merge. We combine:

  • Entropy-based detection for unknown secret formats.
  • Provider-specific patterns for 300+ services.
  • Context-aware analysis to reduce false positives (test fixtures, example code, and revoked credentials are intelligently suppressed).
  • Automated fix suggestions that replace hardcoded secrets with environment variable references.

Our agents understand your codebase structure and recommend the right secret management pattern for your stack—whether that's .env files for Node.js, AWS Secrets Manager for containerized apps, or HashiCorp Vault for multi-cloud infrastructure.

The bottom line

Every secret that enters your version control is a liability. The only safe number of hardcoded credentials is zero.

Build a defense-in-depth strategy: pre-commit hooks for developers, pre-merge scanning for PRs, continuous monitoring for legacy secrets, and a culture that treats credentials as first-class security concerns.

It's easier to prevent a leak than to clean up after one.

If you're unsure whether your repository contains leaked secrets, run a scan now. Every day you wait is another day your credentials are exposed.

Ship secure software faster

Connect your repository and get your first security review in minutes.

Get StartedBook a Demo