惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

The Hacker News
The Hacker News
F
Full Disclosure
Cloudbric
Cloudbric
Blog — PlanetScale
Blog — PlanetScale
W
WeLiveSecurity
N
News and Events Feed by Topic
T
Troy Hunt's Blog
V2EX - 技术
V2EX - 技术
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
B
Blog
GbyAI
GbyAI
C
Check Point Blog
B
Blog RSS Feed
Application and Cybersecurity Blog
Application and Cybersecurity Blog
Recorded Future
Recorded Future
The Last Watchdog
The Last Watchdog
N
News and Events Feed by Topic
T
The Blog of Author Tim Ferriss
O
OpenAI News
V
V2EX
人人都是产品经理
人人都是产品经理
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
IT之家
IT之家
WordPress大学
WordPress大学
www.infosecurity-magazine.com
www.infosecurity-magazine.com
S
Security @ Cisco Blogs
C
Cisco Blogs
Security Latest
Security Latest
S
Security Affairs
V
Visual Studio Blog
C
Cybersecurity and Infrastructure Security Agency CISA
Hacker News - Newest:
Hacker News - Newest: "LLM"
博客园 - 司徒正美
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
Microsoft Azure Blog
Microsoft Azure Blog
Last Week in AI
Last Week in AI
AWS News Blog
AWS News Blog
雷峰网
雷峰网
Apple Machine Learning Research
Apple Machine Learning Research
PCI Perspectives
PCI Perspectives
博客园_首页
U
Unit 42
Google DeepMind News
Google DeepMind News
Hugging Face - Blog
Hugging Face - Blog
Project Zero
Project Zero
Cisco Talos Blog
Cisco Talos Blog
The Register - Security
The Register - Security
N
Netflix TechBlog - Medium
L
LINUX DO - 热门话题
H
Hacker News: Front Page

Aikido Security's Blog

Axios CVE-2026-40175: a critical bug that’s… not exploitable GlassWorm goes native: New Zig dropper infects every IDE on your machine Aikido Attack finds multiple 0-days in Hoppscotch The cybersecurity doomerism around Mythos doesn't match what we see on the ground axios compromised on npm: maintainer account hijacked, RAT deployed Popular telnyx package compromised on PyPI by TeamPCP Aikido × Lovable: Vibe, Fix, Ship CanisterWorm Gets Teeth: TeamPCP's Kubernetes Wiper Targets Iran TeamPCP deploys CanisterWorm on NPM following Trivy compromise Security testing is validating software that no longer exists Aikido Recognized by Frost & Sullivan with the 2026 Customer Value Leadership Award in ASPM GlassWorm Hides a RAT Inside a Malicious Chrome Extension fast-draft Open VSX Extension Compromised by BlokTrooper Glassworm Strikes Popular React Native Phone Number Packages Glassworm Is Back: A New Wave of Invisible Unicode Attacks Hits Hundreds of Repositories How Security Teams Fight Back Against AI-Powered Hackers Introducing Betterleaks, an open source secrets scanner by the author of Gitleaks Trump’s 2026 cybersecurity strategy: From compliance to consequence How does AI pentesting work with compliance? What continuous pentesting actually requires Rare Not Random: Using Token Efficiency for Secrets Scanning Persistent XSS/RCE using WebSockets in Storybook’s dev server Why Determinism Is Still a Necessity in Security WAF vs. RASP vs. ADR Introducing Aikido Infinite: A new model of self-securing software How Aikido secures AI pentesting agents by design Astro Full-Read SSRF via Host Header Injection How to Get Your Board to Care About Security (Before a Breach Forces the Issue) What is Slopsquatting? The AI Package Hallucination Attack Already Happening SvelteSpill: A Cache Deception Bug in SvelteKit + Vercel Top 6 Wiz Code Alternatives Aikido recognized as Platform Leader in Latio Tech's 2026 Application Security Report From detection to prevention: How Zen stops IDOR vulnerabilities at runtime npm backdoor lets hackers hijack gambling outcomes Introducing Upgrade Impact Analysis: When breaking changes actually matter to your code Why Trying to Secure OpenClaw is Ridiculous Claude Opus 4.6 found 500 vulnerabilities. What does this change for software security? Introducing Aikido Expansion Packs: Safer defaults inside the IDE International AI Safety Report 2026: What It Means for Autonomous AI Systems Self-Securing Software: What It Is, Why It Matters, and How It Works npx Confusion: Packages That Forgot to Claim Their Own Name What Is Continuous Pentesting? Introducing Aikido Package Health: a Better Way to Trust Your Dependencies AI Pentesting: Minimum Safety Requirements for Security Testing Secure SDLC for Engineering Teams (+ Checklist) Fake Clawdbot VS Code Extension Installs ScreenConnect RAT G_Wagon: npm Package Deploys Python Stealer Targeting 100+ Crypto Wallets Gone Phishin': npm Packages Serving Custom Credential Harvesting Pages Malicious PyPI Packages spellcheckpy and spellcheckerpy Deliver Python RAT Top 10 AI Security Tools For 2026 Agent Skills Are Spreading Hallucinated npx Commands Understanding Open-Source License Risk in Modern Software The CISO Vibe Coding Checklist for Security Top 6 Graphite alternatives for AI code review in 2026 From “No Bullsh*t Security” to $1B: We Just Raised Our $60m Series B Critical n8n Vulnerability Allows Unauthenticated Remote Code Execution (CVE-2026-21858) Top 14 VS Code Extensions for 2026 AI-Driven Pentesting of Coolify: Seven CVEs Identified Top Continuous Pentesting Tools in 2026 SAST vs SCA: Securing the Code You Write and the Code You Depend On JavaScript, MSBuild, and the Blockchain: Anatomy of the NeoShadow npm Supply-Chain Attack How Engineering and Security Teams Can Meet DORA’s Technical Requirements IDOR Vulnerabilities Explained: Why They Persist in Modern Applications Shai Hulud strikes again - The golden path MongoBleed: MongoDB Zlib Vulnerability (CVE-2025-14847) and How to Fix It First Sophisticated Malware Discovered on Maven Central via Typosquatting Attack on Jackson The Fork Awakens: Why GitHub’s Invisible Networks Break Package Security Top 10 Cyber Security Tools For 2026 SAST in the IDE is now free: Moving SAST to where development actually happens AI Pentesting in Action: A TL;DV Recap of Our Live Demo The Top 7 Threat Intelligence Tools in 2026 React & Next.js DoS Vulnerability (CVE-2025-55184): What You Need to Fix After React2Shell OWASP Top 10 for Agentic Applications (2026): What Developers and Security Teams Need to Know DAST vs Pentesting v AI Pentesting: Why DAST Cannot Replace Modern Pentesting PromptPwnd: Prompt Injection Vulnerabilities in GitHub Actions Using AI Agents Top 7 Cloud Security Vulnerabilities Critical React & Next.js RCE Vulnerability (CVE-2025-55182): What You Need to Fix Now How to Comply With the UK Cybersecurity & Resilience Bill: A Practical Guide for Modern Engineering Teams Shai Hulud 2.0: What the Unknown Wonderer Tells Us About the Attackers’ Endgame SCA Everywhere: Scan and Fix Open-Source Dependencies in Your IDE Safe Chain now enforces a minimum package age before install Shai Hulud Attacks Persist Through GitHub Actions Vulnerabilities Shai Hulud Launches Second Supply-Chain Attack: Zapier, ENS, AsyncAPI, PostHog, Postman Compromised CORS Security: Beyond Basic Configuration Revolut Selects Aikido Security to Power Developer-First Software Security The Future of Pentesting Is Autonomous How Aikido and Deloitte are bringing developer-first security to enterprise Invisible Unicode Malware Strikes OpenVSX, Again AI as a Power Tool: How Windsurf and Devin Are Changing Secure Coding Building Fast, Staying Secure: Supabase’s Approach to Secure-by-Default Development OWASP Top 10 2025: Official List, Changes, and What Developers Need to Know Top 10 JavaScript Security Vulnerabilities in Modern Web Apps The Return of the Invisible Threat: Hidden PUA Unicode Hits GitHub repositorties Top 7 Black Duck Alternatives in 2026 What Is IaC Security Scanning? Terraform, Kubernetes & Cloud Misconfigurations Explained AutoTriage and the Swiss Cheese Model of Security Noise Reduction Top Software Supply Chain Security Vulnerabilities Explained The Top 7 Kubernetes Security Tools Top 10 Web Application Security Vulnerabilities Every Team Should Know What Is CSPM (and CNAPP)? Cloud Security Posture Management Explained
Secrets Detection: A Practical Guide to Finding and Preventing Leaked Credentials
2025-11-12 · via Aikido Security's Blog

SecretsAPI keys, passwords, certificates — are the digital equivalent of playground whispers: they’re meant for a trusted recipient, not the public. In modern software, secrets are used programmatically, which makes them both ubiquitous and fragile. Left unchecked, they’re frequently the starting point for major breaches. This guide explains where secrets leak, why detecting them is harder than it looks, what good detection actually does, and how to deploy it so you stop accidental leaks before they become incidents.

What counts as a "secret" in software?

A secret is any credential that grants access to systems or services: API keys, database passwords, OAuth tokens, SSH keys, TLS certs, and similar. Because secrets are consumed programmatically, they travel through source code, CI pipelines, developer machines, and backups — creating a large attack surface.

How secrets typically leak

One of the most common leak vectors is source control history. The typical scenario:

  1. A developer creates a feature branch and hard-codes a credential to test something quickly.
  2. Once verified, they replace the credential with an environment variable or vault call and push the changes for review.
  3. Code review looks only at the current diff; the temporary secret remains buried in the branch or commit history.

Diagram of git history with Commit C on the dev branch labeled 'API key hard coded (the secret)'.

Commit C on the dev branch shows an API key hard-coded — a secret that remains in history.

Unless you rewrite git history (which is disruptive and risky), that secret lives on. If an attacker gains access to your repository — even a private one — they can scan history and harvest creds to pivot into higher-value targets.

How widespread is the problem?

Public research shows this is far from rare. Large-scale scans of GitHub reveal millions of exposed secrets and surprisingly high prevalence even in private repositories. Real breaches prove the risk: leaked source code dumps have yielded thousands of credentials, including cloud tokens and payment keys.

Slide reading '23,770,171 New secrets detected in public GitHub commits in 2024' with supporting stats

GitGuardian: 23,770,171 new secrets detected in public GitHub commits in 2024 — a clear measure of scale.

Why SAST alone isn't enough

Static Application Security Testing (SAST) is great for finding things like SQL injection or path traversal in the current codebase, but it typically scans the latest snapshot, not the entire commit history. Secrets are different: a secret in any commit, branch, or tag is a compromise risk. That means detection must consider the full history and multiple repositories where that history lives.

Terminal 'Scan Summary' output showing scan findings and message that scan was limited to files tracked by git, with presenter inset

Scan summary showing results and a note that the scan was limited to files tracked by git.

Why secrets detection is harder than "just regex"

At first glance you might think: write a regex for "API_KEY=" and be done. In reality, secrets detection must balance precision and recall so it doesn't drown developers in noise:

  • High-entropy strings (random-looking values) are often secrets — but not always. Many non-secret artifacts are also high-entropy.
  • Placeholders and examples pepper codebases. Naively flagging every-looking key triggers false positives that break workflows.
  • Provider patterns vary. Some services (Stripe, AWS, Twilio) use identifiable prefixes or formats; others do not.

Slide titled 'Raw high-entropy string' showing a long hex-like token and a red 'Secret' indicator

High-entropy string example used to illustrate what looks like a secret.

What good secrets detection looks like

An effective secrets detection solution uses multiple signals to reduce false positives and catch real leaks:

  • Pattern matching for known providers. Identify keys that follow provider-specific formats (e.g., Stripe prefixes, AWS token shapes).
  • Validation where possible. Attempt non-destructive validation (does this AWS key exist? is it active?) to confirm whether a finding is real.
  • Entropy + context. Use entropy measures to find high-randomness strings, then inspect surrounding code (file path, variable names, comments) to decide if it’s a secret.
  • Anti-dictionary checks. Filter out strings containing English words or obvious placeholders to reduce noise.
  • History-aware scanning. Scan the entire git history across branches, tags, and mirrors — not just the tip of main.
  • Developer-centric deployment. Run detection both remotely (central repos) and locally (pre-commit hooks, IDE plugins) to stop leaks earlier in the workflow.

Presenter at a microphone with a slide reading 'Identify all secrets by categories'

Identify secrets by category — a practical detection goal.

Testing a secrets detection tool (and the common trap)

When evaluating tools, teams often perform a simple test: they hard-code obvious secret-looking strings and expect the scanner to catch them. Ironically, a tool that flags every obvious fake secret may be low quality — it’s the noisy tools that look the best in naïve tests.

Good tools intentionally ignore trivial, non-real patterns and placeholder values. They prioritize validating suspicious findings rather than screaming on every random string.

Canarytokens web dashboard showing token types (Web bug, DNS, AWS infra, Credit Card, QR code, MySQL, AWS keys, Fake App, Log4shell, Fast redirect)

Canarytokens dashboard — create honeytokens to safely test detection and alerts.

How to test properly:

  1. Use honeytokens / canary tokens — real, low-risk API keys you control — that you can safely publish to test detection and alerting.
  2. Run the tool against historical branches and forgotten commits, not only fresh fake keys in current files.
  3. Measure false positive rate and validation success: can the tool reduce noise while still surfacing real, actionable secrets?

Where to deploy secrets detection

Detection belongs at multiple layers:

  • Remote Git repositories (mandatory). Your central git hosting is the canonical source of truth: scan all repositories and complete history. Any secret present here should be treated as compromised.

Stylized diagram of local repository (IDE and local commits) pushing to a remote repository that shows a New Pull Request and CI/CD stages

Diagram showing local and remote repositories and how pushes create pull requests — where remote scanning belongs.
  • Developer local environment (strongly recommended). Use pre-commit hooks and IDE or editor extensions to catch secrets before they ever reach a push. Local feedback avoids churn and gives developers control.
  • CI/CD pipelines. Add checks to block merges or deployments when a validated secret is found, while ensuring rules minimize false positives that block development.
“If a secret makes its way into [your remote repository], you need to consider it compromised.”

Quick remediation checklist when you find a leaked secret

  1. Rotate the secret immediately (rotate credentials, revoke tokens).
  2. Assess scope: what systems were accessible with the key?
  3. Remove the secret from all commits and branches — consider rewriting history only when necessary and acceptable for your workflow.
  4. Audit for similar leaks in other repos or backups.
  5. Improve developer workflows and tooling to prevent recurrence (IDE plugins, pre-commit hooks, vault adoption).

Recap: the essentials

  • Secrets are everywhere in modern development and often live in git history.
  • SAST tools that scan only the tip of the tree aren’t sufficient for secrets detection.
  • Good detection combines provider patterns, validation, entropy/context analysis, and anti-dictionary filters to cut noise.
  • Deploy detection both centrally (remote repos) and locally (IDE/hooks) to catch leaks early and avoid a cat-and-mouse game.
  • Test scanners responsibly using honeytokens and historical scans rather than trivial fake keys.

Detecting secrets is a continuous, developer-first problem. With the right mix of signals and placement, you can dramatically reduce risk without drowning developers in false alarms. Start by scanning your git history, add local protections, and make validation a core feature of any secrets detection solution you choose. Try out Aikido Security today!