v2.4.0

Credentials, API keys, database connection strings, and personal data must never appear in the version control history. Accidentally committed secrets are a persistent security risk: Git history retains the secret even after the offending commit is amended or removed. Tools such as git-secrets, truffleHog, GitLeaks, and detect-secrets scan for credential patterns in code and configuration files.

Secret detection runs at two points. Pre-commit hooks catch secrets before they enter the repository, providing the fastest feedback loop. CI pipeline steps catch secrets that bypassed the hooks, either because the hooks were not installed on a developer’s machine or because the pattern was not matched locally. Both layers are necessary for defence in depth.

The security team treats any committed secret as compromised and rotates it immediately, regardless of whether the commit was subsequently removed. In production, secrets are sourced from a dedicated secrets manager (HashiCorp Vault, AWS Secrets Manager, Azure Key Vault), never from the repository. The secret detection configuration, scan results, and any incident response records for committed secrets are retained as Module 9 evidence.
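
The two-layer mechanism described above, as an added example that is not part of this page or of the tools it names: a POSIX shell script that runs one scan function from a git pre-commit hook (staged files) and from CI (the whole tree). The script name, the hand-rolled patterns and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not the page's or any tool's code): a minimal scanner serving both
# layers above, as .git/hooks/pre-commit on staged files and as a CI step on the
# whole tree. Patterns are illustrative; rely on detect-secrets/truffleHog/GitLeaks.

# scan_files FILE... : print path:line:text for each credential-looking line and
# return 1 if anything matched, else 0. Lines marked "allowlist secret" (documented
# dummy values) are skipped, like the inline allowlist comments real tools support.
scan_files() {
    hits=0
    for f in "$@"; do
        [ -f "$f" ] || continue
        # /dev/null as a second file forces grep to prefix the file name
        if grep -niE \
            -e 'AKIA[0-9A-Z]{16}' \
            -e '-----BEGIN [A-Z ]*PRIVATE KEY-----' \
            -e "(password|passwd|secret|api[_-]?key|token)[[:space:]]*[:=][[:space:]]*[\"'][^\"']{8,}" \
            "$f" /dev/null | grep -v 'allowlist secret'; then
            hits=1
        fi
    done
    return $hits
}

# Pre-commit layer: only staged files (fastest feedback; paths with spaces need -z).
precommit_check() { scan_files $(git diff --cached --name-only --diff-filter=ACM); }
# CI layer: every tracked file, catching what bypassed a missing or stale hook.
ci_check() { scan_files $(git ls-files); }

# Constructed sample input for a stand-alone run; the AWS key is the placeholder
# from AWS documentation, not a live credential.
demo() {
    d=$(mktemp -d)
    printf 'region = us-east-1\nlogging = info\n' > "$d/clean.cfg"
    printf 'aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n' > "$d/leak.cfg"
    printf 'db_password = "correct-horse-battery"  # allowlist secret\n' > "$d/fixture.py"
    scan_files "$d/clean.cfg" >&2 && clean=0 || clean=1
    scan_files "$d/leak.cfg" >&2 && leak=0 || leak=1
    scan_files "$d/fixture.py" >&2 && allow=0 || allow=1
    rm -rf "$d"
    echo "clean=$clean leak=$leak allowlisted=$allow"
}

# As a hook the script name selects the staged scan; in CI run "sh secret-scan.sh --ci".
if [ "${1:-}" = "--ci" ]; then ci_check
elif [ "$(basename "$0")" = "pre-commit" ]; then precommit_check
else demo
fi
```

A non-zero exit from the hook blocks the commit; the same non-zero exit fails the CI job, which is the signal that triggers the rotation procedure described above.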

Key outputs

  • Secret detection tool configuration (detect-secrets, truffleHog, or GitLeaks)
  • Pre-commit hook and CI pipeline integration
  • Incident response procedure for committed secrets
  • Module 9 AISDP evidence