Well-Architected Framework
Detect leaked secrets across your organization
Leaked secrets in code repositories, documentation, and cloud storage are critical security risks to your organization. Even with strong prevention measures like access controls and dynamic credentials, secrets can still leak through human error, misconfigured systems, or process gaps. Detection provides the monitoring layer that identifies exposed credentials before attackers exploit them.
A defense-in-depth strategy uses multiple layers of security controls to protect data rather than relying on any single protective measure. Automated secret detection scans version control systems, documentation platforms, cloud storage, and CI/CD pipelines to find exposed credentials.
Why detect leaked secrets proactively
Discover secrets before attackers exploit them: Studies show secrets are committed to public GitHub repositories every 30 seconds on average. Without automated detection, organizations remain unaware of exposed credentials for days or weeks while attackers exploit them within hours of discovery.
Prevent credential exploitation: Attackers use automated tools to continuously scan public repositories for exposed credentials. Once discovered, attackers use leaked secrets to compromise build systems, inject malicious code, and distribute malware through trusted software supply chains.
Meet compliance requirements: Regulations like SOC 2, PCI-DSS, and GDPR mandate that organizations implement controls to detect and prevent unauthorized access to sensitive data. Security auditors require evidence that you actively monitor for leaked credentials and respond to incidents promptly.
Implementing automated secret detection across all organizational data sources, combined with clear incident response processes and blameless reporting culture, lets you discover and remediate leaked secrets before attackers exploit them. After preventing leaked secrets through access controls and credential management, detection provides the monitoring layer that identifies when secrets still leak despite preventive measures.
Monitor critical data sources
To start building out your defense-in-depth strategy for leaked secrets, you should implement a solution to scan for and identify secrets across your organization's critical data sources. Each data source presents unique risks and requires specific scanning approaches.
Monitor the following common data source types:
Version control systems (VCS) such as Bitbucket, GitHub, or GitLab store your application source code and configuration files. Developers frequently commit API keys, database passwords, and cloud credentials directly into repositories. Once committed, secrets remain in Git history even after removal from the current files, so detecting and remediating historical exposure requires tools that scan the full commit history rather than only the working tree.
Documentation and communication systems such as Confluence, Google Docs, or Slack contain operational runbooks, deployment guides, and troubleshooting documentation where teams often paste credentials for convenience. These systems typically lack the access controls and encryption that secrets management platforms provide, making them high-risk locations for secret exposure.
General storage locations like local file systems and cloud storage such as Amazon S3 accumulate configuration files, backup scripts, and archived projects containing embedded secrets. Organizations often overlook these locations during security audits, allowing credentials to persist indefinitely in forgotten backups and legacy systems.
Local developer environments and CI/CD systems including Docker containers, Kubernetes configurations, and Jenkins pipelines require credentials to deploy applications and access cloud resources. Developers frequently embed secrets in environment variables, configuration files, and container images that later get pushed to registries or shared with team members.
The following video shows HCP Vault Radar scanning in action:
Automate secret scanning with HCP Vault Radar
HCP Vault Radar scans your data sources for secrets and integrates with various providers to alert your teams when secrets are discovered. Vault Radar supports multiple scanning options to accommodate different workloads and data confidentiality requirements. The following are the three deployment models:
Cloud scanner: Use for publicly accessible systems such as GitHub, GitLab, and public cloud storage when you need to monitor without managing infrastructure. The cloud scanner operates as a managed service, continuously monitoring external repositories and services.
Vault Radar agent: Use for on-premises systems like self-hosted Confluence, internal documentation platforms, and private network resources when data cannot leave your network. The agent deployment model ensures sensitive data stays local while still providing centralized secret detection and reporting.
Vault Radar CLI: Use for integration with local developer environments, CI/CD pipelines, and custom workflows when you need shift-left security. Developer teams can incorporate secret scanning into pre-commit hooks, pull request validation, and deployment pipelines to catch secrets before they reach production systems.
Vault Radar also prioritizes the severity of leaked secrets using pattern recognition and validation techniques. The system distinguishes placeholder values (like "YOUR_API_KEY_HERE") and example documentation text from real, currently valid credentials. This prioritization helps your security team focus remediation efforts on the highest-risk exposures first, reducing alert fatigue and improving response times. Once you detect leaked secrets, follow the remediation process to rotate credentials and remove secrets from all locations.
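The triage described above (telling documentation placeholders apart from live credentials and ranking findings by severity) is shown below as an added Python example. It is not Vault Radar's scanner and does not reproduce its detection rules; it scans constructed sample lines standing in for the kinds of sources listed earlier (a README page, an environment file, a deployment key file). The three detection patterns, the placeholder markers, the entropy cutoff, the severity tiers and every sample value are assumptions made for the illustration.

```python
"""Pattern-based secret detection with placeholder filtering and severity ranking.

Added illustration: this is not HCP Vault Radar's scanner or its detection rules.
The regexes, placeholder heuristics, entropy threshold and severity tiers are
simplified assumptions chosen for this example.
"""
import math
import re
from collections import Counter
from dataclasses import dataclass

# Detection rules ordered from most to least severe; the first rule that
# matches a line wins, so each line is reported once at its highest severity.
RULES = [
    ("aws_access_key_id", "critical",
     re.compile(r"\b(AKIA[0-9A-Z]{16})\b")),
    ("private_key_block", "critical",
     re.compile(r"(-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----)")),
    ("credential_assignment", "high",
     re.compile(r"(?i)(?:password|passwd|api[_-]?key|access[_-]?key(?:[_-]?id)?"
                r"|secret|token)\s*[:=]\s*['\"]?([^'\"\s]{8,})")),
]

# Markers that indicate a documentation placeholder rather than a live value (assumed list).
PLACEHOLDER = re.compile(r"(?i)(your[_-]|<|>|example|changeme|xxxx|\.\.\.|redacted|\$\{)")

SEVERITY_ORDER = {"critical": 0, "high": 1, "low": 2, "info": 3}
MIN_ENTROPY = 2.5  # bits per character; assumed cutoff below which a value is unlikely to be random


@dataclass
class Finding:
    source: str
    line_no: int
    rule: str
    severity: str
    value: str


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character; 0.0 for an empty or single-character-repeat string."""
    if not value:
        return 0.0
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_placeholder(value: str) -> bool:
    return PLACEHOLDER.search(value) is not None


def triage(rule_severity: str, value: str) -> str:
    """Downgrade obvious placeholders and low-entropy values rather than dropping them,
    so reviewers can still see them without them competing with real exposures."""
    if is_placeholder(value):
        return "info"
    if rule_severity == "high" and shannon_entropy(value) < MIN_ENTROPY:
        return "low"
    return rule_severity


def scan_lines(source: str, lines) -> list:
    """Scan an iterable of text lines from one source and return Findings."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        for rule, severity, pattern in RULES:
            match = pattern.search(line)
            if match:
                value = match.group(1)
                findings.append(Finding(source, line_no, rule, triage(severity, value), value))
                break
    return findings


def prioritize(findings: list) -> list:
    """Highest severity first so responders see the riskiest exposures at the top."""
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f.severity], f.source, f.line_no))


# Constructed sample content standing in for files pulled from a repository or wiki page.
# None of these values are real credentials.
SAMPLE_SOURCES = {
    "README.md": [
        "Set AWS_ACCESS_KEY_ID=YOUR_ACCESS_KEY_HERE in your shell.",
        'api_key = "<your-api-key>"',
    ],
    "config/prod.env": [
        "DB_PASSWORD=Tr0ub4dor&3xY9qLmP",
        "AWS_ACCESS_KEY_ID=AKIAQ2XK7YZ4B8M1N5P9",
    ],
    "deploy/id_rsa": [
        "-----BEGIN RSA PRIVATE KEY-----",
        "MIIEowIBAAKCAQEA...",
    ],
}


def scan_all(sources=None) -> list:
    """Scan every sample source and return the prioritized finding list."""
    sources = SAMPLE_SOURCES if sources is None else sources
    findings = []
    for name, lines in sources.items():
        findings.extend(scan_lines(name, lines))
    return prioritize(findings)


if __name__ == "__main__":
    for f in scan_all():
        print(f"{f.severity:8} {f.source}:{f.line_no} {f.rule} -> {f.value}")
```

Running the block lists the constructed AWS-style key and the private-key header first, the strong-looking database password next, and the two README placeholders last as informational entries. The point of keeping placeholders visible at a low tier rather than silently dropping them is that a placeholder pattern in a real config file can still be worth a human glance, while the ordering keeps them from burying the live exposures.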
Foster a blameless reporting culture
Technical scanning and detection capabilities are ineffective when team members are afraid to report mistakes or potential security incidents. Creating a positive, blameless culture is essential. When people fear losing their jobs for admitting errors, they hide their mistakes rather than focus on fixing the underlying processes that allowed the incident to occur.
Organizations with blameless cultures see higher incident reporting rates and faster remediation times because team members feel safe admitting mistakes. This transparency lets security teams respond quickly before attackers exploit leaked secrets. Conversely, punitive cultures drive incidents underground where they fester undetected until external discovery forces a response.
The Google SRE book advises removing blame from the incident response process. This approach focuses on "identifying the contributing causes of the incident without indicting any individual or team for bad or inappropriate behavior." When someone leaks a secret, ask why the system allowed it rather than who made the mistake.
HashiCorp resources
Related WAF guidance:
- Prevent leaked secrets with access controls for defense-in-depth strategies
- Prevent leaked secrets with credential management for proactive prevention
Get started with HCP Vault Radar:
- Follow the HCP Vault Radar quickstart to set up your first scan in under 10 minutes
HCP Vault Radar deployment options:
- Follow the HCP Vault Radar operations series to learn how to set up the Vault Radar agent and correlate secret detection with Vault
- Read the HCP Vault Radar documentation for comprehensive features and capabilities
- Read the HCP Vault Radar agent documentation for deployment in private networks and air-gapped environments
- Read the HCP Vault Radar CLI documentation for integration with CI/CD pipelines and developer workflows
Integrate with development platforms:
- Learn how to scan GitHub repositories with cloud-based monitoring
- Configure Vault Radar scans to detect secrets across multiple data sources
- Set up automated scanning workflows for continuous security monitoring
External resources
- Google SRE Book: Postmortem Culture explains blameless incident response
- NIST Cybersecurity Framework for detection and response controls
Next steps
In this section of Managing leaked secrets, you learned how to detect leaked secrets across version control systems, documentation platforms, and cloud storage using automated scanning tools like HCP Vault Radar. You also learned the importance of building a blameless reporting culture. Identifying leaked secrets is part of the Secure systems pillar.
After detecting leaked secrets, continue to the following document:
- Remediate leaked secrets and respond to incidents following NIST guidelines and rotate compromised credentials