[Lilug] Auditing git for secrets? Suggestions?
Jeff Goldschrafe
jeff at holyhandgrenade.org
Thu Oct 23 13:06:34 PDT 2025
Assuming that a) we're hardening in the context of a larger org, and b) we mean secrets in the sense of data used for authentication and not, like, state secrets:
Bottom-up, your best bet is to have an inventory of what services you use and what their auth materiel looks like, so you can quickly spot stuff like AKIA strings or base64-encoded JWTs. Watch filenames in addition to payloads and build up a risk score. Identity tokens are (comparatively) easy, opaque access tokens are hard.
Top-down, you can do static analysis to see where libraries in your codebase are pulling in credentials for common client libraries (e.g. `boto3.Session`, `bigquery.Client`), and walk the AST to see where those secrets are coming from. I've mostly only seen this level of sophistication in Wiz-tier big kid security tools, but vibe coding probably makes it a lot easier to make a homegrown approximation. Pay close attention in proximity to use of envvars like AWS_ACCESS_KEY_ID suggestive of sideloaded credentials - you can also check if those are being set through an unexpected mechanism.
Consider a Git pre-commit hook that reads the user's auth tokens for known services from their environment, and safely checks for the presence of those strings in the commit. That's a really useful method for keeping active creds out of carelessly committed log or telemetry data. Also, set up guardrails around committing log or telemetry data.
Peripherally, you want to know what SaaS assets are being used around your org, and set reasonable policies around how those can be authenticated - people are less likely to keep 1-hour access tokens lying around as a development shortcut. That's where you involve cloud governance and DLP.
As always, consider PEBCAK and build defenses in depth.
On Tue, Oct 21, 2025, at 12:06 PM, odinson at warcloud.net wrote:
> Hello All
>
> This is a huge topic, and careers can be exclusively made in this
> space. How do you harden your git trees/repos against revealing secrets?
> In case the tree falls into the wrong hands. Or is even intended for the
> public to see.
>
> I'm specifically looking in admin/engineer space like ansible,
> but more code orientated answers like CI/CD pipelines are welcome too.
> Looking for both practical techniques, and professional software and
> services.
>
> What's the norm, and separately, what is effective?
>
> Thanks for tipping your brains my direction.
>
> Matt
>
> -------------------------------------------------------------------------------
> Matthew Newhall, M.A.Newhall at warcloud.net
> A.S. in Computer Science, SUNY Farmingdale
> My weekly podcast, The Technocrat Live. http://www.thetechnocratlive.com
> President and founder of LILUG; president at lilug.org, http://www.lilug.org
> My theory; Psychopaths precede the conscience, http://civgene.matthewnewhall.com
> Scifi book; "Thicker Than Blood" http://www.thickerthanbloodthebook.com
> My maker blog; "The modness", http://themodness.wordpress.com
>
> People who put identity with a group above managing their own faith are the
> problem.
> -------------------------------------------------------------------------------
> _______________________________________________
> Lilug mailing list
> Lilug at lists.lilug.org
> http://lists.lilug.org/listinfo.cgi/lilug-lilug.org
>
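The two concrete controls in the reply above, an inventory-driven pattern scan for recognisable credential shapes (AKIA-prefixed AWS key IDs, base64url-encoded JWTs, filename-based risk scoring) and a pre-commit hook that checks the staged diff for the user's own live tokens taken from the environment, combined into one runnable scanner. This is an added example written for this page, not code from the thread or from any tool it mentions. The regular expressions, the scoring weights, the list of risky filename markers, the environment variable names other than AWS_ACCESS_KEY_ID, and the sample diff and token are all assumptions or constructed values chosen for illustration.

```python
"""Illustrative pre-commit secret scanner for staged git changes (added example)."""
import base64
import os
import re
import subprocess
import sys
from typing import Dict, Iterator, List, Mapping, Tuple

# Assumed credential shapes. AKIA/ASIA is the documented AWS access key ID prefix;
# a JWT is three base64url segments, the first of which decodes to a JSON object.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\b"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}

# Filename markers that raise the risk score of any finding (assumed list).
RISKY_FILENAMES = (".env", ".pem", ".key", "id_rsa", "credentials", ".tfvars", ".log")

# Environment variables whose live values must never land in a commit (assumed list).
ENV_TOKEN_VARS = ("AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN",
                  "GITHUB_TOKEN", "GITLAB_TOKEN")
MIN_TOKEN_LEN = 8  # ignore very short values that would match by accident


def looks_like_jwt(token: str) -> bool:
    """Confirm a regex hit is a JWT by decoding its header segment."""
    head = token.split(".")[0]
    try:
        decoded = base64.urlsafe_b64decode(head + "=" * (-len(head) % 4))
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return decoded.lstrip().startswith(b"{")


def load_env_tokens(environ: Mapping[str, str] = os.environ) -> Dict[str, str]:
    """Collect the user's live tokens from the environment, never echoing them."""
    return {name: environ[name] for name in ENV_TOKEN_VARS
            if len(environ.get(name, "")) >= MIN_TOKEN_LEN}


def parse_added_lines(diff_text: str) -> Iterator[Tuple[str, str]]:
    """Yield (path, text) for every added line in a unified diff."""
    path = None
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            target = raw[4:]
            path = None if target == "/dev/null" else target[2:] if target.startswith("b/") else target
        elif raw.startswith("+") and path is not None:
            yield path, raw[1:]


def scan_diff(diff_text: str, env_tokens: Mapping[str, str]) -> List[dict]:
    """Return findings as {kind, path, score}; secret values are never stored."""
    findings = []
    for path, text in parse_added_lines(diff_text):
        bonus = 3 if any(m in os.path.basename(path) for m in RISKY_FILENAMES) else 0
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(text):
                if kind == "jwt" and not looks_like_jwt(match.group(0)):
                    continue
                findings.append({"kind": kind, "path": path, "score": 5 + bonus})
        # Exact-substring check for the developer's own live credentials.
        for name, value in env_tokens.items():
            if value in text:
                findings.append({"kind": f"live_env_token:{name}", "path": path, "score": 10 + bonus})
    return findings


def staged_diff() -> str:
    """Fetch the staged diff; wire this up from .git/hooks/pre-commit."""
    return subprocess.run(["git", "diff", "--cached", "--unified=0", "--no-color"],
                          capture_output=True, text=True, check=True).stdout


def main(block_threshold: int = 5) -> int:
    findings = scan_diff(staged_diff(), load_env_tokens())
    for f in findings:  # report kind and location only, never the matched value
        print(f"[score {f['score']:>2}] {f['kind']} in {f['path']}")
    return 1 if any(f["score"] >= block_threshold for f in findings) else 0


# Constructed sample input: a log file staged by mistake (values are not real secrets).
SAMPLE_ENV_TOKENS = {"GITHUB_TOKEN": "ghp_constructedExampleToken0123"}
SAMPLE_DIFF = """diff --git a/src/app.py b/src/app.py
+++ b/src/app.py
@@ -1,0 +2 @@
+api_key = os.environ["API_KEY"]
diff --git a/config/app.log b/config/app.log
+++ b/config/app.log
@@ -0,0 +1,3 @@
+2025-10-23 INFO aws client init key=AKIAIOSFODNN7EXAMPLE
+2025-10-23 DEBUG bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0NTY3ODkwIn0.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
+2025-10-23 DEBUG gh auth token=ghp_constructedExampleToken0123
"""

if __name__ == "__main__":
    sys.exit(main())
```

Installed as `.git/hooks/pre-commit`, the script blocks the commit on any finding at or above the threshold while printing only the finding kind and path, so the hook itself never writes the credential to a terminal or CI log. The JWT check decodes the header rather than trusting the regex alone, which keeps ordinary base64 blobs from tripping it; the environment comparison is an exact substring match, so it catches the developer's current token even when it is of an opaque, unrecognisable format.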