Glossary

Secret Scanning

Secret scanning detects credentials — API keys, tokens, private keys, passwords — accidentally committed to source code, so they can be revoked before an attacker finds them. Once a secret hits git history, it's compromised until rotated.

Developers leak secrets constantly: an AWS key pasted into a config to test something, a Stripe token hardcoded 'temporarily', a private key checked in by an over-eager `git add .`. Secret scanning finds those credentials by matching known patterns (AKIA-prefixed AWS keys, GitHub PATs, JWT shapes, PEM blocks) and high-entropy strings.

The critical thing to understand is that git history is permanent. The moment a secret is pushed, it must be treated as compromised — deleting it in a later commit does nothing, because the value still sits in the history and on every clone and fork. The only real remediation is to rotate the credential, then purge history if needed.

That's why secret scanning belongs at the gate, before the push lands: catching the key in a pre-push hook or a pull-request check is the difference between 'don't commit that' and an incident-response exercise.
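As an added illustration (not GateTest's code), here is a minimal gate-style scanner of the kind the paragraphs above describe: known credential shapes are matched by pattern, and anything those miss falls through to a Shannon-entropy check. The rule names, regexes, the 4.0 bits/char threshold and the sample .env are all constructed for this example.

```python
import math
import re
import sys
from collections import Counter
# Detectors for well-known credential shapes. These regexes are constructed for
# this example and are not GateTest's rule set.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}
# Entropy-fallback candidates: long base64-ish runs; '=' is excluded so KEY=value splits.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/_\-]{20,}")

def shannon_entropy(s: str) -> float:
    """Bits per character; random secrets score well above ordinary identifiers."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def scan_text(text: str, entropy_threshold: float = 4.0) -> list:
    """Return findings as {line, rule, match} dicts; line numbers are 1-based."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        covered = []  # spans already reported by a pattern rule
        for rule, rx in PATTERNS.items():
            for m in rx.finditer(line):
                findings.append({"line": lineno, "rule": rule, "match": m.group(0)})
                covered.append(m.span())
        # Entropy fallback for secrets no pattern knows, e.g. AWS secret access keys.
        for m in TOKEN_RE.finditer(line):
            if any(a <= m.start() < b for a, b in covered):
                continue
            if shannon_entropy(m.group(0)) >= entropy_threshold:
                findings.append({"line": lineno, "rule": "high_entropy", "match": m.group(0)})
    return findings

# Constructed sample .env: every value is a fake or a vendor documentation example.
SAMPLE = """\
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
GITHUB_TOKEN=ghp_0123456789abcdefghijklmnopqrstuvwxyz
DATABASE_URL=postgres://app:app@localhost/app
"""

if __name__ == "__main__":  # gate usage: `git diff origin/main | python scan.py`
    hits = scan_text(sys.stdin.read() if not sys.stdin.isatty() else SAMPLE)
    sys.exit(1 if hits else 0)  # non-zero exit blocks the push
```

Note that the plain AWS secret access key has no fixed prefix and is caught only by the entropy fallback, while `AWS_SECRET_ACCESS_KEY` itself scores about 3.1 bits/char and is ignored.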

How GateTest handles it

GateTest's secrets module detects AWS keys, GitHub PAT/OAuth/fine-grained tokens, Stripe live/restricted keys, Slack, Google, and Anthropic keys, private keys, and JWTs. The secret-rotation module goes further — it dates credential-shaped strings via git history and flags ones that are stale or overdue for rotation, plus .env vs .env.example drift.

Related modules: secrets, secretRotation

Frequently asked questions

I deleted the secret in a later commit — am I safe?

No. Git history is permanent: the secret still exists in earlier commits and on every clone and fork. The only safe remediation is to rotate (revoke and reissue) the credential, then optionally rewrite history. Treat any committed secret as compromised.

Where should secret scanning run?

As early as possible — ideally a pre-push hook or a pull-request check — so the secret is caught before it ever lands in the shared history. GateTest runs secret detection at the gate for exactly this reason.

