evidence-folder-template/04-vulnerability-secrets/secret-scanning.md

# Secret scanning

Evidence that credentials accidentally committed to repos are detected — ideally blocked at push time — and triaged within a documented SLA.

## Evidence to keep here

  1. Scanner config — GitHub Advanced Security secret scanning + push protection settings, or equivalent.
  2. Remediation SLA — written policy on triage time + key rotation.
  3. Remediation log — sample of recent secret-scanning hits with their resolution.

## Recommended SLA

When a secret is detected:

  1. Within 1 hour: revoke the secret at the source (don't wait for the commit to be rewritten).
  2. Within 4 hours: rotate anything derived from or reachable with it (session tokens it minted, roles it could assume, other credentials on the same account).
  3. Within 24 hours: if the secret was pushed publicly, rewrite git history (BFG / git-filter-repo), force-push, and confirm the scrub with a fresh clone and a scanner run over the full history.
  4. Within 1 week: postmortem if the secret reached production credentials.

The "revoke first, then clean up" order matters: the moment a secret is committed publicly, it's compromised. Git history rewrite is optional cleanup, not defense: clones, forks, CI logs and the host's own caches may still hold the old commit, so the rewrite only removes it from your copy.

## How to gather it

### GitHub Advanced Security

```bash
# Check the repo has secret scanning + push protection enabled
# (GitHub only returns this field when the token has admin on the repo)
gh api repos/<owner>/<repo> --jq '.security_and_analysis' \
  > secret-scanning-config-2026-05-15.json

# List alerts, one JSON object per line. --paginate keeps going past the
# first page; the jq filter runs once per page, so don't wrap it in [...]
gh api --paginate repos/<owner>/<repo>/secret-scanning/alerts \
  --jq '.[] | {number, secret_type, state, resolution, created_at, resolved_at}' \
  > secret-scanning-alerts-2026-05-15.json

# Same alerts, org-wide (needs org admin or security manager)
gh api --paginate orgs/<org>/secret-scanning/alerts \
  --jq '.[] | {repo: .repository.full_name, number, secret_type, state, resolution, created_at, resolved_at}'
```
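
The SLA above fixes a 1-hour revoke window and the alert export above supplies the timestamps, so the two can be checked against each other. The script below is an added example for this page, not code from GitHub or the evidence kit: it reads the exported alert file (newline-delimited objects as produced by `--paginate --jq`, or a plain JSON array), reports resolved alerts that took longer than the SLA and open alerts that have already exceeded it, and returns minutes that can go straight into the "Time to revoke" column of the remediation log. The field names are GitHub's; the alerts in `SAMPLE_ALERTS` are constructed. One assumption is baked in: `created_at` is when GitHub raised the alert, not when the commit was pushed, so the elapsed times are a lower bound on exposure.

```python
"""Check an exported secret-scanning alert list against the revoke SLA.

Added example for this page, not code from GitHub or the evidence kit.
Input is the file written by the `gh api ... secret-scanning/alerts`
export: one alert object per line (gh --paginate --jq) or a JSON array.
Field names are GitHub's; SAMPLE_ALERTS is constructed for the demo.
Assumption: created_at (when GitHub raised the alert) stands in for the
push time, so elapsed values are a lower bound on exposure.
"""
import json
import sys
from datetime import datetime, timedelta, timezone

SLA_REVOKE = timedelta(hours=1)   # step 1 of the SLA above

# Constructed sample export (three alerts: one inside the SLA, one late, one still open).
SAMPLE_ALERTS = """\
{"number": 1, "secret_type": "aws_access_key_id", "state": "resolved", "resolution": "revoked", "created_at": "2026-04-08T09:00:00Z", "resolved_at": "2026-04-08T09:12:00Z"}
{"number": 2, "secret_type": "openai_api_key", "state": "resolved", "resolution": "revoked", "created_at": "2026-05-22T14:00:00Z", "resolved_at": "2026-05-22T16:30:00Z"}
{"number": 3, "secret_type": "github_personal_access_token", "state": "open", "resolution": null, "created_at": "2026-05-15T08:00:00Z", "resolved_at": null}
"""


def parse_ts(s):
    """GitHub returns RFC 3339 with a trailing Z; fromisoformat wants +00:00."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def load_alerts(text):
    """Accept a JSON array or newline-delimited JSON objects."""
    text = text.strip()
    if not text:
        return []
    if text.startswith("["):
        return json.loads(text)
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def check_sla(alerts, now, sla=SLA_REVOKE):
    """Return [(number, status, elapsed)] for every alert outside the SLA.

    status is "late" when the alert was resolved after more than `sla`,
    and "open" when it is still unresolved and already older than `sla`.
    A false_positive resolution still counts: the clock measures triage,
    and "it was a test key" is a triage outcome, not an exemption.
    """
    breaches = []
    for a in alerts:
        created = parse_ts(a["created_at"])
        if a.get("state") == "resolved" and a.get("resolved_at"):
            elapsed = parse_ts(a["resolved_at"]) - created
            status = "late"
        else:
            elapsed = now - created
            status = "open"
        if elapsed > sla:
            breaches.append((a["number"], status, elapsed))
    return breaches


def sla_report(text, now_iso, sla=SLA_REVOKE):
    """Parse an export and return breaches as (number, status, minutes)."""
    breaches = check_sla(load_alerts(text), parse_ts(now_iso), sla)
    return [(n, s, int(e.total_seconds() // 60)) for n, s, e in breaches]


if __name__ == "__main__":
    # Usage: python sla_check.py < secret-scanning-alerts-2026-05-15.json
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_ALERTS
    now = datetime.now(tz=timezone.utc).isoformat()
    for number, status, minutes in sla_report(data, now):
        print(f"alert #{number}: {status} ({minutes} min)")
```

Run it against the quarter's export before writing the remediation log; an empty report is the evidence that the SLA held, and a non-empty one tells you which rows need an explanation.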

### GitLab

GitLab has no `projects/<id>/secrets` endpoint. Secret detection runs as a CI job, so the config evidence is the `.gitlab-ci.yml` that includes the `Security/Secret-Detection.gitlab-ci.yml` template, and the alert evidence is that job's `gl-secret-detection-report.json` artifact (or the Vulnerability Report on Ultimate). The nearest equivalent of push protection is the `prevent_secrets` flag on the project's push rule (Premium and above).

```bash
# Pipeline config; ref is your default branch
glab api "projects/<id>/repository/files/.gitlab-ci.yml/raw?ref=main" > gitlab-ci.yml

# Push rule, including the prevent_secrets flag
glab api "projects/<id>/push_rule" > push-rule.json
```

### Standalone — trufflehog / gitleaks in CI

If you don't have GitHub Advanced Security, run a scanner in CI. A CI scan is detection after the fact (the secret has already reached the remote by the time the job runs), so pair it with a pre-commit hook on developer machines if you want something closer to push protection. Check out with `fetch-depth: 0` before this step so the full history is scanned, not just the checked-out commit.

```yaml
- name: Secret scan
  uses: gitleaks/gitleaks-action@<pinned-sha>
  env:
    GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

## Remediation log format

```markdown
# Secret-scanning remediation — 2026 Q2

| Date       | Type           | Source          | Action                                 | Time to revoke | Closed     |
| ---------- | -------------- | --------------- | -------------------------------------- | -------------- | ---------- |
| 2026-04-08 | AWS access key | feature branch  | Revoked + rotated; not pushed to main  | 12 min         | 2026-04-08 |
| 2026-05-22 | OpenAI API key | example in docs | Replaced with placeholder; key revoked | 6 min          | 2026-05-22 |
```

"Time to revoke" runs from the alert's `created_at` (or the push time, if known and earlier) to revocation at the provider, so every row can be checked against the alert export.

## Sample answer for the questionnaire

GitHub Advanced Security secret scanning is enabled across the org with push protection — pushes containing detected secrets are blocked. Triage is per the SLA in secret-scanning.md (revoke within 1 hour; rotate dependents within 4 hours). Recent remediation log attached as remediation-log-<quarter>.md.

## Example filenames

```text
secret-scanning-config-2026-05-15.json
secret-scanning-alerts-2026-05-15.json
remediation-log-2026-Q2.md
```

## Refresh

Quarterly: add the quarter's remediation log and re-export the config to verify push protection is still on for every repo (it is a per-repo setting and can be toggled off accidentally).
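
The quarterly verification, as an added example that is not part of the evidence kit or GitHub's tooling: the script reads the org's repository list from `gh api --paginate --jq '.[]' orgs/<org>/repos` (one repo object per line) and classifies each repo by its `security_and_analysis` block. GitHub only includes that block when the token has admin on the repo, so a missing block is reported as `unknown` rather than assumed enabled; archived repos are reported separately, since nothing can be pushed to them. The repos in `SAMPLE_REPOS` are constructed.

```python
"""Audit every repo in an org for secret scanning and push protection.

Added example for this page, not GitHub's or the evidence kit's code.
Input: output of `gh api --paginate --jq '.[]' orgs/<org>/repos`, one repo
object per line. Assumption: `security_and_analysis` is absent when the
token lacks admin on a repo, so absence is reported as "unknown".
SAMPLE_REPOS is constructed for the demo.
"""
import json
import sys

# Constructed sample: one compliant repo, two misconfigured, one the token
# cannot see the settings of, one archived.
SAMPLE_REPOS = """\
{"full_name": "acme/api", "archived": false, "security_and_analysis": {"secret_scanning": {"status": "enabled"}, "secret_scanning_push_protection": {"status": "enabled"}}}
{"full_name": "acme/web", "archived": false, "security_and_analysis": {"secret_scanning": {"status": "enabled"}, "secret_scanning_push_protection": {"status": "disabled"}}}
{"full_name": "acme/infra", "archived": false, "security_and_analysis": {"secret_scanning": {"status": "disabled"}, "secret_scanning_push_protection": {"status": "disabled"}}}
{"full_name": "acme/tools", "archived": false}
{"full_name": "acme/legacy", "archived": true, "security_and_analysis": {"secret_scanning": {"status": "disabled"}, "secret_scanning_push_protection": {"status": "disabled"}}}
"""


def load_ndjson(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def audit_push_protection(repos):
    """Map full_name -> ok | scanning_off | push_protection_off | unknown | archived.

    Scanning is checked before push protection: the push-protection
    toggle means nothing while secret scanning itself is off.
    """
    status = {}
    for r in repos:
        name = r["full_name"]
        if r.get("archived"):
            status[name] = "archived"        # read-only, nothing can be pushed
            continue
        sa = r.get("security_and_analysis")
        if not sa:
            status[name] = "unknown"         # token is not admin here: check by hand
            continue
        scanning = sa.get("secret_scanning", {}).get("status")
        protection = sa.get("secret_scanning_push_protection", {}).get("status")
        if scanning != "enabled":
            status[name] = "scanning_off"
        elif protection != "enabled":
            status[name] = "push_protection_off"
        else:
            status[name] = "ok"
    return status


def needs_attention(status):
    """Repos to chase before signing off the quarterly refresh."""
    return sorted(n for n, s in status.items() if s not in ("ok", "archived"))


if __name__ == "__main__":
    # Usage: gh api --paginate --jq '.[]' orgs/<org>/repos | python audit_push_protection.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_REPOS
    result = audit_push_protection(load_ndjson(data))
    json.dump({"status": result, "needs_attention": needs_attention(result)},
              sys.stdout, indent=2)
    print()
```

Save the JSON it prints as the quarter's `secret-scanning-config-<date>.json`; an empty `needs_attention` list is the evidence the questionnaire answer relies on, and `unknown` entries mean the audit token needs wider access before the answer can honestly say "across the org".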
