Secret scanning in repos + CI
Description
What this control does
Secret scanning is an automated control that detects hard-coded credentials, API keys, tokens, certificates, and other sensitive authentication material committed to source code repositories or introduced during continuous integration pipelines. Scanning tools use pattern matching, entropy analysis, and signature-based detection to identify secrets in commit history, pull requests, and build artifacts. This control prevents accidental exposure of credentials that could enable unauthorized access to production systems, third-party services, or cloud infrastructure.
Control objective
What auditing this proves
Demonstrate that automated secret scanning is enforced across all code repositories and CI/CD pipelines, with findings triggering alerts and remediation workflows before code reaches production.
Associated risks
Risks this control addresses
- Developers inadvertently commit plaintext credentials to version control, exposing them to anyone with repository access, or to the public when a GitHub/GitLab repository's visibility is misconfigured
- Attackers mine public and private repositories for exposed API keys, database credentials, or cloud service tokens to pivot into production environments
- Secrets embedded in historical commits remain accessible indefinitely through git history, even after removal from current branches
- Third-party dependencies or automated merges introduce secrets that bypass manual code review processes
- CI/CD pipeline logs or artifacts inadvertently capture and store credentials in plaintext, creating secondary exposure vectors
- Leaked OAuth tokens, SSH keys, or signing certificates enable impersonation attacks or unauthorized code deployment
- Compliance violations occur when encryption keys protecting regulated data, or PII itself, are stored in repositories contrary to data protection requirements
Testing procedure
How an auditor verifies this control
- Obtain an inventory of all source code repositories and CI/CD pipelines in scope, including GitHub, GitLab, Bitbucket, Azure DevOps, or self-hosted systems
- Review organization policies and standards requiring secret scanning enforcement and defining secret types to be detected
- Identify the secret scanning tools deployed (e.g., GitHub Advanced Security, GitLab Secret Detection, GitGuardian, TruffleHog, AWS CodeGuru, Yelp detect-secrets)
- Verify scanning configuration includes pattern libraries for common secret types: API keys, database passwords, private keys, cloud credentials, OAuth tokens, and organization-specific formats
- Confirm scanning executes on pre-commit hooks, pull request validation, merge checks, and CI pipeline stages before artifact publication
- Review alert routing configuration to confirm findings generate notifications to security teams and block merge or deployment workflows based on severity
- Select a sample of 10-15 recent commits and pull requests across multiple repositories and verify scan results are logged and findings were investigated
- Perform a live test by creating a test branch with a synthetic secret and confirming detection, blocking, and alerting mechanisms activate within expected timeframes
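To make the detection mechanics behind the control concrete (signature patterns plus entropy analysis, applied only to the lines a change adds, as a pre-commit or pull-request check would), here is a minimal scanner. It is an added example, not part of this control description or of any tool named above; the rules, the entropy threshold, the variable names and the sample diff are all constructed, and the AKIA value is the example access key id from AWS's own documentation, not a live credential.

```python
import math
import re
from collections import Counter

# Signature rules for well-known credential formats (constructed subset; real
# scanners ship hundreds). The AKIA pattern is the public AWS access-key-id shape.
SIGNATURES = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}
# Catch-all rule: a secret-looking variable assigned a long quoted literal.
ASSIGNMENT = re.compile(
    r"(?i)(password|passwd|secret|token|api[_-]?key)\s*[=:]\s*['\"]([^'\"\s]{16,})['\"]")
ENTROPY_THRESHOLD = 3.5  # bits/char; random tokens score >4, placeholders stay below

def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def redact(value: str) -> str:
    """Never echo a full candidate secret into logs or alerts."""
    return value[:4] + "..." + value[-2:]

def scan_diff(diff: str) -> list[dict]:
    """Scan only the added ('+') lines of a unified diff; return findings by line."""
    findings = []
    for lineno, line in enumerate(diff.splitlines(), 1):
        if not line.startswith("+") or line.startswith("+++"):
            continue  # context, removed lines and the file header are not new code
        body = line[1:]
        for rule, pattern in SIGNATURES.items():
            for m in pattern.finditer(body):
                findings.append({"rule": rule, "line": lineno, "match": redact(m.group(0))})
        for m in ASSIGNMENT.finditer(body):
            entropy = round(shannon_entropy(m.group(2)), 2)
            if entropy >= ENTROPY_THRESHOLD:  # "changeme"-style placeholders fall below
                findings.append({"rule": "high_entropy_assignment", "line": lineno,
                                 "match": redact(m.group(2)), "entropy": entropy})
    return findings

# Constructed sample diff; the AKIA value is AWS's own documented example key.
SAMPLE_DIFF = """\
--- a/config.py
+++ b/config.py
@@ -1,3 +1,5 @@
 REGION = "us-east-1"
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+DB_PASSWORD = "changeme_changeme_changeme"
+api_key = "x9Qp3LmZ7vB2nRt8KwYs4JdH6FgC1AeU"
"""
```

Any non-empty result from `scan_diff` is what a merge or pipeline gate would act on; note that the low-entropy placeholder on the DB_PASSWORD line is deliberately not reported, which is the trade-off an auditor should probe when reviewing the configured pattern library.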
Where this control is tested