SA-15(8) / IA-5(7) NIST SP 800-53 Rev 5

Secret scanning on every commit (incl. AI-generated)

Demonstrate that automated secret scanning executes on every commit across all repositories, detects hardcoded credentials including those in AI-generated code, and enforces a remediation workflow with documented response to findings.

Description

What this control does

This control requires automated secret scanning tools to analyze every code commit—including commits containing AI-generated code—before or immediately after merge to detect exposed credentials, API keys, private keys, tokens, and other sensitive authentication material. Scanning must trigger on all commits regardless of source (human-authored, AI pair programming tools, automated generation) and block or alert on findings according to policy. This prevents hardcoded secrets from entering version control history where they persist indefinitely and can be exploited even after rotation.

Control objective

What auditing this proves

Demonstrate that automated secret scanning executes on every commit across all repositories, detects hardcoded credentials including those in AI-generated code, and enforces a remediation workflow with documented response to findings.

Associated risks

Risks this control addresses

  • Developers commit hardcoded API keys or cloud credentials that are subsequently exploited by attackers scanning public or compromised repositories
  • AI code generation tools insert example or placeholder credentials into production code that remain undetected and functional
  • Private keys or certificate material committed to version control enable unauthorized access to production systems or encrypted data
  • Service account tokens or database connection strings leak through commit history and permit lateral movement after initial compromise
  • Secrets committed by developers persist in Git history even after removal from current codebase, enabling discovery through repository archaeology
  • Third-party OAuth tokens or webhook secrets exposed in commits allow attackers to impersonate legitimate integrations
  • Undetected credential sprawl across repositories increases blast radius when a single developer workstation is compromised

Testing procedure

How an auditor verifies this control

  1. Obtain and review the organization's secret scanning policy, including scope of repositories covered, tool configuration, and response procedures for detected secrets
  2. Inventory all active code repositories (GitHub, GitLab, Bitbucket, etc.) and verify that secret scanning tooling is enabled and enforced at the platform or organization level
  3. Examine the secret scanning tool configuration to confirm coverage of common secret patterns (API keys, private keys, database URLs, OAuth tokens) and custom patterns specific to the organization's technology stack
  4. Review commit hooks, CI/CD pipeline configurations, or platform-level policies to verify scanning executes on every commit with no bypasses or exemptions that exclude AI-generated code
  5. Select a random sample of 20-30 recent commits across multiple repositories and trace evidence that secret scanning executed (scan logs, pipeline runs, or platform audit events)
  6. Test the control by submitting a test commit containing a known safe but realistic secret pattern to a non-production repository and verify detection, alerting, and blocking or remediation workflow activation
  7. Review incident or alert records for the past 90 days to identify any secrets detected, and trace remediation actions including secret rotation, commit history rewriting, or access revocation
  8. Interview development and DevOps personnel to confirm awareness of the secret scanning requirement, including how it applies to code generated by AI pair programming or code generation tools
Evidence required

Auditor collects secret scanning platform configuration exports showing enabled repositories and rulesets; CI/CD pipeline definitions or pre-commit hook configurations proving scanning integration; execution logs or pipeline run histories demonstrating scanning activity on sampled commits; alert or incident tickets with timestamps, detected secret types, and documented remediation actions; and test result screenshots showing successful detection of the auditor-submitted test secret.

Pass criteria

Secret scanning executes on 100% of sampled commits across all in-scope repositories, detects test secrets submitted by the auditor, and demonstrates documented remediation workflow execution for any real secrets identified in the review period.
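As an added illustration (not part of this control text and not the code of any scanning product), the following is a minimal pre-commit style scanner over the added lines of a staged diff, with a constructed sample commit standing in for the auditor's test commit in step 6. The rule names, regexes, entropy threshold and sample values are assumptions chosen for the example.

```python
# Added example: minimal secret scanner over the added lines of a unified diff (hypothetical
# code, not any product). Scanning the diff treats human-written and AI-generated changes alike.
import math
import re

# Hypothetical pattern set; a real deployment uses the platform ruleset plus custom patterns.
PATTERNS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private-key-block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    "db-url-with-password": re.compile(r"\b(?:postgres(?:ql)?|mysql|mongodb)://[^:/\s]+:[^@\s]+@"),
    "generic-assigned-secret": re.compile(
        r"(?i)\b(?:api[_-]?key|secret|token|password)\b\s*[:=]\s*['\"]([A-Za-z0-9_\-/+=]{16,})['\"]"),
}
ENTROPY_MIN = 3.0  # bits per char; drops low-variety fillers such as "xxxxxxxxxxxxxxxx"

def shannon_entropy(s):
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def scan_diff(diff_text):
    """Return (rule, line number in the new file, matched value) for each finding."""
    findings, new_line = [], 0
    for raw in diff_text.splitlines():
        hunk = re.match(r"@@ -\d+(?:,\d+)? \+(\d+)", raw)
        if hunk:                       # hunk header: reset the new-file line counter
            new_line = int(hunk.group(1)) - 1
        elif raw.startswith("+") and not raw.startswith("+++"):
            new_line += 1
            for rule, pat in PATTERNS.items():
                for hit in pat.finditer(raw[1:]):
                    value = hit.group(1) if hit.groups() else hit.group(0)
                    if rule == "generic-assigned-secret" and shannon_entropy(value) < ENTROPY_MIN:
                        continue       # keyword matched but the value looks like a placeholder
                    findings.append((rule, new_line, value))
        elif raw.startswith(" "):      # unchanged context line still occupies a line
            new_line += 1
    return findings

# Constructed sample standing in for `git diff --cached -U0`; AKIAIOSFODNN7EXAMPLE is AWS's
# documented example key, so it is a safe but realistic test value (testing step 6).
SAMPLE_DIFF = """\
--- a/config.py
+++ b/config.py
@@ -0,0 +1,5 @@
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+DATABASE_URL = "postgres://app:Tr0ub4dor&3@db.internal:5432/app"
+token = "b7Kq9xZ2pL4mN8rT1vW3yA6c"
+API_KEY = "xxxxxxxxxxxxxxxxxxxxxxxx"
+TIMEOUT = 30
"""
```

Wired as a pre-commit hook, the script feeds the output of `git diff --cached -U0` to `scan_diff` and exits non-zero on any finding so the commit is blocked; when reporting, print only a short prefix of each matched value so the hook log does not itself leak the secret.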

Where this control is tested

Audit programs including this control