How DevSecOps scans for leaked credentials and secrets — patterns to detect, git history scanning, response protocol. Maps to sec_secret_scan group call and secret-detector sub-agent.
A single leaked API key can compromise an entire system. Your job is to find exposed credentials BEFORE they reach production — in code, config, commit history, and environment files.
| Pattern | Example | Risk |
|---|---|---|
| API keys | AKIAIOSFODNN7EXAMPLE (AWS), sk-... (OpenAI) | Service compromise |
| Tokens | ghp_... (GitHub PAT), xoxb-... (Slack) | Account takeover |
| Passwords | password = "hunter2", connection strings with creds | Database/service access |
| Private keys | -----BEGIN RSA PRIVATE KEY----- | Identity theft |
| Connection strings | postgresql://user:pass@host/db | Database access |
| JWT secrets | JWT_SECRET=mysecretkey | Token forgery |
```
Agent: secret-detector
Prompt: "Scan fleet/infra/ and config/ for exposed credentials,
API keys, tokens, and secret patterns. Check .env.example
for real values that shouldn't be there."
```
Semgrep has rules for secret detection across 30+ languages.
Secrets removed from HEAD may still exist in git history:

```bash
git log --all -p | grep -i "password\|secret\|token\|api_key\|private_key"
```
sec_secret_scan() prepares the scanning context:
When a secret is found:

```
fleet_alert(severity="critical", category="security", details="Exposed {type} in git history")
```

```
API_KEY=your-api-key-here
```

Your secret-scan CRON runs weekly:
Not every match is a real secret:
When in doubt, treat it as real until verified otherwise. The cost of a false negative (missed real secret) is much higher than the cost of a false positive (investigated harmless string).
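The following is an added example, not the secret-detector agent's own code: a small scanner that matches the pattern classes from the table above, flags obvious documentation placeholders (the .env.example check), and keeps every hit while separating out the ones that should go straight to a critical alert. All regexes, the placeholder markers and the sample .env.example content are constructed for this example.

```python
import re

# Regexes for the secret classes in the table above (constructed for this example;
# real tooling such as Semgrep ships far more precise rule sets).
SECRET_PATTERNS = {
    "api_key": re.compile(r"(?i)\bapi[_-]?key\s*[=:]\s*['\"]?([^\s'\"]+)"),
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "openai_key": re.compile(r"\bsk-[A-Za-z0-9_-]{20,}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "slack_bot_token": re.compile(r"\bxoxb-[0-9]+-[0-9A-Za-z-]+\b"),
    "private_key": re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"),
    "connection_string": re.compile(r"\b\w+://[^\s:/@]+:([^\s@]+)@\S+"),
    "password_assignment": re.compile(r"(?i)\bpassword\s*[=:]\s*['\"]?([^\s'\"]+)"),
    "jwt_secret": re.compile(r"\bJWT_SECRET\s*=\s*['\"]?([^\s'\"]+)"),
}

# Placeholder markers: they lower confidence but the hit is still reported (a missed real secret costs more).
PLACEHOLDER_RE = re.compile(r"(?i)(your[-_]|example|changeme|placeholder|<[^>]*>|x{4,}|\$\{)")


def is_placeholder(value: str) -> bool:
    return bool(PLACEHOLDER_RE.search(value))


def scan_text(text: str, source: str = "<memory>") -> list[dict]:
    # One finding per (line, pattern) hit; only a short preview of the secret is
    # kept so findings can be copied into alerts and logs without re-leaking it.
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in SECRET_PATTERNS.items():
            m = pattern.search(line)
            if m:
                value = m.group(1) if m.groups() else m.group(0)
                findings.append({
                    "source": source, "line": lineno, "type": kind,
                    "placeholder": is_placeholder(value), "preview": value[:4] + "...",
                })
    return findings


def needs_alert(findings: list[dict]) -> list[dict]:
    # What to hand to fleet_alert(severity="critical", ...): everything not recognisably a placeholder.
    return [f for f in findings if not f["placeholder"]]


# Constructed .env.example content: two documentation placeholders and two real-looking leaks.
SAMPLE_ENV_EXAMPLE = """\
API_KEY=your-api-key-here
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
DATABASE_URL=postgresql://app:hunter2@db.internal/app
JWT_SECRET=mysecretkey
"""
```

Run `needs_alert(scan_text(SAMPLE_ENV_EXAMPLE, ".env.example"))` to see that the placeholder API key and the AWS documentation key are kept as low-confidence findings while the connection-string password and JWT secret are the two that warrant a critical alert.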