Recipe: Repo secret scanning + rotation
Detect leaked credentials in your Git history and rotate them before they become an incident. This recipe covers Gitleaks, GitHub Advanced Security, and automated rotation pipelines.
1. Scan every push
Install Gitleaks as a pre-commit hook and in CI. Block merges that introduce high-entropy strings matching known secret patterns.
gitleaks detect --source . --verbose
2. Full history audit
Run a one-time scan across all branches and tags. Secrets buried in old commits are still exploitable.
gitleaks detect --source . --log-opts="--all"
3. Rotate immediately
A detected secret is already compromised. Revoke it, issue a new one, and update all consumers within the rotation window.
4. Prevent recurrence
Use .gitignore templates, inject environment variables at deploy time, and keep secrets in a secret manager (Vault, Doppler, AWS Secrets Manager). Never commit .env files containing secrets to source control.
Pro tip: Combine Gitleaks with GitHub push protection to block secrets before they leave the developer's machine.
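As an added example (not Gitleaks' own code and not part of the original recipe), the kind of check steps 1 and 2 rely on: a small scanner that matches known secret formats, discards low-entropy placeholders, and can be pointed at the full git history. The rule regexes, the 3.5 bits/char threshold and the sample diff lines are assumptions constructed for illustration.

```python
import math, re, subprocess
from collections import Counter, namedtuple

# Assumed rule set, modelled on the style of Gitleaks rules: one format regex per
# secret type. Group 1, where present, isolates the secret value itself.
PATTERNS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github-pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "generic-credential": re.compile(
        r"(?i)(?:secret|token|password|api_key)\s*[:=]\s*['\"]([^'\"]{16,})['\"]"),
}
ENTROPY_THRESHOLD = 3.5  # bits per character; assumed cut-off for "high entropy"

Finding = namedtuple("Finding", "rule line_no secret entropy")

def shannon_entropy(s: str) -> float:
    """Bits per character of s (0.0 for an empty string)."""
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def scan_lines(lines):
    """Apply every rule to every line and keep only matches whose entropy is high
    enough to be a live credential; placeholders such as ghp_xxxx... are dropped."""
    findings = []
    for no, line in enumerate(lines, 1):
        for rule, pat in PATTERNS.items():
            for m in pat.finditer(line):
                value = m.group(1) if m.groups() else m.group(0)
                ent = shannon_entropy(value)
                if ent >= ENTROPY_THRESHOLD:
                    findings.append(Finding(rule, no, value, round(ent, 2)))
    return findings

def scan_history(repo="."):
    """Step 2 of the recipe: scan the full history of every branch and tag.
    Needs git on PATH; line numbers index into the combined patch output."""
    out = subprocess.run(["git", "-C", repo, "log", "-p", "--all", "--no-color"],
                         capture_output=True, text=True, check=True).stdout
    return scan_lines(out.splitlines())

# Constructed sample diff lines (not taken from any real repository).
SAMPLE_DIFF = [
    "+AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",        # AWS documentation example key id
    "+GITHUB_TOKEN=ghp_" + "x" * 36,                   # placeholder: matches, low entropy
    '+db_password = "Q7w!pZ3r#Lm9vX2bN8kT5yH4"',      # 24 distinct chars, high entropy
    "+print('hello')",                                 # no rule matches
]
FINDINGS = scan_lines(SAMPLE_DIFF)  # two findings: the AWS key id and the password
```

The entropy gate is what keeps documentation placeholders out of the report; lower the threshold if you see real keys being skipped in your own history.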