Secrets Detection in Code: Pre-Commit, Pre-Push, Pre-Production
Secrets in commits are inevitable. The defense is layered detection that catches them before they hit the public history.
Where secrets leak
Secrets leak in commits, in build logs, in error messages, in screenshots. Most leak via commits to private repos that later go public.
Detection at the developer machine catches what server-side scans miss.
Three detection layers
- Pre-commit hook (trufflehog, gitleaks): runs on the developer machine; fast; blocks the commit.
- Pre-push hook: server-side check before push reaches the remote.
- Pre-production scan: CI step on every PR.
False-positive controls
False positives kill adoption. Tune to your stack: ignore test fixtures; allow specific patterns.
Quarterly: review allowlist; remove anything that no longer applies.
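The two sections above, the pre-commit layer and the false-positive controls, fit in one small scanner. The block below is an added example, not code from this page or from gitleaks/trufflehog: a staged-change scanner with a path ignore list for test fixtures, a pattern allowlist whose entries carry an expiry date (so the quarterly review is forced rather than remembered), and an entropy gate that drops obvious placeholders. The rules, policy, file contents and clock values are all constructed; the AWS key id is the one from AWS's own documentation, and the generic-key rule is deliberately narrow.

```python
"""Minimal pre-commit secret scanner with allowlist controls.
Added example, not the page's or any tool's code; every rule, path and
sample value below is constructed for illustration."""
import math
import re
import subprocess
import sys
from dataclasses import dataclass
from datetime import date
from fnmatch import fnmatch

# Detector rules (constructed; real tools ship far larger rule sets).
RULES = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "generic-api-key": re.compile(
        r"(?i)(api[_-]?key|secret|token)['\"]?\s*[=:]\s*['\"]?([A-Za-z0-9_\-]{20,})"
    ),
}
MIN_ENTROPY = 3.0  # bits per char; below this the generic rule is ignored


@dataclass
class Finding:
    rule: str
    path: str
    line: int
    match: str


@dataclass
class Policy:
    ignore_paths: list   # glob patterns for fixtures and similar
    allow_patterns: list # (compiled regex, expiry date); expired entries stop suppressing


# Constructed policy: fixtures are ignored; one placeholder is allowed until a review date.
POLICY = Policy(
    ignore_paths=["tests/fixtures/*", "*.test.js"],
    allow_patterns=[(re.compile(r"REPLACE_WITH_YOUR_KEY"), date(2025, 3, 31))],
)

# Constructed staged files as the hook would see them.
SAMPLE_FILES = {
    "src/config.py": 'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n',       # real finding
    "tests/fixtures/creds.json": '{"api_key": "abcdefghijklmnopqrstuvwxyz0123"}\n',  # ignored path
    "README.md": 'api_key = "REPLACE_WITH_YOUR_KEY_0000"\n',                # allowlisted placeholder
    "src/settings.py": 'token = "aaaaaaaaaaaaaaaaaaaaaaaa"\n',             # low entropy, dropped
}
TODAY = date(2025, 1, 15)          # constructed clock: allowlist still valid
AFTER_QUARTER = date(2025, 6, 1)   # constructed clock: allowlist entry expired


def shannon_entropy(s):
    """Bits of entropy per character; 0.0 for a run of one repeated character."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def expired_allowlist(policy, today):
    """Allowlist entries past their review date; the quarterly review works this list."""
    return [(p.pattern, exp) for p, exp in policy.allow_patterns if exp < today]


def scan_text(path, text, policy, today):
    """Scan one file's text, applying path ignores, entropy gate and live allowlist."""
    if any(fnmatch(path, g) for g in policy.ignore_paths):
        return []
    live_allows = [p for p, exp in policy.allow_patterns if exp >= today]
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES.items():
            for m in pattern.finditer(line):
                match = m.group(m.lastindex or 0)
                if rule == "generic-api-key" and shannon_entropy(match) < MIN_ENTROPY:
                    continue  # placeholder-shaped value, not a credential
                if any(a.search(match) for a in live_allows):
                    continue  # explicitly allowed, and the allow entry is not expired
                findings.append(Finding(rule, path, lineno, match))
    return findings


def scan_files(files, policy, today):
    """Scan a {path: text} mapping and return all findings."""
    return [f for path, text in files.items() for f in scan_text(path, text, policy, today)]


if __name__ == "__main__":
    # Hook mode: read the staged files from git and block the commit on any finding.
    staged = subprocess.run(
        ["git", "diff", "--cached", "--name-only", "--diff-filter=ACM"],
        capture_output=True, text=True, check=True,
    ).stdout.split()
    contents = {p: open(p, encoding="utf-8", errors="ignore").read() for p in staged}
    hits = scan_files(contents, POLICY, date.today())
    for f in hits:
        print(f"{f.path}:{f.line}: {f.rule}: {f.match[:6]}...")
    sys.exit(1 if hits else 0)
```

Expired allowlist entries fail closed: once the review date passes, the placeholder is reported again and the commit is blocked until someone either renews the entry or removes it, which is the quarterly review happening on its own schedule rather than on goodwill.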
Rotation when it happens
When a secret leaks: rotate immediately (do not wait for confirmation it leaked). Audit usage of the old secret in the prior 90 days.
Document the incident; update detection if it slipped past.
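The audit step of the rotation playbook, as an added example that is not the page's own tooling: given the leak time, pull every use of the old key from the prior 90 days, group it by principal and source address, and list sources that were never expected to hold the key. The key=value log format, the key id, the addresses and the incident time are all constructed; a real audit log such as CloudTrail is JSON and needs its own parser.

```python
"""Post-leak usage audit: what the leaked credential did in the 90 days before
the leak. Added example; log format, key id, addresses and times are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

AUDIT_WINDOW_DAYS = 90
LEAKED_KEY = "AKIACONSTRUCTEDKEY01"                      # constructed key id
LEAK_TIME = datetime(2025, 1, 15, tzinfo=timezone.utc)  # constructed incident time

# Constructed access-log lines (timestamp, then key=value fields).
LOG_LINES = [
    "2024-10-01T09:15:00Z key=AKIACONSTRUCTEDKEY01 principal=ci-runner src=10.0.0.5 action=s3:GetObject",
    "2024-11-20T14:02:11Z key=AKIACONSTRUCTEDKEY01 principal=ci-runner src=10.0.0.5 action=s3:GetObject",
    "2025-01-03T22:47:09Z key=AKIACONSTRUCTEDKEY01 principal=ci-runner src=203.0.113.7 action=iam:ListUsers",
    "2025-01-10T08:00:00Z key=AKIAOTHERKEY00000002 principal=backup src=10.0.0.9 action=s3:PutObject",
    "2025-01-14T03:30:00Z key=AKIACONSTRUCTEDKEY01 principal=ci-runner src=203.0.113.7 action=s3:ListBuckets",
]


def parse_line(line):
    """Split one log line into a dict; 'ts' is a timezone-aware UTC datetime."""
    ts_text, _, rest = line.partition(" ")
    ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = ts
    return fields


def usage_in_window(lines, key_id, leak_time, days=AUDIT_WINDOW_DAYS):
    """Usage of key_id in [leak_time - days, leak_time], grouped by (principal, src)."""
    start = leak_time - timedelta(days=days)
    summary = defaultdict(lambda: {"count": 0, "first": None, "last": None, "actions": set()})
    for line in lines:
        rec = parse_line(line)
        if rec["key"] != key_id or not (start <= rec["ts"] <= leak_time):
            continue
        entry = summary[(rec["principal"], rec["src"])]
        entry["count"] += 1
        entry["first"] = rec["ts"] if entry["first"] is None else min(entry["first"], rec["ts"])
        entry["last"] = rec["ts"] if entry["last"] is None else max(entry["last"], rec["ts"])
        entry["actions"].add(rec["action"])
    return dict(summary)


def unexpected_sources(summary, known_sources):
    """Source addresses that used the key but are not in the known set."""
    return sorted({src for (_, src) in summary if src not in known_sources})


if __name__ == "__main__":
    usage = usage_in_window(LOG_LINES, LEAKED_KEY, LEAK_TIME)
    for (principal, src), entry in sorted(usage.items()):
        print(f"{principal} from {src}: {entry['count']} calls, "
              f"{entry['first']:%Y-%m-%d} to {entry['last']:%Y-%m-%d}, {sorted(entry['actions'])}")
    print("unexpected sources:", unexpected_sources(usage, {"10.0.0.5"}))
```

The window is anchored at the leak time so the usage summary is the same whether it runs on the day of the incident or a week later during the write-up; anything from an address the key was never meant to be used from goes straight into the incident record.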
Antipatterns
- Pre-commit only. Misses laptops without the hook.
- No allowlist. Engineers disable the hook.
- Detection without rotation playbook. Found but not fixed.
What to do this week
Three moves. (1) Pick one production system to apply this pattern to first. (2) Measure the security signal before/after. (3) Document the gap and write a follow-up ticket so the program stays alive between quarterly reviews.