Secret Scanning in Public Repos
Secrets in public GitHub get exploited fast.
Speed
Secrets accidentally committed to public repositories are the highest-velocity credential leak vector that exists. Within minutes of a public commit, automated bots have scanned the commit, detected the credential, and started using it. The window between leak and exploitation is so short that traditional incident response timelines do not apply; the response has to be automated and immediate.
What the speed actually looks like:
- Public-repo secret leaks are exploited within minutes: Bots scan public GitHub commits in real time. AWS access keys, Stripe tokens, GitHub PATs, and OpenAI keys are all found and used by attackers within 5 to 15 minutes of being committed. The exploitation is automated; there is no human delay.
- Don't assume you have time: The traditional "we have hours to respond" assumption does not apply. Once a credential is in a public commit, treat it as compromised immediately. Even if you delete the commit, the credential is in the wild; the bot already has it.
- Cryptocurrency mining is the most common abuse: Stolen AWS credentials are routinely used to spin up large numbers of EC2 instances for mining. The bill arrives weeks later; by then the attacker has long since pivoted to the next victim. The cost can be tens of thousands of dollars from a single leaked key.
- Account takeover is the secondary abuse: Some leaked credentials grant access to data or other systems. The attacker explores, pivots, and exfiltrates. The downstream damage can be much larger than the initial credential's apparent scope.
- Public-repo leaks are the worst case: Private repos, Slack channels, and log archives are slower-moving leak vectors. Public repos are different in kind because the entire internet is watching. The response speed must match the threat speed.
Speed is the defining feature of public-repo secret leaks. The defense must match the attack speed; manual response is too slow.
Scan
The infrastructure that makes the response viable is automated scanning by the platform itself. GitHub, GitLab, and other major platforms scan public commits and notify both the repo owner and the credential issuer. The notification is fast; the rotation can begin within minutes.
- GitHub secret scanning is native: GitHub scans every public commit for known secret patterns. A detection produces a notification to the repo owner. For supported credential types, the platform also notifies the credential issuer (AWS, Stripe, etc.).
- Auto-rotation for AWS, Azure, GCP, and Stripe keys: When GitHub notifies the credential issuer, the issuer often auto-rotates. AWS auto-disables exposed access keys; Stripe rotates exposed publishable keys; many SaaS providers do the same. The auto-rotation is often faster than the team's response.
- Coverage of common patterns: The scanning recognizes the formats of the major credential types: AWS access keys, GitHub tokens, npm tokens, Stripe keys, Azure connection strings, and GCP service account JSON. Each is detected and reported.
- Push protection mode: GitHub Advanced Security supports push protection: a secret detected at push time blocks the push entirely. The credential never reaches the public repo. This is the strongest version of the defense; it prevents the leak rather than detecting it.
- Cross-platform coverage: Similar features exist on GitLab, Bitbucket, and other platforms. The team configures the appropriate features for its hosting so that coverage is consistent across the codebase.
Platform-level scanning is the infrastructure that makes fast response possible. The team's response builds on this foundation.
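To make the push-protection idea concrete, here is an added example (not the page's or any platform's own scanning code) that applies a small set of documented credential formats to the added lines of a unified diff and blocks the push on any hit. The pattern set, the diff and the file names are constructed for illustration; the AWS key value is the one from AWS's own documentation.

```python
import re

# Public documented shapes of three common credential types (assumption:
# a minimal pattern set, not the platform's own scanning rules).
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "stripe_secret_key": re.compile(r"\bsk_live_[A-Za-z0-9]{24,}\b"),
}

# Constructed unified diff: the hunk removes a GitHub token (not a finding,
# that leak already happened) and adds the AWS documentation example key.
SAMPLE_DIFF = """\
diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,3 +1,3 @@
 import os
-GH_TOKEN = "ghp_AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
 DEBUG = False
"""

def scan_diff(diff_text):
    """Return (file, new line number, type) for each secret on an added line.
    Only '+' lines are checked: push protection cares about what is about
    to land in the repo, so removed and context lines are never findings."""
    findings, current_file, new_lineno = [], None, 0
    for line in diff_text.splitlines():
        if line.startswith("+++ "):          # new-side file header
            path = line[4:]
            current_file = path[2:] if path.startswith("b/") else path
        elif line.startswith("@@"):          # hunk header: reset new-side line counter
            m = re.search(r"\+(\d+)", line)
            new_lineno = int(m.group(1)) if m else 0
        elif line.startswith("+"):           # added line: the only thing scanned
            for kind, pat in SECRET_PATTERNS.items():
                if pat.search(line):
                    findings.append((current_file, new_lineno, kind))
            new_lineno += 1
        elif not line.startswith("-"):       # context line advances the new side
            new_lineno += 1
    return findings

def should_block_push(diff_text):
    """Push-protection decision: any finding blocks the push outright."""
    return bool(scan_diff(diff_text))
```

Run as a pre-receive or pre-push hook, `should_block_push(SAMPLE_DIFF)` returns True and the key never reaches the public repo; a line that merely removes a token does not trigger a block, which is why removal alone is never a fix.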
Respond
The response to a detected public-repo leak is mechanical and immediate. There is no time for investigation before rotation; the rotation comes first, the investigation follows.
- Rotate immediately on any detection: The detection is the trigger; the rotation is the response. No deliberation and no investigation first; rotate immediately. The credential is already in the wild; every minute the old value stays valid is a minute of exploitation risk.
- Don't investigate first: The investigation can happen after rotation. Was the leak intentional? Did the attacker use the credential? What did they access? Each question is important; none is more important than the rotation. The rotation is non-negotiable; the investigation can wait minutes or hours.
- Update consumers in parallel with rotation: Rotating the credential is one step; updating the systems that use it is another. Both happen in parallel. The window in which the credential is rotated but systems still use the old value should be minutes, not hours.
- Audit usage during the window: Once rotation is complete, pull the audit log for the period from leak to rotation. Was the credential used by anyone other than authorized parties? Were there access patterns that indicate compromise? The audit feeds the post-incident analysis.
- Postmortem the leak: Even if no harm occurred, postmortem the leak. How did the secret get into the commit? What process gap allowed it? What changes prevent recurrence? The postmortem produces structural improvements.
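The audit and postmortem steps above, as an added example that is not the page's or Nova AI Ops' code: given the leak time (the public commit), the rotation time, and a slice of CloudTrail-style events, it isolates uses of the leaked key id from unexpected sources inside that window and turns them into a postmortem-ready timeline. The event field names, IP addresses and timestamps are constructed assumptions; the key id is the AWS documentation example value.

```python
from datetime import datetime, timezone

# The AWS documentation example key id; not a real credential.
LEAKED_KEY = "AKIAIOSFODNN7EXAMPLE"
# Constructed: the only source that should ever use this key (a CI runner,
# TEST-NET-3 documentation address).
EXPECTED_IPS = {"203.0.113.10"}
# Constructed CloudTrail-like events (assumption: these field names); times
# straddle the leak at 10:05 and the rotation at 10:15.
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T10:00:12Z", "accessKeyId": LEAKED_KEY,
     "sourceIPAddress": "203.0.113.10", "eventName": "GetObject"},
    {"eventTime": "2024-05-01T10:07:45Z", "accessKeyId": LEAKED_KEY,
     "sourceIPAddress": "198.51.100.77", "eventName": "GetCallerIdentity"},
    {"eventTime": "2024-05-01T10:09:02Z", "accessKeyId": LEAKED_KEY,
     "sourceIPAddress": "198.51.100.77", "eventName": "RunInstances"},
    {"eventTime": "2024-05-01T10:20:00Z", "accessKeyId": LEAKED_KEY,
     "sourceIPAddress": "198.51.100.77", "eventName": "RunInstances"},
]

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def audit_window(events, key_id, leak_at, rotated_at, expected_ips):
    """Events that used key_id between leak and rotation from an unexpected
    source. Calls after rotation are out of scope: the old value is dead."""
    start, end = parse_ts(leak_at), parse_ts(rotated_at)
    return [e for e in events
            if e["accessKeyId"] == key_id
            and start <= parse_ts(e["eventTime"]) <= end
            and e["sourceIPAddress"] not in expected_ips]

def build_timeline(events, key_id, leak_at, rotated_at, expected_ips):
    """Postmortem-ready summary: how long the key was exposed, how quickly it
    was abused, from where, and what the abuser did."""
    hits = sorted(audit_window(events, key_id, leak_at, rotated_at, expected_ips),
                  key=lambda e: e["eventTime"])
    leak, rot = parse_ts(leak_at), parse_ts(rotated_at)
    first = parse_ts(hits[0]["eventTime"]) if hits else None
    return {
        "leak_at": leak_at,
        "rotated_at": rotated_at,
        "exposure_minutes": (rot - leak).total_seconds() / 60,
        "minutes_to_first_abuse": (first - leak).total_seconds() / 60 if first else None,
        "suspicious_sources": sorted({e["sourceIPAddress"] for e in hits}),
        "actions_seen": sorted({e["eventName"] for e in hits}),
        "suspicious_event_count": len(hits),
    }
```

On the constructed data the key was abused 2.75 minutes after the commit and the first unexpected action is a `GetCallerIdentity` followed by `RunInstances`, which is the reconnaissance-then-mining shape the Speed section describes.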
Public-repo secret leak response is one of those security disciplines where the speed and structure of the response determine whether harm occurs. Nova AI Ops integrates with platform secret scanning, automates the rotation flow for supported credential types, and produces the postmortem-ready timeline that the team needs after the incident is contained.