Secrets Detection: How to Find and Fix Hardcoded Credentials in Your Code

Written by the Rafter Team

Secrets detection is the automated process of scanning your codebase, commit history, and CI artifacts for hardcoded credentials: API keys, database passwords, private keys, and tokens that should never appear in source code. A single exposed AWS key can run up thousands of dollars in compute charges within hours. GitHub's secret scanning detects millions of leaked secrets every year, and many of them are found by attackers before the developers who committed them notice.
Developers hardcode secrets during prototyping, paste them into test files, or commit .env files by accident. Without automated detection, these credentials persist in git history indefinitely, even after the offending file is deleted.
Deleting a file does not delete the secret. Every committed secret stays in your git history until the history itself is rewritten, and an attacker who clones your repo can search every commit ever made in seconds. Rotation is the only safe response to a leaked credential; scrubbing history is cleanup, not remediation.
Scan your repos for leaked secrets with Rafter — connect a repo and get results in under two minutes.
How Secrets Detection Works
Secrets scanners use three complementary techniques to find credentials in code.
Regex pattern matching identifies secrets by their known format. Long-lived AWS access key IDs start with AKIA (temporary ones with ASIA) and are 20 characters long, Stripe live secret keys start with sk_live_, and classic GitHub personal access tokens start with ghp_. Pattern-based detection is fast and has a low false-positive rate for well-structured token formats, but it sees nothing it has no pattern for: a database password or an AWS secret access key has no distinguishing prefix.
Entropy analysis flags high-randomness strings that look like cryptographic material. A 40-character hex string in a config file is probably not a human-readable value; it is more likely a secret. Entropy scanning catches credentials that follow no known prefix pattern, but it generates more false positives than regex matching: a git commit SHA is also 40 hex characters, and checksums, minified assets and base64-encoded images all score high. It also misses the low-entropy password a human chose, so scanners usually pair it with keyword rules such as password = or api_key =.
Verified secrets scanning goes further by testing whether a detected credential is actually live. The scanner makes a controlled, read-only API call (for example, asking the provider which account the key belongs to) to confirm the key is valid. This removes most false positives from test fixtures and example code, and tells you which leaks need immediate rotation. Two caveats: the verification call is itself a use of the credential and will show up in the provider's audit log, and a key that fails verification today may still have been live when it was committed, so a negative result clears the present, not the past.
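The following scanner is an added example written for this article; it is not code from Rafter, GitLeaks or TruffleHog. It implements the first two techniques above over a constructed config file (the AWS key is the placeholder AWS uses in its own documentation, the other values are invented) and shows the two failure modes the text describes: a commit SHA that entropy alone would flag, handled here with a line-context allowlist that is a heuristic of this example, and a short human-chosen password that neither technique sees. The entropy thresholds (3.0 bits per character for hex, 4.5 otherwise) are assumptions, not a standard. Verification is left out because it requires live API calls.

```python
import math
import re
from dataclasses import dataclass

# Constructed sample file, not taken from any real repository. The AWS key ID
# is the documented placeholder; the Stripe key, GitHub token and signing key
# are made up and match only the shape of the real formats.
SAMPLE_CONFIG = """\
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
STRIPE_KEY = "sk_live_Xy7Kp2Lm9QrT4vWz8BnC1dFg"
GITHUB_TOKEN: ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdef0123
db_password = "hunter2"
SESSION_SIGNING_KEY = "6fKq2Zr9vBnL0wT3xYp8GhJ4Md1eCs7UaRtWvQo5"
PINNED_COMMIT = "2fd4e1c67a2d28fced849ee1bb76e7391b93eb12"
"""

# Prefix rules: AWS key IDs are 20 chars (AKIA long-lived, ASIA temporary),
# Stripe live secret keys carry sk_live_, classic GitHub PATs carry ghp_.
PREFIX_RULES = {
    "aws-access-key-id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
    "stripe-live-secret-key": re.compile(r"\bsk_live_[0-9a-zA-Z]{24,}\b"),
    "github-pat-classic": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}

# Entropy candidates: runs of at least 20 token-like characters. '=' is left
# out of the set so that KEY=value does not become a single candidate.
CANDIDATE = re.compile(r"[A-Za-z0-9+/_\-]{20,}")
HEX_ONLY = re.compile(r"^[0-9a-fA-F]+$")
HEX_THRESHOLD, BASE64_THRESHOLD = 3.0, 4.5  # bits per character; assumed values

# Heuristic allowlist (this example's own): lines that name a hash are a
# classic entropy false positive, since a commit SHA is 40 hex chars just like
# a hex secret. It applies to entropy findings only; prefix hits are never
# suppressed.
HASH_CONTEXT = re.compile(r"(?i)(commit|checksum|digest)")


@dataclass(frozen=True)
class Finding:
    line_no: int
    rule: str
    secret: str


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; the maximum is log2(alphabet size)."""
    if not s:
        return 0.0
    n = len(s)
    counts = {ch: s.count(ch) for ch in set(s)}
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(text: str) -> list[Finding]:
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        covered: list[tuple[int, int]] = []
        for rule, pattern in PREFIX_RULES.items():
            for m in pattern.finditer(line):
                findings.append(Finding(line_no, rule, m.group()))
                covered.append(m.span())
        if HASH_CONTEXT.search(line):
            continue  # skip entropy scoring on lines that declare a hash
        for m in CANDIDATE.finditer(line):
            if any(a <= m.start() < b for a, b in covered):
                continue  # already reported by a prefix rule
            token = m.group()
            threshold = HEX_THRESHOLD if HEX_ONLY.match(token) else BASE64_THRESHOLD
            if shannon_entropy(token) >= threshold:
                findings.append(Finding(line_no, "high-entropy-string", token))
    return findings


if __name__ == "__main__":
    for f in scan_text(SAMPLE_CONFIG):
        print(f"line {f.line_no}: {f.rule}: {f.secret[:8]}...")
```

Running it reports lines 1, 2, 3 and 5. Line 4 ("hunter2") is never a candidate because it is too short and has no prefix, which is the gap keyword rules exist to fill, and line 6 scores 3.7 bits per character, above the hex threshold, but is dropped by the allowlist because the line names a commit.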
GitLeaks vs TruffleHog vs Rafter
GitLeaks is a lightweight, open source scanner built around regex rules with optional per-rule entropy thresholds. It scans working trees and full git history, can run as a pre-commit hook, supports custom rules via a TOML config, and is fast. It does not verify findings, so placeholder keys in fixtures and examples surface alongside real leaks and need manual triage.
TruffleHog adds entropy analysis and verified secrets detection. It checks whether discovered credentials are active by making safe API calls, which dramatically reduces noise. It supports git repos, S3 buckets, and CI logs.
Rafter combines secrets detection with full SAST, dependency scanning, and AI-powered code analysis in a single platform. You get secrets scanning alongside vulnerability detection and remediation guidance — all running automatically on every pull request.
Pre-Commit Hooks vs CI Scanning
You need both. They solve different problems at different stages.
Pre-commit hooks run locally before code enters the repository. Tools like GitLeaks can block a commit that contains an AWS key, preventing the secret from ever reaching git history. The limitation is that hooks are client-side: developers can skip them with --no-verify, they have to be installed on every clone, and they do not cover secrets already in the repo.
CI pipeline scanning runs server-side on every push and pull request. A committer cannot skip it the way they can a local hook, it can scan the full commit history rather than only the staged change, and it catches what pre-commit hooks missed. Two caveats: make the scan job a required check, otherwise a red result is only advice, and make sure the checkout fetches full history, since many CI checkouts are shallow by default and a shallow clone hides older commits from the scanner. CI scanning is your safety net. Pre-commit hooks are your first line of defense.
A secret blocked by a pre-commit hook never entered the repository and needs no rotation. A secret caught in CI has already been pushed to the server, so it must be rotated; the gain is that it was stopped before merge and never reached production.
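Here is what the pre-commit side looks like in practice, as an added example written for this article rather than code from GitLeaks or Rafter. It reads the staged diff, inspects only added lines (removing a secret should never be blocked), and reports the file and new line number of each hit. The rule set is deliberately tiny, two prefix rules, and the diff it is tested against is constructed; the AWS values in it are the placeholders from AWS documentation.

```python
import re
import subprocess
import sys

# Two prefix rules are enough for the example; a real hook loads the full rule
# set shared with the CI scanner so both stages agree on what a secret is.
RULES = {
    "aws-access-key-id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
    "github-pat-classic": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}

# "@@ -12,0 +13,2 @@": the group captures the first new-file line of the hunk.
HUNK_HEADER = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")

# Constructed `git diff --cached -U0` output. Note the AWS secret access key on
# the second added line: it has no prefix, so these rules do not catch it,
# which is exactly why prefix rules are paired with entropy or keyword rules.
SAMPLE_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
index 3b18e51..9c0f2ab 100644
--- a/config/settings.py
+++ b/config/settings.py
@@ -12,0 +13,2 @@ DEBUG = False
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
@@ -40 +42 @@ LOG_LEVEL = "info"
-GITHUB_TOKEN = "ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdef0123"
+GITHUB_TOKEN = os.environ["GITHUB_TOKEN"]
"""


def scan_staged_diff(diff: str) -> list[tuple[str, int, str, str]]:
    """Return (path, new line number, rule, match) for every secret on an added line.

    Removed ('-') lines are ignored on purpose: that secret is already in
    history and blocking the commit that deletes it helps nobody."""
    findings = []
    path, new_line = None, 0
    for raw in diff.splitlines():
        if raw.startswith("+++ "):
            target = raw[4:]
            path = target[2:] if target.startswith("b/") else target  # drop git's b/ prefix
        elif raw.startswith("--- "):
            continue
        elif (m := HUNK_HEADER.match(raw)):
            new_line = int(m.group(1))
        elif raw.startswith("+"):
            for rule, pattern in RULES.items():
                for hit in pattern.finditer(raw[1:]):
                    findings.append((path, new_line, rule, hit.group()))
            new_line += 1
        elif raw.startswith(" "):
            new_line += 1  # unchanged context line (absent with -U0, kept for safety)
    return findings


def main() -> int:
    diff = subprocess.run(
        ["git", "diff", "--cached", "-U0", "--no-color"],
        check=True, capture_output=True, text=True,
    ).stdout
    findings = scan_staged_diff(diff)
    for path, line, rule, secret in findings:
        print(f"{path}:{line}: {rule} ({secret[:6]}...)", file=sys.stderr)
    if findings:
        print("commit blocked: move the value above into an environment variable "
              "or a secret manager, then re-stage", file=sys.stderr)
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Save it as .git/hooks/pre-commit and make it executable; on the sample diff it reports config/settings.py:13 and exits non-zero. A developer can still get past it with git commit --no-verify, and the hook exists only on clones where it was installed, which is why the CI scan described above is the safety net rather than a duplicate.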
Add secrets scanning to your pipeline with Rafter — set up automated detection in under five minutes.
What to Do When a Secret Leaks
Speed matters more than process. Follow this order:
- Rotate immediately. Revoke the exposed key and issue a replacement before investigating how the leak happened. Automated scrapers test leaked credentials within minutes of a public push; the investigation can wait, the key cannot.
- Audit access logs. Check whether the credential was used by anyone other than your team. AWS CloudTrail and GCP audit logs record which operations were performed with a given key, from which IP addresses, and when.
- Scrub git history. Use git filter-repo or BFG Repo Cleaner to remove the secret from every commit, then force-push and have collaborators re-clone. Forks, cached clones and the hosting provider's own caches may still contain the original, so scrubbing is hygiene, not a substitute for rotation.
- Add detection rules. Update your scanner configuration and pre-commit hooks to catch the specific pattern that slipped through, so the same class of secret is blocked next time.
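The audit step is the one most teams improvise, so here is an added example of how to triage it; this is the article editor's code, not Rafter's or AWS's. It takes CloudTrail records for one access key, splits them by whether the source IP falls inside networks you own, and summarises what the unknown caller did, including calls that were denied. The records and the trusted network are constructed: the key IDs are the placeholders from AWS documentation and the addresses come from the RFC 5737 documentation ranges.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

# Constructed CloudTrail-style records (not real log data). Field names follow
# the CloudTrail record format; values are invented for the example.
LEAKED_KEY = "AKIAIOSFODNN7EXAMPLE"
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T09:12:03Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "awsRegion": "eu-west-1", "sourceIPAddress": "198.51.100.20", "userAgent": "aws-cli/2.15.0",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot", "accessKeyId": LEAKED_KEY}},
    {"eventTime": "2024-05-01T14:02:11Z", "eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.77", "userAgent": "Boto3/1.34.0",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot", "accessKeyId": LEAKED_KEY}},
    {"eventTime": "2024-05-01T14:02:19Z", "eventSource": "iam.amazonaws.com", "eventName": "ListUsers",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.77", "userAgent": "Boto3/1.34.0",
     "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot", "accessKeyId": LEAKED_KEY}},
    {"eventTime": "2024-05-01T14:05:40Z", "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.77", "userAgent": "Boto3/1.34.0",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot", "accessKeyId": LEAKED_KEY}},
    {"eventTime": "2024-05-01T14:07:02Z", "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.20", "userAgent": "aws-cli/2.15.0",
     "userIdentity": {"type": "IAMUser", "userName": "backup-job", "accessKeyId": "AKIAI44QH8DHBEXAMPLE"}},
]

# Networks your own systems call AWS from (CI runners, office egress). Assumed.
TRUSTED_NETWORKS = ["198.51.100.0/24"]


@dataclass
class KeyAuditReport:
    access_key_id: str
    trusted_calls: Counter = field(default_factory=Counter)      # eventName -> count
    untrusted_calls: dict = field(default_factory=dict)          # source IP -> list of calls
    first_untrusted_use: Optional[str] = None
    denied_probes: int = 0

    @property
    def compromised(self) -> bool:
        return bool(self.untrusted_calls)


def audit_key_usage(events, access_key_id, trusted_networks) -> KeyAuditReport:
    """Partition every call made with one access key by whether it came from a trusted network."""
    trusted = [ipaddress.ip_network(n) for n in trusted_networks]
    report = KeyAuditReport(access_key_id)
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        if ev.get("userIdentity", {}).get("accessKeyId") != access_key_id:
            continue  # other keys are out of scope for this audit
        source = ev["sourceIPAddress"]
        try:
            from_trusted = any(ipaddress.ip_address(source) in net for net in trusted)
        except ValueError:
            # AWS services calling on your behalf appear as DNS names such as
            # "ec2.amazonaws.com"; leave them in the untrusted bucket for manual review.
            from_trusted = False
        if from_trusted:
            report.trusted_calls[ev["eventName"]] += 1
            continue
        report.first_untrusted_use = report.first_untrusted_use or ev["eventTime"]
        if ev.get("errorCode"):
            report.denied_probes += 1  # denied calls still show what the caller went looking for
        report.untrusted_calls.setdefault(source, []).append(
            {k: ev.get(k) for k in ("eventTime", "eventSource", "eventName", "awsRegion", "errorCode")}
        )
    return report


if __name__ == "__main__":
    r = audit_key_usage(SAMPLE_EVENTS, LEAKED_KEY, TRUSTED_NETWORKS)
    print(f"{r.access_key_id}: compromised={r.compromised}, first untrusted use {r.first_untrusted_use}")
    for ip, calls in r.untrusted_calls.items():
        summary = ", ".join(c["eventName"] + (f" ({c['errorCode']})" if c["errorCode"] else "") for c in calls)
        print(f"  {ip}: {summary}")
```

On the sample data the report shows one legitimate call from the CI range and three calls from 203.0.113.77 starting at 14:02:11, an identity check, a denied IAM enumeration attempt, and an EC2 launch in a region the key never used before, which is the shape of a key being tested and then spent. To feed real data in, pull the records with aws cloudtrail lookup-events using the AccessKeyId lookup attribute, or query your CloudTrail S3 archive for the key ID, and pass the resulting event list to audit_key_usage. The first untrusted timestamp bounds the exposure window; everything created after it (instances, users, keys) needs to be found and removed as part of the response.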