Secrets in Version Control
detect, rotate, revoke, verify

What are secrets in version control?

Secrets in version control is the exposure of credentials through the repository as a system, not through a single line of source code. The credential may have been committed once and reverted, embedded in a configuration file deleted three years ago, captured in a pull request diff that lives on the provider forever, or pushed by mistake to a fork that the developer never owned in the first place. The canonical CWE references are CWE-540 (Inclusion of Sensitive Information in Source Code), CWE-538 (Insertion of Sensitive Information into Externally-Accessible File or Directory), and CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). OWASP catalogues the category under A07:2021 Identification and Authentication Failures because the operational consequence is the same as a stolen password: an attacker has a working credential the application accepts.

The distinction between this page and hardcoded secrets (CWE-798) is the surface of exposure. Hardcoded secrets is a build-time SAST finding: the secret is present in the current working tree and a code scanner sees it on the next run. Secrets in version control is a repository-system exposure: the secret has been written to durable history (the commit log, the pull request diff, the cached fork, the build artefact, the container image, the search index of a public host) and the next code scan against the working tree may report nothing while the credential is still recoverable. The two often co-occur, but the remediation paths diverge sharply. A working-tree fix closes hardcoded secrets; only rotation at the issuing system plus revocation of the old value closes the version-control exposure.

Treat every detection in version control as a live credential under attack until the rotation, revocation, and verification have completed. Automated scanners scrape public commits on GitHub, GitLab, Bitbucket, and Gitea in near real time, often picking up leaked credentials within minutes of the push. Even private repositories are not safe: a compromised developer account, a leaked backup, an unintended fork, an over-permissioned CI runner, or a misconfigured public mirror are all routine paths from private commit to attacker-controlled access.

How secrets reach version control

The committed-and-pushed path is the obvious one, but most enterprise programmes find that the harder leaks come from history-resident artefacts and downstream replicas that survive a working-tree cleanup. The pattern is always the same: a credential becomes part of a durable artefact the development workflow keeps around, and the original developer no longer has unilateral control over where the artefact lives.

Common causes

How to detect it

Detection has to cover the working tree, the commit history, the pull request diffs, and the downstream replicas. A single scanner against the working tree will miss the most common enterprise pattern: a secret that was committed, deleted, and is still recoverable from history. Pair the working-tree code scan with a history sweep, provider-side scanning where it is available, and pre-commit controls that stop the next leak before it lands.

Detection is the first state event in the workflow, not the end of it. For the operating discipline that turns a Semgrep detection into a verified closure (triage, rotate at the issuing system, revoke the old value, clean the working tree, decide on a history rewrite, and re-scan the cleaned branch), read the secret scanning remediation workflow.

How to fix it

How SecPortal records and tracks the leak

SecPortal is the workspace where the secret-leak finding lands as a structured record alongside scanner findings, pentest findings, and audit findings. The platform does not rotate cloud IAM credentials for you, does not revoke third-party API keys, does not ship a secrets manager, and does not push a force-rewrite to your repository. What it does is hold the operating record so the rotation, revocation, cleanup, and verification become state events the next auditor and the next CISO can read end to end.

SecPortal does not ship a secrets manager, does not federate workload identity, does not push history rewrites, does not revoke credentials at the cloud provider, and does not ingest GitHub Advanced Security or GitLab secret-detection findings through a vendor integration. The leak still has to be resolved at the issuing system and in the repository through the team or tools that own those surfaces. SecPortal carries the operating record across those tools so the closure is verifiable rather than implied.

Related vulnerabilities and recommended reading

Version-control credential exposure sits inside the wider authentication and information-disclosure family. The pages below cover the adjacent vulnerability categories, the frameworks that name the controls the leak violates, and the SecPortal workflows that carry the operating record across detection, rotation, revocation, and verification.

• Hardcoded secrets the build-time SAST companion that catches secrets present in the working tree, distinct from the repository-history exposure this page covers.
• Sensitive data exposure the wider OWASP category for unintentional exposure of sensitive information, of which credential leakage through a repository is one routine pattern.
• Information disclosure the umbrella category that captures any unintended leak of information through an externally-accessible artefact.
• Default credentials the adjacent authentication failure where the credential is recoverable from public documentation rather than from a private repository.
• Broken authentication the broader category that covers any failure of the authentication mechanism, of which an attacker holding a working credential is the worst-case outcome.
• Insecure design the upstream design-stage failure when a system was built around static long-lived credentials rather than short-lived federated identity.
• Code scanning the SecPortal feature that runs Semgrep with the p/secrets ruleset against the connected repository on every scan.
• Repository connections the SecPortal capability that connects GitHub, GitLab, and Bitbucket via OAuth so the code scanner has read access to the working tree.
• Findings management the operating record that carries the CWE, CVSS, severity, owner, evidence, and state transitions for every leaked-credential finding.
• Finding overrides the override mechanism that captures documentation samples and known-safe placeholders as false positives with a written rationale.
• Secret scanning remediation workflow the operating discipline that turns a Semgrep detection into a verified closure through rotate, revoke, cleanup, and re-scan.
• Code review the engagement shape that pairs SAST and human review on the same engagement record so leaked-credential findings travel alongside design-level findings.
• DevSecOps scanning the SDLC-embedded scanning discipline that puts code scanning, including p/secrets, alongside dependency and DAST scanning on the same engagement.
• Incident response the engagement shape for leaks that crossed the threshold from candidate finding to confirmed compromise and now need full incident handling.
• OWASP ASVS the verification standard whose Authentication and Secret Management chapters name the controls a leaked-credential finding violates.
• NIST SSDF the Secure Software Development Framework with PW.4 and PW.6 practices for protecting software, including managing credentials in code and build pipelines.
• SecPortal for AppSec teams the audience overview for the teams that own secret scanning, rotation governance, and the closure record across the application portfolio.
• SecPortal for product security teams the audience overview for product security organisations that pair secret-leak response with the engineering and product organisations that issued the credential.

Compliance impact