Day 3 of 60 · Static analysis & type-time
Secret scanning
Automated scanners watch public repositories and pick up a leaked AWS key within minutes; somebody is mining crypto on your dime before you have read the push notification. A private remote, an internal Azure Repos project or a mirror only delays the same outcome. Pre-commit scanning blocks the leak before it leaves the developer's laptop, so the key never has to be rotated.
Problem
API keys, tokens, and passwords accidentally committed to source control.
How it works
A pattern-based scanner runs as a pre-commit hook (gitleaks' `protect --staged` mode, for example) and again in CI on every push. It matches the staged diff against rules for known credential formats (AWS access key IDs, GitHub tokens, private-key headers) plus a generic high-entropy check, and exits non-zero, blocking the commit, when a secret-shaped string appears in an added line. The CI run is the backstop for developers who never installed the hook. Neither pass sees secrets already in history, so run one full history scan when you adopt the tool and rotate anything it finds.
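The mechanism above, as an added example rather than gitleaks or TruffleHog code: a small scanner that reads only the added lines of a unified diff (what a pre-commit hook gets from `git diff --cached`), applies rules for two well-known credential formats, filters a generic `key = "value"` rule with a Shannon-entropy floor, and honours an allowlist of documented placeholder values. The sample diff, the key values in it, the rule names and the 3.5 bits-per-character threshold are all constructed for the example; the only real identifier is AWS's documented example key `AKIAIOSFODNN7EXAMPLE`, used here to show why an allowlist is needed.

```python
"""Minimal pattern-plus-entropy secret scanner over a staged diff (example code)."""
import math
import re
from dataclasses import dataclass

# Rules for credential formats with a fixed, recognisable shape. AKIA... is the
# AWS access key ID prefix, ghp_ the GitHub classic PAT prefix. The generic rule
# catches `password = "..."` style assignments and is filtered by entropy below.
PATTERNS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github-pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "generic-assignment": re.compile(
        r"(?i)(secret|password|passwd|token|api[_-]?key)\s*[:=]\s*['\"]([^'\"]{16,})['\"]"
    ),
}

# Placeholder values that must never block a commit. This one is the example
# access key from AWS's own documentation.
ALLOWLIST = {"AKIAIOSFODNN7EXAMPLE"}

# Generic matches below this many bits per character read as prose, not a key
# (threshold chosen for this example; tune it against your own false positives).
MIN_ENTROPY = 3.5


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character: the usual 'does this look random' heuristic."""
    if not s:
        return 0.0
    n = len(s)
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


@dataclass(frozen=True)
class Finding:
    rule: str
    file: str
    line: int   # line number in the new version of the file
    secret: str


def scan_diff(diff: str) -> list[Finding]:
    """Scan only added lines of a unified diff; removed and context lines are ignored."""
    findings: list[Finding] = []
    seen: set[tuple[str, int, str]] = set()   # the specific rule wins over the generic one
    current_file = ""
    new_line_no = 0
    for raw in diff.splitlines():
        if raw.startswith(("diff ", "index ", "--- ", "\\")):
            continue
        if raw.startswith("+++ "):
            current_file = raw[4:].removeprefix("b/")
            continue
        hunk = re.match(r"@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@", raw)
        if hunk:
            new_line_no = int(hunk.group(1)) - 1
            continue
        if raw.startswith("-"):
            continue                      # removed line: not in the new tree
        new_line_no += 1                  # context and added lines both advance the new file
        if not raw.startswith("+"):
            continue
        for rule, pattern in PATTERNS.items():
            for match in pattern.finditer(raw[1:]):
                secret = match.group(match.lastindex or 0)
                key = (current_file, new_line_no, secret)
                if secret in ALLOWLIST or key in seen:
                    continue
                if rule == "generic-assignment" and shannon_entropy(secret) < MIN_ENTROPY:
                    continue
                seen.add(key)
                findings.append(Finding(rule, current_file, new_line_no, secret))
    return findings


# Constructed staged diff: one real-shaped AWS key ID, one GitHub PAT, the AWS
# documentation placeholder, a low-entropy dummy password, and a random token.
SAMPLE_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -10,3 +10,7 @@
 ALLOWED_HOSTS = ["example.internal"]
-AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]
+AWS_ACCESS_KEY_ID = "AKIAEXAMPLE000000000"
+GITHUB_TOKEN = "ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij"
+DOCS_EXAMPLE_KEY = "AKIAIOSFODNN7EXAMPLE"
+DB_PASSWORD = "not a real password"
+API_TOKEN = "q7Fz9kL2mXp4Rt8vWy3nBc6hJd1gKs5e"
 DEBUG = False
"""


if __name__ == "__main__":
    # A hook would feed `git diff --cached` here and block the commit on exit 1.
    results = scan_diff(SAMPLE_DIFF)
    for f in results:
        print(f"{f.file}:{f.line}: {f.rule}")
    raise SystemExit(1 if results else 0)
```

Three findings come back: the AWS key ID on line 11, the PAT on line 12 (reported once, by the specific rule, even though the generic rule also matches it) and the random token on line 15. The documentation key is allowlisted and the dummy password fails the entropy floor, which is the same trade-off the real tools make: every rule you loosen buys recall at the cost of developers learning to bypass the hook.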
What it catches
Credential leaks before they reach a remote. The damage from a single leaked production AWS key outruns the technique's lifetime cost within minutes.
Tools
Gitleaks (OSS) · TruffleHog (OSS) · GitHub Secret Scanning (SaaS)
Verdict by project size
| Small | Medium | Large | Extra-large |
|---|---|---|---|
| Must | Must | Must | Must |
Cost
| Project size | Setup | Maint / mo | Tool / mo | CI / run |
|---|---|---|---|---|
| Small <10k LOC | 2h | 0.25h | $0 | +0.25m |
| Medium 10–100k LOC | 4h | 1h | $0 | +0.5m |
| Large 100k–1M LOC | 2d | 5h | $0 | +1m |
| Extra-large >1M LOC | 5d | 20h | $0 | +2m |
Setup = engineer time (hours or days) to first useful run ·
Maint = engineer-hours per month at steady state ·
Tool = out-of-pocket $ per month ·
CI = minutes added (or saved) per pipeline run
Lifecycle & ownership
When in lifecycle
Code · Build
Pre-commit / IDE · Runs locally before code leaves the developer's machine.
Who owns it
Security / AppSec
SAST, DAST, threat modelling
Collaborates with: Security / AppSec
Reference implementations
- Gitleaks: pre-commit and CI secret scanning with rule-based detection.
- TruffleHog: secret discovery with verification support across git, filesystems, and cloud sources.
- detect-secrets: baseline-driven secret scanning workflow for reducing noisy findings.
Quick check
Why is pre-commit secret scanning higher leverage than post-merge scanning?