Secret Leak
The accidental exposure of a credential, API key, private key or password in source code, a git repository or a public-facing file.
In detail
A secret leak (or credential leak) occurs when a sensitive value such as an API key, database password, private certificate, signing secret or OAuth client secret ends up in a location where it is accessible to unintended parties. Common vectors include committing a .env file to a public git repository, including secrets in client-side JavaScript bundles, shipping source maps that contain secrets, logging secrets to application logs, and hardcoding secrets in configuration files. Once a secret is committed to a public repository, scanners like TruffleHog and GitHub's secret scanning detect it within seconds. Deleting the commit afterwards does not undo that exposure, so rotating and revoking the secret is the only remedy.
Why it matters for Australian business
Secret leaks are one of the fastest paths from a newly deployed Australian app to a costly incident. A leaked OpenAI key can result in tens of thousands of dollars in charges before the breach is detected. A leaked Stripe key gives the attacker access to payment data and charge capabilities. We include secret scanning in every code audit and train development teams to use pre-commit hooks and secret manager integrations so secrets are never written to source files in the first place.
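As an added example (not this page's code, nor that of TruffleHog or any other real scanner), here is the kind of check a pre-commit hook runs over a staged .env file to stop the leak vectors described above before the commit exists: pattern matches for a few well-known key formats plus an entropy test on credential-looking assignments. The key-format regexes are simplified approximations, and every value in the sample file is constructed and fake.

```python
import math
import re
from collections import Counter

# Assumption: simplified shapes of well-known key formats; real scanners
# maintain far larger, versioned pattern sets.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "stripe_live_secret": re.compile(r"\bsk_live_[0-9A-Za-z]{24,}\b"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}
# .env-style KEY=value lines whose variable name suggests a credential.
ASSIGNMENT = re.compile(
    r"^\s*([A-Z0-9_]*(SECRET|PASSWORD|TOKEN|API_KEY)[A-Z0-9_]*)\s*=\s*['\"]?([^'\"\s]+)"
)

def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking credentials score high."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def scan_text(text: str, entropy_threshold: float = 3.5):
    """Return (line_no, rule, match) for every suspected secret in text."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        for rule, pat in PATTERNS.items():
            for m in pat.finditer(line):
                findings.append((no, rule, m.group(0)))
        m = ASSIGNMENT.match(line)
        if m:
            name, value = m.group(1), m.group(3)
            # Skip ${VAR} references (secret manager/environment) and short placeholders.
            if (not value.startswith("${") and len(value) >= 16
                    and shannon_entropy(value) >= entropy_threshold):
                findings.append((no, "high_entropy_assignment", name))
    return findings

# Constructed sample of a .env file about to be committed (all values fake).
SAMPLE_ENV = """\
APP_NAME=example
DATABASE_PASSWORD=${DATABASE_PASSWORD}
STRIPE_SECRET_KEY=sk_live_FAKE0000000000000000abcd
AWS_ACCESS_KEY_ID=AKIAFAKEFAKEFAKEFAKE
JWT_SIGNING_SECRET=q8Zp3Lm9Xv2Rt7Kw4Hn6Jd1Fb5Gc0Ys
SESSION_SECRET=changeme
"""

if __name__ == "__main__":
    for finding in scan_text(SAMPLE_ENV):
        print("blocked:", finding)
```

A hook wired to `git commit` would exit non-zero whenever `scan_text` returns anything; the `${VAR}` reference and the short placeholder pass, which is the shape a secret-manager integration leaves in source files.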