Secret management

What is sensitive information?

Sensitive information includes, but is not limited to:

  • credentials for logging into applications
  • access tokens for accessing API services
  • client information
  • invoices
  • salaries

How to handle sensitive information?

Never commit sensitive information to your code repositories, not even private ones: git history is copied to every clone, fork and backup, so a secret is exposed to anyone who ever had access. Keep secrets in a dedicated secret store (a vault) and have applications fetch them at runtime. If a secret has already been committed, treat it as compromised and rotate it; rewriting history removes it from your copy but not from clones, forks or caches that already contain it.

How do I know if there is sensitive information in my repository?

You can use tools such as truffleHog to scan your repository for accidentally committed sensitive data.

truffleHog searches through git repositories for secrets, digging deep into commit history and branches. Because it scans history rather than only the current working tree, it also finds secrets that were committed and later deleted, which is exactly how accidental leaks usually look.
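The following is an added example, not code from this page or from the truffleHog project. It shows the two detection techniques that history scanners of this kind rely on, written as a small stand-alone scanner: regular expressions for credential formats with a fixed shape, and a Shannon-entropy heuristic for random-looking strings. The pattern list, the entropy thresholds and the sample configuration are constructed for the example; none of the sample values are real credentials. The `scan_git_history` function is an assumption about how such a scanner walks history: it feeds every line ever added on any branch (`git log -p --all`) through the same text scanner, so a secret deleted from HEAD is still reported together with the commit that introduced it.

```python
"""Minimal truffleHog-style secret scanner: regexes for known credential
formats plus a Shannon-entropy heuristic for random-looking tokens."""
import math
import re
import subprocess
from collections import Counter
from dataclasses import dataclass

# Credential formats with a fixed, recognisable shape. Constructed sample
# rule set for this example, not an exhaustive list.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
}

BASE64_ALPHABET = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=")
HEX_ALPHABET = set("0123456789abcdefABCDEF")
MIN_TOKEN_LEN = 20       # shorter runs give unreliable entropy estimates
BASE64_THRESHOLD = 4.5   # bits per character; random base64 approaches 6.0
HEX_THRESHOLD = 3.0      # random hex approaches 4.0 (assumed thresholds)


@dataclass(frozen=True)
class Finding:
    line: int      # line within the scanned text (within the commit's added lines for history scans)
    kind: str
    token: str
    commit: str = ""


def shannon_entropy(s: str) -> float:
    """Bits per character, estimated from the string's own symbol frequencies."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def _runs(text: str, alphabet: set, min_len: int):
    """Yield maximal substrings of `text` drawn entirely from `alphabet`."""
    run = []
    for ch in text + " ":          # trailing space is a sentinel that flushes the last run
        if ch in alphabet:
            run.append(ch)
            continue
        if len(run) >= min_len:
            yield "".join(run)
        run = []


def scan_text(text: str, commit: str = ""):
    """Return all findings in `text`: regex hits first, then high-entropy runs."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in SECRET_PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append(Finding(lineno, kind, m.group(0), commit))
        for tok in _runs(line, BASE64_ALPHABET, MIN_TOKEN_LEN):
            if shannon_entropy(tok) > BASE64_THRESHOLD:
                findings.append(Finding(lineno, "high_entropy_base64", tok, commit))
        for tok in _runs(line, HEX_ALPHABET, MIN_TOKEN_LEN):
            if shannon_entropy(tok) > HEX_THRESHOLD:
                findings.append(Finding(lineno, "high_entropy_hex", tok, commit))
    return findings


def scan_git_history(repo_path: str):
    """Scan every line ever added on any branch of the repository at `repo_path`
    (requires git on PATH), so secrets later removed from HEAD are still found."""
    log = subprocess.run(
        ["git", "-C", repo_path, "log", "-p", "--all", "--no-color", "--format=commit %H"],
        capture_output=True, text=True, check=True,
    ).stdout
    findings, commit, added = [], "", []
    for line in log.splitlines() + ["commit END"]:   # sentinel flushes the last commit
        if line.startswith("commit "):
            findings.extend(scan_text("\n".join(added), commit))
            commit, added = line.split(" ", 1)[1], []
        elif line.startswith("+") and not line.startswith("+++"):
            added.append(line[1:])               # only lines the commit introduced
    return findings


# Constructed sample file for this example; none of these values are real credentials.
SAMPLE_CONFIG = """\
DB_HOST=db.internal.example
DOCS_URL=https://docs.example.internal/handbook/secrets
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
api_token = "ghp_000000000000000000000000000000000000"
SIGNING_SECRET="q7Lm2xZcVb9Yn4Kd0JpWs8HtGe1RfUa3"
WEBHOOK_SECRET: 0123456789abcdef0123456789abcdef
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_CONFIG):
        print(f"line {f.line}: {f.kind}: {f.token}")
```

Run on the sample, the scanner reports the AWS key and GitHub token by shape, the signing secret as a high-entropy base64 run and the webhook secret as a high-entropy hex run, while the hostname and URL on the first two lines stay below the thresholds. The all-zero GitHub token is caught only by its regex, which is why both techniques are needed: a regex misses unknown formats, and entropy alone misses structured or low-entropy secrets.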

Are accidental sensitive information leaks common?

Accidental leaks are common. shhgit finds committed secrets and sensitive files across GitHub, Gists, GitLab and BitBucket, or in your local repositories, in real time. See the live shhgit feed for accidentally committed sensitive information in public repositories.

Last edit: August 31, 2020