Risks
Understanding how secrets get compromised helps you build better defenses.
| Threat | Description | Mitigation |
|---|---|---|
| Secrets in source code | Credentials committed to Git repositories, including in history | Pre-commit hooks, secret scanning, .gitignore |
| Secrets sprawl | Secrets duplicated across config files, CI tools, wikis, and Slack | Centralized vault, secret references instead of values |
| Overprivileged access | Services or users with access to more secrets than needed | Least-privilege policies, regular access reviews |
| Stale credentials | Long-lived secrets that haven't been rotated in months or years | Automatic rotation, short TTLs, dynamic secrets |
| Insider threats | Employees or contractors misusing credential access | Audit logging, access reviews, just-in-time access |
| Supply chain attacks | Compromised dependencies or build tools exfiltrating secrets | Isolated build environments, minimal secret exposure |
| Log exposure | Secrets accidentally printed in application logs or error messages | Log scrubbing, secret masking, structured logging |
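The "Log exposure" row above is the one most teams can fix in application code. The following is an added example, not part of this page, showing a `logging.Filter` that masks common credential shapes before any handler writes them; the regexes, the `SecretScrubFilter` name and the sample messages are constructed for illustration, and the AWS key used is AWS's own documented placeholder key.

```python
import io
import logging
import re

# Credential shapes worth masking (constructed list, not exhaustive): order matters,
# since later patterns run over text already rewritten by earlier ones.
SECRET_PATTERNS = [
    # AWS access key id: "AKIA" followed by 16 upper-case alphanumerics
    (re.compile(r"\bAKIA[0-9A-Z]{16}\b"), "[REDACTED_AWS_KEY]"),
    # Bearer tokens, e.g. from a logged Authorization header
    (re.compile(r"(?i)(bearer\s+)[A-Za-z0-9\-._~+/]+=*"), r"\1[REDACTED_TOKEN]"),
    # key=value / key: value / "key": "value" pairs whose key looks sensitive
    (re.compile(r"""(?i)\b(password|passwd|secret|api[_-]?key|token)(["']?\s*[=:]\s*["']?)[^\s,;&"']+"""),
     r"\1\2[REDACTED]"),
    # credentials embedded in URLs: scheme://user:password@host
    (re.compile(r"(://[^/\s:@]+:)[^@\s]+(@)"), r"\1[REDACTED]\2"),
]


def scrub(text: str) -> str:
    """Return text with every recognised secret replaced by a fixed marker."""
    for pattern, replacement in SECRET_PATTERNS:
        text = pattern.sub(replacement, text)
    return text


class SecretScrubFilter(logging.Filter):
    """Formats the record once, scrubs it, and stores the result as a plain message."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = scrub(record.getMessage())
        record.args = ()  # message is already fully formatted
        return True  # keep the record, only its text changed


def demo_logger_output() -> list[str]:
    """Run two constructed messages through a logger with the filter and return the lines."""
    stream = io.StringIO()
    logger = logging.getLogger("secrets-demo")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(SecretScrubFilter())  # on the handler, so propagated records are covered too
    logger.addHandler(handler)
    logger.info("db connect failed: password=%s user=%s", "hunter2", "alice")
    logger.info("upstream rejected request with Authorization: Bearer %s", "eyJhbGciOiJIUzI1NiJ9.p.s")
    return stream.getvalue().splitlines()
```

Attach the filter to handlers rather than loggers: a filter on a logger only sees records logged directly on it, not those propagated from child loggers. Pattern-based masking is a safety net for the cases the table lists, not a substitute for never passing secrets to the logger in the first place.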