DevOps Security

The Silent Killer of CI/CD: Hardcoded Secrets in Supply Chains

Secret Pusher Team
6 min read

// config/database.js
const config = {
  host: 'db.prod.internal',
  user: 'admin',
  password: 'super_secret_password_123',
  // ^ NEVER DO THIS
};

It takes only one commit to compromise an entire infrastructure. Hardcoded secrets—API keys, database credentials, and encryption tokens embedded directly into source code—are the most common entry point for supply chain attacks.

Why Git Never Forgets

Version control systems like Git are designed to preserve history. This is great for code, but catastrophic for secrets.

  • Deleting the file in a later commit does not remove the secret from history; anyone who clones the repository can still read it.
  • Bots scan public GitHub repositories within seconds of a push, looking for high-entropy strings (such as AWS keys).

The `.env` Dilemma

The standard practice is to use .env files and add them to .gitignore. This is correct. However, the problem only shifts: how do you get the `.env` file to a new developer or a production server?

This is the "Secret Transfer Gap." Developers often resort to insecure methods to bridge this gap:

  • Emailing the .env file (insecure, stored in sent items).
  • Sending it via Slack (persistent, searchable).
  • Committing it "just for a second" (leaked forever).

Secure Your Onboarding

When onboarding a new team member, never send the entire .env file over a chat app. Instead, break it down or send the file securely using an encrypted, ephemeral transfer service.

1. Upload: Paste your .env content into Secret Pusher.
2. Link: Send the generated one-time link to your new developer via Slack or Email.
3. Vanish: Once they copy the variables, the link dies. The secret is gone from the transport layer.

The Lifecycle of a Leak

Minute 0: The Commit

A developer accidentally commits a `.env` file containing AWS keys.

Minute 1: The Scan

GitHub scrapers and bots detect the high-entropy string immediately.

Minute 5: The Attack

Automated scripts spin up max-size EC2 instances for crypto mining.

Defense Strategy: Pre-commit Hooks

The best way to stop a leak is to prevent the commit from happening in the first place. Use tools like TruffleHog or GitLeaks.

.pre-commit-config.yaml Security Hook

repos:
  - repo: https://github.com/trufflesecurity/truffleHog.git
    rev: v3.29.0
    hooks:
      - id: truffleHog
        args: [--max_depth=10, --fail_on_findings]
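To show what such a hook actually does before the commit lands in history, here is a minimal secret scanner added as an example (not code from this post, TruffleHog or GitLeaks). It reads the staged diff, flags added lines that match a known credential format (the AWS access key ID prefix) or a password-style assignment, falls back to a Shannon-entropy heuristic for opaque tokens, and exits non-zero so git aborts the commit; the entropy threshold, the pattern names and the sample diff are assumptions constructed for the example.

```python
import math, re, subprocess, sys

# Detectors (deliberately short; trufflehog/gitleaks ship hundreds).
# AWS access key IDs are "AKIA" followed by 16 uppercase alphanumerics.
KNOWN_PATTERNS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "password-assignment": re.compile(
        r"(?i)\b(password|passwd|secret|api[_-]?key)\b\s*[:=]\s*['\"][^'\"]{8,}['\"]"),
}
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=_\-]{20,}")  # candidate opaque tokens
ENTROPY_THRESHOLD = 4.0  # bits per char; an assumed cut-off, tune per repo

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character (random base64 is near 6, prose near 4)."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def scan_diff(diff_text: str) -> list:
    """Return (reason, line) pairs for added lines that look like secrets."""
    findings = []
    for line in diff_text.splitlines():
        if not line.startswith("+") or line.startswith("+++"):
            continue  # only added lines can introduce a new secret
        body = line[1:].strip()
        for name, pat in KNOWN_PATTERNS.items():
            if pat.search(body):
                findings.append((name, body))
                break
        else:  # no known format matched: fall back to the entropy heuristic
            if any(shannon_entropy(t) >= ENTROPY_THRESHOLD for t in TOKEN_RE.findall(body)):
                findings.append(("high-entropy-token", body))
    return findings

# Constructed sample diff; the AWS values are AWS's published doc placeholders.
SAMPLE_DIFF = """\
+const config = {
+  host: 'db.prod.internal',
+  password: 'super_secret_password_123',
+  awsKey: 'AKIAIOSFODNN7EXAMPLE',
+  awsSecret: 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY',
+};
"""

def main() -> int:  # scan the staged diff; a non-zero exit makes git abort the commit
    diff = subprocess.run(["git", "diff", "--cached", "--unified=0"], capture_output=True, text=True).stdout
    findings = scan_diff(diff)
    for reason, body in findings:
        print(f"blocked ({reason}): {body}", file=sys.stderr)
    return 1 if findings else 0

if __name__ == "__main__":
    sys.exit(main())
```

Note that the low-entropy password in the sample is caught only by the assignment pattern, not by the entropy check, which is why real scanners combine both kinds of detector.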

Best Practices Checklist

  • Use Pre-commit Hooks: Tools like trufflehog or git-secrets can block commits that contain strings matching regex patterns for API keys.
  • Rotate Leaked Keys Immediately: If a secret hits a repo, consider it compromised. Revoke it and issue a new one.
  • Secure Transfer: Never use Slack or Email as permanent storage for secrets. Use ephemeral links.

Protect Your Environment

Share environment variables securely without risking a git leak.
