Practice vocabulary for secret scanning, credential leak prevention, git history scanning, and secret rotation workflows in DevSecOps.
1 / 5
What is 'secret scanning' in a DevSecOps context?
Secret scanning uses pattern matching and entropy analysis to detect accidentally committed secrets — API keys, database passwords, private keys, tokens — in code repositories. Tools include GitHub Secret Scanning, GitGuardian, TruffleHog, and detect-secrets. Early detection limits credential exposure by catching secrets before they reach public repositories.
2 / 5
What is a 'credential leak in git history' and why is it particularly serious?
Git stores the complete history of every file. Deleting a secret from the current branch does not remove it from prior commits — it remains accessible via git log, git show, or by checking out the old commit. Remediation requires rewriting history (git filter-branch, BFG Repo-Cleaner) AND immediately rotating the exposed credential, since the history may have already been cloned.
3 / 5
What is the difference between 'pre-commit scanning' and 'git history scanning'?
Pre-commit scanning (using tools such as the pre-commit framework with detect-secrets or gitleaks) runs as a git hook and blocks commits containing secrets before they enter the repository. Git history scanning (TruffleHog, GitGuardian, gitleaks) audits the entire commit history to find secrets that were committed in the past. The two are complementary: pre-commit scanning prevents new leaks; history scanning finds existing ones.
4 / 5
What does 'revoke and rotate' mean in the context of a leaked secret?
'Revoke and rotate' is the immediate response to a leaked credential: (1) revoke — invalidate the exposed secret with the issuer (e.g., delete an AWS IAM access key, revoke a GitHub personal access token) so it is immediately unusable; (2) rotate — generate a fresh credential and update all systems consuming it. Speed matters — assume the secret was used by an attacker from the moment of exposure.
5 / 5
What is 'secret lifecycle management'?
Secret lifecycle management covers every stage of a secret's life: creation (generating strong secrets), distribution (injecting via a vault, not env files), rotation (automated periodic re-issuance), auditing (logging access), and revocation (immediate invalidation when no longer needed or compromised). Tools like HashiCorp Vault, AWS Secrets Manager, and Azure Key Vault automate most of this lifecycle.