Links
This cheat sheet outlines effective ways to discover, validate, and protect API keys and credentials throughout your software development lifecycle. It includes practical examples, tips on ownership, and guidance on securing vaults without hindering development. It's a useful resource for teams looking to manage secrets more effectively.
A security engineer found over 17,000 exposed secrets in public GitLab repositories after scanning 5.6 million projects. The researcher used TruffleHog to identify sensitive data like API keys and tokens, discovering a higher secret density than previous scans on Bitbucket. Many organizations responded by revoking their compromised secrets.
Nosey Parker is a command-line interface (CLI) tool designed to detect secrets and sensitive information in various textual data, functioning similarly to a specialized grep. It is particularly useful for both offensive and defensive security testing, offering features like flexible scanning options, field-tested rules, and high-speed performance. The tool is integrated with several platforms and supports extensive customization through its rule-based system.
Azure DevOps is implementing a change where newly generated OAuth client secrets will only be displayed once at creation, enhancing security and aligning with industry best practices. The Get Registration Secret API will also be retired to prevent misuse, and users must adapt their workflows accordingly before September 2, 2025.
The article discusses a project where the author scanned all of GitHub's commits for leaked secrets, highlighting the importance of managing sensitive information in code repositories. The findings emphasize the potential risks developers face if they inadvertently expose secrets in their code. Additionally, the article offers insights into the tools and methods used for the scanning process.
Sharon Brizinov shares her experience of earning $64,350 through bug bounty hunting by automating the recovery of deleted files from public GitHub repositories. By scanning thousands of repositories for exposed API keys and credentials hidden in Git's history, she highlighted that seemingly deleted information can still expose security vulnerabilities that need to be addressed.
Hard-coded secrets in Docker images pose significant security risks, as they can be inadvertently leaked and exploited by attackers. A recent analysis of 15 million Docker images on DockerHub revealed over 100,000 valid secrets, many of which date back years, highlighting the need for organizations to regularly audit their Docker images to prevent potential breaches.