Secrets Never In Source
Secrets (API keys, database passwords, private keys, OAuth client secrets, service account credentials) must NEVER appear in source code, committed to version control, or embedded in build artifacts.…
$ prime install @community/rule-secrets-never-in-source
Projection
Always in _index.xml · the agent never has to ask for this.
SecretsNeverInSource [rule] v1.0.0
Secrets (API keys, database passwords, private keys, OAuth client secrets, service account credentials) must NEVER appear in source code, committed to version control, or embedded in build artifacts. All secrets must be injected at runtime via environment variables from a secrets manager (AWS Secrets Manager, HashiCorp Vault, GCP Secret Manager, Doppler) or a CI/CD secrets store. This applies to test credentials, staging secrets, and internal tools — not just production.
Loaded when retrieval picks the atom as adjacent / supporting.
SecretsNeverInSource [rule] v1.0.0
Secrets (API keys, database passwords, private keys, OAuth client secrets, service account credentials) must NEVER appear in source code, committed to version control, or embedded in build artifacts. All secrets must be injected at runtime via environment variables from a secrets manager (AWS Secrets Manager, HashiCorp Vault, GCP Secret Manager, Doppler) or a CI/CD secrets store. This applies to test credentials, staging secrets, and internal tools — not just production.
Applies To
- Database connection strings and passwords
- Cloud provider API keys (AWS_ACCESS_KEY_ID, GCP service account JSON)
- Third-party service keys (Stripe sk_live_, Twilio AuthToken, SendGrid API key)
- Private TLS/SSH/PGP keys and certificates
- .env files committed to repository (should be in .gitignore)
- Hardcoded tokens in test fixtures, seed scripts, or CI config comments
- Docker build ARGs that get baked into image layers
Counter Examples
- Uber 2016: AWS credentials hardcoded in a GitHub repository; attackers used them to access an S3 bucket containing a backup of 57M user records — total breach cost estimated at $148M settlement.
- Docker image with `ENV DATABASE_PASSWORD=prod_secret_123` in Dockerfile — secret baked into every layer; visible via `docker history`, `docker inspect`, and the image registry API.
- Twilio 2022: Okta phishing led to attacker accessing Twilio's internal tooling; separately, exposed GitHub repos of contractors contained API keys in test scripts — hardcoded test credentials provided lateral movement path.
Loaded when retrieval picks the atom as a focal / direct hit.
SecretsNeverInSource [rule] v1.0.0
Secrets (API keys, database passwords, private keys, OAuth client secrets, service account credentials) must NEVER appear in source code, committed to version control, or embedded in build artifacts. All secrets must be injected at runtime via environment variables from a secrets manager (AWS Secrets Manager, HashiCorp Vault, GCP Secret Manager, Doppler) or a CI/CD secrets store. This applies to test credentials, staging secrets, and internal tools — not just production.
Applies To
- Database connection strings and passwords
- Cloud provider API keys (AWS_ACCESS_KEY_ID, GCP service account JSON)
- Third-party service keys (Stripe sk_live_, Twilio AuthToken, SendGrid API key)
- Private TLS/SSH/PGP keys and certificates
- .env files committed to repository (should be in .gitignore)
- Hardcoded tokens in test fixtures, seed scripts, or CI config comments
- Docker build ARGs that get baked into image layers
Counter Examples
- Uber 2016: AWS credentials hardcoded in a GitHub repository; attackers used them to access an S3 bucket containing a backup of 57M user records — total breach cost estimated at $148M settlement.
- Docker image with `ENV DATABASE_PASSWORD=prod_secret_123` in Dockerfile — secret baked into every layer; visible via `docker history`, `docker inspect`, and the image registry API.
- Twilio 2022: Okta phishing led to attacker accessing Twilio's internal tooling; separately, exposed GitHub repos of contractors contained API keys in test scripts — hardcoded test credentials provided lateral movement path.
Examples
- GitHub Actions secrets: stored encrypted at org/repo level, injected as `${{ secrets.DATABASE_URL }}` — never appear in logs (masked), never in workflow YAML committed to repo.
- HashiCorp Vault + Kubernetes: Vault Agent Injector writes secrets to the pod's /secrets/ tmpfs volume at runtime — pods never have secrets in their spec or image.
- AWS Secrets Manager + Lambda: `boto3.client('secretsmanager').get_secret_value(SecretId='prod/db/password')` at cold-start, cached in memory — key not in environment or code.
- GitLeaks pre-commit hook: `gitleaks protect --staged` blocks commits containing detected secrets before they reach the repository — fails with the matched pattern and line number.
- Doppler CLI: `doppler run -- node server.js` — injects secrets as environment variables at process start; zero secrets in the codebase or .env files.
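The runtime-injection pattern the examples above share (secret present in the process environment at start, read once, cached, masked in logs), as an added example in Python. This is not code from the prime atom, Doppler, GitHub Actions or AWS; the `Secret` wrapper, `get_secret`, `mask` and `MaskSecretsFilter` names and the sample `DATABASE_URL` value are this example's own assumptions.

```python
"""Runtime secret injection: load once at process start, fail closed, never print.

Added example, not code from the prime atom or from Doppler/GitHub Actions: it
models the pattern described under Examples. The process expects the secret to
be present in its environment (placed there by `doppler run -- ...`, a CI
secrets store or a Vault agent); it caches the value in memory for the life of
the process and masks it in anything that gets logged, as CI log masking does.
"""
import logging
import os
from typing import Mapping, Optional


class MissingSecret(RuntimeError):
    """The process started without a secret it needs; deployment bug, fail closed."""


class Secret:
    """Holds a secret value but never exposes it through str(), repr() or f-strings."""

    __slots__ = ("_value",)

    def __init__(self, value: str) -> None:
        self._value = value

    def reveal(self) -> str:
        # The single, greppable way to obtain the raw value.
        return self._value

    def __repr__(self) -> str:
        return "Secret('***')"

    __str__ = __repr__


_CACHE: dict[str, Secret] = {}


def get_secret(name: str, env: Optional[Mapping[str, str]] = None) -> Secret:
    """Return the named secret, reading the environment only on first use.

    `env` defaults to os.environ; it is a parameter so tests can pass a mapping.
    There is intentionally no default-value argument: a literal fallback is
    exactly the hardcoded secret this rule forbids.
    """
    if name in _CACHE:
        return _CACHE[name]
    source = os.environ if env is None else env
    value = source.get(name)
    if not value:
        raise MissingSecret(f"required secret {name!r} was not injected into the environment")
    _CACHE[name] = Secret(value)
    return _CACHE[name]


def mask(text: str, secrets) -> str:
    """Replace every known secret value in text with '***'."""
    for s in secrets:
        raw = s.reveal()
        if raw:
            text = text.replace(raw, "***")
    return text


class MaskSecretsFilter(logging.Filter):
    """Logging filter that masks known secrets; attach it to a handler so it
    also covers records propagated from child loggers."""

    def __init__(self, secrets) -> None:
        super().__init__()
        self._secrets = list(secrets)

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = mask(record.getMessage(), self._secrets)
        record.args = ()
        return True


if __name__ == "__main__":
    # Constructed sample value for a local run; in deployment the environment
    # is populated before start, e.g. `doppler run -- python app.py`.
    os.environ.setdefault("DATABASE_URL", "postgres://app:hunter2@db:5432/app")
    handler = logging.StreamHandler()
    handler.addFilter(MaskSecretsFilter([get_secret("DATABASE_URL")]))
    logging.basicConfig(level=logging.INFO, handlers=[handler])
    logging.info("connecting with %s", get_secret("DATABASE_URL").reveal())  # logs ***
    print(get_secret("DATABASE_URL"))  # Secret('***')
```

The filter sits on the handler rather than the root logger because logger-level filters do not apply to records propagated from child loggers; the wrapper's `reveal()` keeps every place the raw value is used visible to code review.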
Rationale
Git history is permanent — even a secret committed and immediately reverted remains in the reflog and in any clone made during the window. Public repositories are scanned continuously by automated tools (TruffleHog, GitLeaks, GitHub secret scanning, credential-hunting bots) that detect and exploit secrets within minutes of commit. In 2022, researchers found 6 million secrets in public GitHub repos; average time-to-exploit for AWS keys was 1.5 minutes.
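Because a committed secret cannot be un-published, the check has to run before the commit exists. The following added example (not the prime atom's code and not gitleaks itself) shows the kind of staged-content scan that `gitleaks protect --staged` performs, covering the secret classes listed under "Applies To": it reports rule and line number, redacts the match so the scanner's own output does not leak the value into CI logs, and returns non-zero so a hook can block the commit. The rule patterns, the `REFERENCE_PREFIXES` heuristic and the `SAMPLE_FILES` contents are constructed for this example; `AKIAIOSFODNN7EXAMPLE` is AWS's published example key id.

```python
"""Pre-commit secret scan over staged file contents.

Added example, not the prime atom's own code and not gitleaks: it shows the
kind of check `gitleaks protect --staged` performs (refuse the commit, report
rule and line number) for the secret classes listed under "Applies To". The
rule patterns and sample files below are constructed for this example.
"""
import re
import subprocess
import sys
from dataclasses import dataclass

RULES = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("stripe-live-secret-key", re.compile(r"\bsk_live_[0-9A-Za-z]{16,}\b")),
    ("private-key-block",
     re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH |PGP )?PRIVATE KEY(?: BLOCK)?-----")),
    # NAME=value / NAME: value where NAME looks credential-like and value is a literal.
    ("hardcoded-credential-assignment", re.compile(
        r"(?i)\b[A-Z0-9_]*(?:password|passwd|secret|token|api[_-]?key)\b"
        r"\s*[=:]\s*['\"]?(?P<val>[^\s'\"$]{8,})")),
]
# Values that are references to runtime injection, not literals (heuristic).
REFERENCE_PREFIXES = ("os.", "process.", "env.", "secrets.", "vault:", "{{")
FORBIDDEN_FILENAMES = (".env",)


@dataclass
class Finding:
    path: str
    line: int       # 1-based; 0 means the whole file is the problem
    rule: str
    preview: str    # redacted: first 4 chars of the match only


def _redact(match: str) -> str:
    return match[:4] + "*" * max(len(match) - 4, 0)


def scan_text(path: str, text: str) -> list[Finding]:
    """Scan one file's content; never returns the full matched value."""
    findings = []
    if path.split("/")[-1] in FORBIDDEN_FILENAMES:
        findings.append(Finding(path, 0, "dotenv-file-committed", ""))
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES:
            for m in pattern.finditer(line):
                val = m.groupdict().get("val") or m.group(0)
                if rule == "hardcoded-credential-assignment" and \
                        val.lower().startswith(REFERENCE_PREFIXES):
                    continue  # e.g. password = os.environ["DB_PASSWORD"]
                findings.append(Finding(path, lineno, rule, _redact(val)))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    out = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


def staged_files() -> dict[str, str]:
    """Read staged blobs from the git index (what the commit would contain)."""
    names = subprocess.run(["git", "diff", "--cached", "--name-only", "--diff-filter=ACM"],
                           capture_output=True, text=True, check=True).stdout.split()
    return {n: subprocess.run(["git", "show", f":{n}"], capture_output=True,
                              text=True, check=True).stdout for n in names}


# Constructed sample tree: one offender per secret class plus two safe files.
SAMPLE_FILES = {
    "Dockerfile": "FROM python:3.12\nENV DATABASE_PASSWORD=prod_secret_123\n",
    "scripts/seed.py": (
        "import os\n"
        "db_password = os.environ['DB_PASSWORD']  # injected at runtime, fine\n"
        "AWS_KEY = 'AKIAIOSFODNN7EXAMPLE'  # AWS documentation example key id\n"
    ),
    "deploy/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXkt...\n",
    ".github/workflows/ci.yml": "env:\n  DATABASE_URL: ${{ secrets.DATABASE_URL }}\n",
    ".env": "STRIPE_KEY=sk_live_0000EXAMPLE0000EXAMPLE00\n",
}


def main(argv: list[str]) -> int:
    files = staged_files() if "--staged" in argv else SAMPLE_FILES
    findings = scan_files(files)
    for f in findings:
        print(f"{f.path}:{f.line}: {f.rule} {f.preview}")
    return 1 if findings else 0  # non-zero exit blocks the commit in a hook


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run with `--staged` from a pre-commit hook to scan the index; without it the constructed sample tree is scanned. The scan reads blobs with `git show :path` rather than the working tree, so an edit made after `git add` cannot slip a different version past the check.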
Source
prime-system/examples/frontend-design/primes/compiled/@community/rule-secrets-never-in-source/atom.yaml