WKLD.04 Prevent application secrets from being exposed
During local development, application secrets can be stored in local configuration or code files and accidentally checked in to source code repositories. If a repository hosted on a public service provider is unsecured, unauthorized users can access it and discover exposed secrets. Use available tools to prevent secrets from being committed to your repository. During code reviews, check for hardcoded credentials, API keys, and other secrets before merging changes.
The following open-source tools can help prevent application secrets from being checked in to source code repositories:
- Gitleaks on GitHub
- detect-secrets on GitHub
- git-secrets on GitHub
- TruffleHog on GitHub

Note: These tools are open source and available at no charge.
For guidance on detecting and remediating secrets that have already been exposed, see WKLD.05 Detect and remediate when secrets are exposed.
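To show what such a pre-commit check does, here is a small scanner added as an example; it is not the code of any tool listed above. It reads only the lines a commit would add, flags a few high-signal credential formats (the AWS access key ID prefix is publicly documented; the generic assignment pattern and the 3.5-bit entropy threshold are assumptions chosen for this example), and returns a non-zero status so the commit is blocked.

```python
#!/usr/bin/env python3
"""Minimal pre-commit secret scanner (added example, not one of the tools listed above).

Copy to .git/hooks/pre-commit and mark it executable. It scans the staged diff for
known credential formats and for high-entropy values in assignment-like lines.
"""
import math
import re
import subprocess
import sys

# AWS access key IDs start with AKIA and are 20 characters; the other two patterns
# are generic and deliberately conservative (assumption made for this example).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "assignment_secret": re.compile(
        r"(?i)\b(secret|password|passwd|api[_-]?key|token)\b\s*[:=]\s*['\"]?"
        r"([A-Za-z0-9/+_\-]{16,})"),
}

def shannon_entropy(s: str) -> float:
    """Bits per character; random keys score high, placeholders like 'xxxx' score low."""
    if not s:
        return 0.0
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def scan_lines(lines, entropy_threshold=3.5):
    """Return (1-based index, rule) for each added line that looks like a secret."""
    findings = []
    for n, line in enumerate(lines, 1):
        for rule, rx in PATTERNS.items():
            m = rx.search(line)
            if not m:
                continue
            # Generic assignments only count when the value looks random, not a placeholder.
            if rule == "assignment_secret" and shannon_entropy(m.group(2)) < entropy_threshold:
                continue
            findings.append((n, rule))
    return findings

def staged_added_lines():
    """Lines this commit adds: '+' lines of the cached diff, minus the '+++' file header."""
    diff = subprocess.run(["git", "diff", "--cached", "-U0"],
                          capture_output=True, text=True, check=True).stdout
    return [l[1:] for l in diff.splitlines() if l.startswith("+") and not l.startswith("+++")]

def main() -> int:
    findings = scan_lines(staged_added_lines())
    for n, rule in findings:  # report the rule and position, never the matched value itself
        print(f"possible secret ({rule}) in added line {n}; commit blocked", file=sys.stderr)
    return 1 if findings else 0

if __name__ == "__main__":
    sys.exit(main())
```

The hook deliberately prints only the rule and line position so the suspected secret is not copied into terminal logs or CI output.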