How to Audit Your GitHub Repo for Leaked Secrets

Leaked secrets within a GitHub repository can lead to significant security vulnerabilities, exposing sensitive information to potential cyber threats. Ensuring your repositories are free from such leaks is critical for maintaining the integrity and security of your software development process.
Direct Solution with Code
To audit your GitHub repo for leaked secrets, you can use a tool like git-secrets. It prevents you from committing passwords and other sensitive information to a git repository.
Installation
First, install git-secrets:
# If you're on a Mac and using Homebrew:
brew install git-secrets
# Or, if you prefer to clone from GitHub:
git clone https://github.com/awslabs/git-secrets.git
cd git-secrets
make install
Configuration
Next, configure git-secrets to scan for AWS credentials by running:
git secrets --register-aws --global
This command registers the AWS patterns in your global git configuration, so they are checked in every repository on the machine. You can also add custom patterns (regular expressions) for secrets specific to your project:
git secrets --add 'my_custom_secret_pattern'
Scanning Repositories
To scan an existing repository, navigate to your project folder and run:
git secrets --scan
For a more comprehensive audit covering the entire git history, use:
git secrets --scan-history
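As an added illustration (not part of git-secrets itself or of the original article), the Python below models how git-secrets decides what to report during a scan: a line is flagged when it matches a prohibited pattern and matches no allowed pattern. The AWS access key ID regex mirrors the one that --register-aws installs; the my_app_token pattern and the sample files are constructed for this example.

```python
import re
from dataclasses import dataclass
# Prohibited patterns: the AWS access key ID rule that `git secrets --register-aws`
# installs, plus a project-specific pattern of the kind registered with `git secrets --add`.
PROHIBITED = [
    re.compile(r"(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}"),
    re.compile(r"(?i)my_app_token\s*[:=]\s*['\"]?[A-Za-z0-9]{24,}"),  # constructed
]
# Allowed patterns: a line matching one of these is never reported, even if it also
# matches a prohibited pattern (git-secrets keeps these in .gitallowed / --add --allowed).
ALLOWED = [re.compile(r"AKIAIOSFODNN7EXAMPLE")]  # AWS documentation sample key

@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    text: str

def scan_blob(path, content, prohibited=PROHIBITED, allowed=ALLOWED):
    """One Finding per line that matches a prohibited pattern and no allowed pattern."""
    findings = []
    for no, line in enumerate(content.splitlines(), start=1):
        if not any(p.search(line) for p in prohibited):
            continue
        if any(a.search(line) for a in allowed):
            continue  # explicitly allow-listed, e.g. a documentation sample
        findings.append(Finding(path, no, line.strip()))
    return findings

def scan_tree(files):
    """Scan a mapping of path -> content, as a history scan does for each commit."""
    out = []
    for path in sorted(files):
        out.extend(scan_blob(path, files[path]))
    return out

# Constructed sample tree; the key-shaped strings are made up, not real credentials.
SAMPLE_FILES = {
    "config/settings.py": (
        "AWS_REGION = 'eu-west-1'\n"
        "AWS_ACCESS_KEY_ID = 'AKIAQQQQQQQQQQQQTEST'\n"  # flagged: live-looking key shape
        "MY_APP_TOKEN = 'abcdefghijklmnopqrstuvwx0123'\n"  # flagged: custom pattern
    ),
    "docs/aws.md": "Example from the AWS docs: AKIAIOSFODNN7EXAMPLE\n",  # allow-listed
    "README.md": "Run `git secrets --scan-history` before you push.\n",
}

if __name__ == "__main__":
    for f in scan_tree(SAMPLE_FILES):
        print(f"{f.path}:{f.line_no}: {f.text}")
```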
Explanation of Key Concepts
- Leaked Secrets: Sensitive data, such as passwords, API keys, and certificates, unintentionally committed to version control systems.
- git-secrets: An open-source tool by AWS Labs that scans commits, commit messages, and merges for potential secret leaks.
Quick Tip
Always run git secrets --scan before pushing commits to remote repositories. Integrating this step into your CI/CD pipeline can automate the audit process, ensuring that no secrets are leaked inadvertently.
Gotcha
Remember, git-secrets must be configured for each repository unless you specify the --global option during setup. However, relying solely on global configurations can lead to missed custom patterns specific to a project. It's advisable to review and tailor .git/config and .gitsecrets files per repository to ensure comprehensive security coverage.
By implementing these steps, you effectively audit your GitHub repositories for leaked secrets, mitigating potential security risks and maintaining the confidentiality of sensitive information.