It's time to stop hardcoding secrets in Git repos

The year is 2022, and secrets in Git repositories are still causing headaches for security engineers around the world. If you're a long-time GitGuardian follower, you already know how committed we are to fighting secrets-in-code with our tutorials, webinars, videos, and reports. This time, we decided to team up with @sec_r0 to raise awareness around the risks of hardcoding secrets, with the help of a drawing!

If you enjoyed reading this zine, spread the word and share it around!

In the early days after the SolarWinds attack, there was a lot of speculation about the initial access techniques used. With hindsight, we know that the scenario in which hackers could have used the compromised SolarWinds FTP server credentials is untrue. The purpose of this cartoon is simply to remind readers that hardcoding credentials in Git repositories is a very common misstep and that working with Git history commands is more complex than it seems.

For a thorough technical analysis of how the SUNBURST malicious code was inserted into SolarWinds Orion Platform software, you can refer to this report from CrowdStrike’s intelligence team.

Security Zines is a project led by Rohit Sehgal, Staff Security Engineer at Gojek. Check out his work and give him a follow on Twitter @sec_r0 to see what he comes up with next!

Want to learn more about secrets sprawl?

Here's everything you need to go down the rabbit hole.

Understanding secrets sprawl

The State of Secrets Sprawl 2022
In its 2022 report, GitGuardian extends its previous edition focused on public GitHub by depicting a realistic view of the state of secrets sprawl in corporate codebases.
Finding over 6,000 credentials in Twitch’s source code - How our source code is a vulnerability
In this video, we break down the recent source code leak at Twitch and discuss what makes our source code a vulnerability. We used GitGuardian's secret detecti...
Secrets exposed in Docker images: Hunting for secrets in Docker Hub
In this article, we will explain why Docker images can contain sensitive information and give some examples of the type of secrets we found in public Docker images. Finally, we will compare our results to the ones we have with source code scanning.

Best practices around secrets management and detection

Code & secret management best practices - GitGuardian Blog
Storing and managing secrets like API keys and other credentials can be challenging. Here are some of the best practices to help keep secrets and credentials safe.
Detect secrets with a pre-commit git hook using GG-Shield and the pre-commit framework
Leaked secrets like API keys are a severe security risk especially when they enter into git repositories. The best place to detect secrets is BEFORE they ent...
Data Security: AWS KMS and HashiCorp Vault - GitGuardian Blog
Vault and KMS share some similarities (for example, they both support encryption), but in general, KMS is more on the app data encryption / infra encryption side, and Vault is more on the secrets management / identity-based access side.

More Git tutorials and cheat sheets!

8 steps to manage multiple GitHub accounts | GitGuardian Blog
Any developer has to set up his Git config at least once. Our cheat sheet will help you make this process a breeze, ensuring that you never push with the wrong profile again!
How to permanently remove files from git and rewrite your git history
In this video I will run through how to permanently delete files and rewrite your git history using two methods. The git reset command for simple scenarios a...
Git Clean, Git Remove file from commit - Cheatsheet - GitGuardian Blog
Exposing secrets in a Git repository is bad, but mistakes happen. This is a complete guide and cheatsheet to rewrite and remove files from Git history.

I hope these resources will help you keep secrets out of your Git repositories in the future. Don't forget to bookmark them and share them with your developer friends and colleagues!

Read the next Zine

Compromising CI/CD Pipelines with Leaked Credentials [Security Zines]
He struck again! New Security Zine, this time focusing on how leaked Jenkins credentials can lead to a complete supply chain takeover...