
Your Secret Scanner Has a Blind Spot: Here’s How to Fix It


Every penetration tester has had the moment. You are two days into an engagement, sifting through cloned repositories and intercepted HTTP responses, and a hardcoded AWS key appears in a config file that has been sitting in version control for months. Nobody rotated it. Nobody noticed. And when you validate it, the key is still live.

Leaked secrets are not a new problem. The tooling for finding them has improved dramatically over the past several years, with mature open-source rule sets covering hundreds of credential patterns across cloud providers, SaaS platforms, CI/CD systems, and payment processors. But most of this tooling operates in exactly one context: you point a CLI scanner at a directory and read the output. That is the blind spot.
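The following is an added example, not code from the article or from any scanner it refers to. It makes the point above concrete: the rule set (deliberately tiny here, where real tools carry hundreds of patterns) is kept separate from the input source, so the same rules run over a file on disk and over a raw intercepted HTTP response. The config text, the URL and the HTTP response are constructed samples; the AWS values are the placeholder keys from AWS's own documentation, and the `AKIA` + 16 uppercase alphanumerics format is the public access key ID format.

```python
"""Secret-scanning rules decoupled from the input source.

Added example (not code from the article or any named scanner). The
rule set is deliberately tiny and the inputs below are constructed
samples; the only non-hypothetical identifier is the public AWS
access key ID format (AKIA + 16 uppercase alphanumerics).
"""
import math
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Finding:
    rule: str
    source: str   # file path, URL, commit hash: whatever the text came from
    line: int
    secret: str


# name -> pattern. Group 1 (when present) is the secret value itself.
RULES: Dict[str, re.Pattern] = {
    # Public format of an AWS access key ID.
    "aws-access-key-id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    # AWS secret access keys are 40 chars from a base64-like alphabet; only
    # flag them next to their usual variable name to keep noise down.
    "aws-secret-access-key": re.compile(
        r"(?i)aws_secret_access_key\s*[:=]\s*['\"]?([A-Za-z0-9/+=]{40})"
    ),
    "private-key-block": re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"
    ),
    # Generic key/value rule; matches config, JSON and env-style syntax.
    "generic-api-key": re.compile(
        r"(?i)\b(?:api[_-]?key|secret|token)['\"]?\s*[:=]\s*['\"]?([A-Za-z0-9_\-]{20,})"
    ),
}


def shannon_entropy(value: str) -> float:
    """Bits per character; placeholders like 'xxxx...' score near 0."""
    if not value:
        return 0.0
    n = len(value)
    counts = {c: value.count(c) for c in set(value)}
    return -sum(k / n * math.log2(k / n) for k in counts.values())


def scan_text(text: str, source: str, min_entropy: float = 3.0) -> List[Finding]:
    """Run every rule over every line of `text`, tagging hits with `source`."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in RULES.items():
            for m in pattern.finditer(line):
                value = m.group(1) if m.groups() else m.group(0)
                # Only the generic rule needs an entropy gate; the structured
                # rules already encode the exact format they match.
                if name == "generic-api-key" and shannon_entropy(value) < min_entropy:
                    continue
                findings.append(Finding(name, source, lineno, value))
    return findings


def scan_file(path: str) -> List[Finding]:
    """The usual CLI context: a file on disk."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_text(fh.read(), path)


def scan_http_response(raw: bytes, url: str) -> List[Finding]:
    """Same rules, different context: a raw intercepted HTTP response.

    Headers and body are scanned together, so a credential leaked in a
    header or a verbose error page is found just like one in a repo.
    """
    return scan_text(raw.decode("utf-8", errors="replace"), source=url)


# --- constructed samples ---------------------------------------------------
SAMPLE_CONFIG = """# constructed sample; the AWS values are AWS's own documentation placeholders
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
api_key = "xxxxxxxxxxxxxxxxxxxxxxxxxxxx"
"""

SAMPLE_RESPONSE = (  # constructed; a verbose error page leaking a token
    b"HTTP/1.1 500 Internal Server Error\r\n"
    b"Content-Type: application/json\r\n"
    b"\r\n"
    b'{"error": "upstream failed", "debug": {"token": "Qz7vLm2xRk9pWn4tYh6bJd3fGs8cVe1a"}}\r\n'
)


def demo() -> List[Finding]:
    """Scan both constructed sources with the same rule set."""
    results = scan_text(SAMPLE_CONFIG, "~/.aws/credentials")
    results += scan_http_response(SAMPLE_RESPONSE, "https://api.example.test/v1/orders")
    return results


if __name__ == "__main__":
    for f in demo():
        print(f"{f.source}:{f.line} [{f.rule}] {f.secret}")
```

The placeholder `api_key = "xxxx..."` is dropped by the entropy gate, the two AWS values and the token in the error response are reported, and each finding carries the source it came from rather than only a path. A hit is still only a candidate: confirming that a key is live (for AWS, an STS `GetCallerIdentity` call from an authorised test host) is a separate step that belongs outside the scanner and inside the engagement's rules of engagement.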

The Problem Is Not Detection Rules

During a typical offensive engagement, credentials surface across multiple attack surfaces at once. Source code repositories are the obvious ones ...


Copyright of this story solely belongs to informationsecuritybuzz.com. The full text is available at the original source.