WKLD.04 – Prevent application secrets from being exposed - AWS Prescriptive Guidance

During local development, application secrets can be stored in local configuration or code files and accidentally checked in to source code repositories. Unsecured repositories hosted on public service providers can be subject to unauthorized access, which can lead to discovery of these secrets. Use available tools to prevent secrets from being checked in, and incorporate checks for exposed secrets into your manual code review processes.

Some common tools that can prevent application secrets from being checked in to source code repositories are: