--- id: wiki-2026-0508-secrets-detection title: Secrets Detection category: 10_Wiki/Topics status: verified canonical_id: self aliases: [Credential Scanning, Leaked Secrets, Git Secret Scanning] duplicate_of: none source_trust_level: A confidence_score: 0.9 verification_status: applied tags: [security, secrets, gitleaks, trufflehog, devsecops] raw_sources: [] last_reinforced: 2026-05-10 github_commit: pending tech_stack: language: Go framework: gitleaks --- # Secrets Detection ## 매 한 줄 > **"매 secret 의 leak 은 git history 의 forever — 매 prevention(pre-commit) > detection(CI) > remediation(rotate + rewrite history)"**. 매 origin 은 2014 GitHub 의 AWS key 대량 leak; 매 modern state 는 gitleaks/trufflehog v3 (entropy + verifier), GitHub Push Protection, AI-aided context analysis (Claude Opus 4.7 으로 매 false positive triage). ## 매 핵심 ### 매 detection 의 3 layer - **Pre-commit (local)**: gitleaks pre-commit hook — 매 push 전 차단. - **CI (PR)**: gitleaks/trufflehog GitHub Action — 매 PR diff scan. - **Org-wide (continuous)**: GitHub Advanced Security secret scanning, GitGuardian, 매 historical scan. ### 매 detection 기법 - **Regex patterns**: AWS `AKIA[0-9A-Z]{16}`, GitHub `ghp_[A-Za-z0-9]{36}`. - **Entropy analysis**: Shannon entropy > 4.5 base64-like. - **Verification**: 매 detected key 를 actual API call 로 verify (live or revoked). - **AI context analysis**: 매 LLM 으로 매 surrounding code + filename → false positive triage. ### 매 응용 1. Pre-commit gate (developer machine). 2. CI/CD PR check. 3. Org-wide historical audit. 4. Incident response (breach detected → rotate all). ## 💻 패턴 ### 매 gitleaks pre-commit hook ```yaml # .pre-commit-config.yaml repos: - repo: https://github.com/gitleaks/gitleaks rev: v8.21.0 hooks: - id: gitleaks ``` ```bash $ pre-commit install $ git commit -m "feat: add api" # gitleaks........Failed # leak: aws-access-token at config/dev.env:3 ``` ### 매 gitleaks custom config (매 corp tokens) ```toml # .gitleaks.toml [extend] useDefault = true [[rules]] id = "acme-internal-token" description = "Acme internal API token" regex = '''ACME_[A-Z0-9]{32}''' keywords = ["acme_"] entropy = 3.5 [[rules]] id = "anthropic-api-key" description = "Anthropic API key" regex = '''sk-ant-[a-zA-Z0-9-_]{95,}''' keywords = ["sk-ant-"] [allowlist] description = "test fixtures" paths = [ '''(.*?)tests/fixtures/.*''', '''(.*?)\.example\..*''', ] ``` ### 매 GitHub Action (PR scan) ```yaml # .github/workflows/secrets-scan.yml name: Secrets Scan on: [pull_request] jobs: gitleaks: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 with: fetch-depth: 0 # 매 full history 필요 - uses: gitleaks/gitleaks-action@v2 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }} ``` ### 매 trufflehog v3 (with verification, 매 live key 만 alert) ```bash # 매 git history 전체 scan, 매 verified live key 만 $ trufflehog git file://. --only-verified --json | jq . # 매 GitHub org scan $ trufflehog github --org=acme --token=$GH_PAT --only-verified # 매 Docker image scan $ trufflehog docker --image=acme/api:latest --only-verified ``` ### 매 leaked key remediation (매 4-step) ```bash # 1. 매 ROTATE first (매 코드 수정 전!) — 매 leak 시 attacker timer 시작 aws iam create-access-key --user-name svc-deploy aws iam delete-access-key --access-key-id AKIA... --user-name svc-deploy # 2. 매 history rewrite (BFG, 매 git filter-repo 보다 빠름) bfg --replace-text passwords.txt repo.git cd repo.git && git reflog expire --expire=now --all && git gc --prune=now --aggressive # 3. 매 force push (매 collaborator 들에게 reclone 공지) git push --force-with-lease # 4. 매 audit logs — 매 attacker 가 이미 사용했는지 aws cloudtrail lookup-events --lookup-attributes \ AttributeKey=AccessKeyId,AttributeValue=AKIA... ``` ### 매 AI-aided false-positive triage (Claude Opus 4.7) ```python import anthropic client = anthropic.Anthropic() def triage(finding): """gitleaks finding -> {is_real_secret, severity, action}""" prompt = f"""You are a security engineer. Decide if this is a real secret leak. Finding: File: {finding['file']} Line: {finding['line']} Match: {finding['match']} Context (5 lines before/after): {finding['context']} Output JSON: is_real_secret: bool reason: str severity: low|medium|high|critical action: rotate|ignore|investigate """ msg = client.messages.create( model="claude-opus-4-7", max_tokens=512, messages=[{"role": "user", "content": prompt}], ) return msg.content[0].text ``` ### 매 GitHub Push Protection (매 enable, free for public) ```bash # 매 org-level: Settings → Code security → Push protection: Enabled # 매 push 시 GitHub 가 server-side block — 매 partner pattern 매 200+ provider gh api -X PATCH orgs/acme \ -F secret_scanning_push_protection_enabled_for_new_repositories=true ``` ### 매 Doppler/Infisical (매 secret manager — 매 prevention root cause) ```bash # 매 .env 의 X — 매 secret manager 에서 inject $ doppler run -- python app.py # 매 process env 에 inject, 매 disk 에 닿지 않음 ``` ## 매 결정 기준 | 상황 | Approach | |---|---| | 매 dev workstation | gitleaks pre-commit hook | | 매 PR gate | gitleaks/trufflehog Action | | 매 GitHub.com hosted | Push Protection enable | | 매 large org historical | trufflehog --only-verified org-scan | | 매 false-positive 많음 | Claude Opus 4.7 triage layer | | 매 root-cause prevention | Doppler/Infisical, 매 .env 폐기 | **기본값**: pre-commit (gitleaks) + CI (gitleaks Action) + GitHub Push Protection + Doppler. ## 🔗 Graph - 부모: [[Application Security]] · [[CI_CD 파이프라인 및 IDE 통합 보안|DevSecOps]] - 변형: [[Gitleaks]] - Adjacent: [[Key Rotation]] ## 🤖 LLM 활용 **언제**: 매 finding triage (매 false positive vs real). 매 git history 의 narrative incident report. **언제 X**: 매 detection 자체 — 매 deterministic regex/entropy 가 더 빠르고 cheap. 매 LLM 의 latency + cost 매 inline 부적절. ## ❌ 안티패턴 - **".env in repo"**: 매 매 the most common leak vector. 매 secret manager. - **Commit-then-rotate skip**: 매 rotate skip — 매 history forever. - **`.gitignore` rely**: 매 already-committed file 은 ignore 영향 X. - **Force-push without coord**: 매 collaborator 의 reflog 에 leak 잔존. - **Public-key panic**: 매 pub key 는 leak 의 X — 매 알고 commit. ## 🧪 검증 / 중복 - Verified (gitleaks docs v8.21, GitHub secret scanning docs 2026, OWASP Secrets Management Cheat Sheet). - 신뢰도 A. ## 🕓 Changelog | 날짜 | 변경 | |---|---| | 2026-05-08 | Phase 1 | | 2026-05-10 | Manual cleanup — gitleaks + trufflehog + Push Protection + Claude triage |