Phantom secrets have the potential to cause major cybersecurity issues, yet a worrying number of developers aren’t aware of their existence.
Developers often embed credentials, API tokens, and passkeys directly into their code, which must be removed before the code is pushed to production.
However, secret scanning tools miss these secrets because of a design flaw in Git-based infrastructure: many secrets remain accessible in the commit history even after they have been removed from the current code.
Recently, Aqua Nautilus conducted research on the top 100 organisations on GitHub, which collectively had 52,268 different repositories.
Around 17.78% of potential secrets in repositories can be missed if users rely only on regular git-clone based scanning tools.
Historical secret scanning eliminates oversights in scanning tools by identifying and addressing secrets that, though deleted from the code, remain accessible in the commit history.
Adopting historical secret scanning helps gain complete oversight of all secrets, without blind spots, by including those buried deep within the commit history.
Enhanced detection and a reduced attack surface are key benefits of historical secret scanning.
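To make the difference between the two approaches concrete, here is an added example (not Aqua Nautilus's tooling and not code from the original article) that scans the same constructed repository two ways: once as a git-clone style snapshot of the current tree, and once over the textual output of `git log -p --all`. The commit ids, file contents, author and the secret-looking token are all constructed for the example; the two regex rules are a deliberately tiny stand-in for a real rule set.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed rule set for this example; a production scanner carries far more rules.
PATTERNS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "assigned-credential": re.compile(
        r"(?i)\b(api[_-]?token|api[_-]?key|secret|password)\b\s*[:=]\s*['\"][^'\"]{8,}['\"]"
    ),
}

# Constructed `git log -p --all` output (newest commit first). The token was
# committed in 1111..., then removed in 2222... before release.
SAMPLE_GIT_LOG = """commit 2222222222222222222222222222222222222222
Author: Example Dev <dev@example.invalid>
Date:   Tue Jan 2 09:00:00 2024 +0000

    remove hardcoded token before release

diff --git a/settings.py b/settings.py
index 1111111..2222222 100644
--- a/settings.py
+++ b/settings.py
@@ -1,2 +1,3 @@
-API_TOKEN = "AKIAEXAMPLEFAKE000ZZ"
+import os
+API_TOKEN = os.environ["API_TOKEN"]
 DEBUG = False

commit 1111111111111111111111111111111111111111
Author: Example Dev <dev@example.invalid>
Date:   Mon Jan 1 10:00:00 2024 +0000

    add settings module

diff --git a/settings.py b/settings.py
new file mode 100644
index 0000000..1111111
--- /dev/null
+++ b/settings.py
@@ -0,0 +1,2 @@
+API_TOKEN = "AKIAEXAMPLEFAKE000ZZ"
+DEBUG = False
"""

# Constructed snapshot of the current tree, i.e. what a clone of HEAD contains.
HEAD_TREE = {"settings.py": 'import os\nAPI_TOKEN = os.environ["API_TOKEN"]\nDEBUG = False\n'}


@dataclass(frozen=True)
class Finding:
    commit: str    # commit id, or "HEAD" for a snapshot hit
    path: str
    rule: str
    kind: str      # "present" (snapshot), "added" or "removed" (history)
    content: str


def match_rule(text: str) -> Optional[str]:
    """Return the name of the first rule that matches, or None."""
    for name, rx in PATTERNS.items():
        if rx.search(text):
            return name
    return None


def scan_tree(files: Dict[str, str]) -> List[Finding]:
    """Snapshot scan: only the files as they exist at HEAD are inspected."""
    out = []
    for path, body in files.items():
        for line in body.splitlines():
            rule = match_rule(line)
            if rule:
                out.append(Finding("HEAD", path, rule, "present", line.strip()))
    return out


def _strip_prefix(p: str) -> Optional[str]:
    # git prints paths as a/<path> and b/<path>; /dev/null marks a created/deleted file
    if p == "/dev/null":
        return None
    return p[2:] if p[:2] in ("a/", "b/") else p


def scan_history(git_log_patch: str) -> List[Finding]:
    """Historical scan: walk every hunk of `git log -p --all` and flag secret-looking
    lines that were added or removed, tagged with the commit that changed them."""
    findings = []
    commit = path = old_path = None
    in_hunk = False
    for raw in git_log_patch.splitlines():
        if raw.startswith("commit "):
            commit, in_hunk = raw.split()[1], False
            continue
        if raw.startswith("diff --git "):
            in_hunk, path, old_path = False, None, None
            continue
        if not in_hunk:
            if raw.startswith("--- "):
                old_path = _strip_prefix(raw[4:])
            elif raw.startswith("+++ "):
                path = _strip_prefix(raw[4:]) or old_path
            elif raw.startswith("@@"):
                in_hunk = True
            continue
        if raw.startswith("@@"):
            continue  # next hunk of the same file
        sign, content = raw[:1], raw[1:]
        if sign in ("+", "-"):
            rule = match_rule(content)
            if rule:
                kind = "added" if sign == "+" else "removed"
                findings.append(Finding(commit, path, rule, kind, content.strip()))
    return findings


if __name__ == "__main__":
    print("snapshot findings:", scan_tree(HEAD_TREE))
    for f in scan_history(SAMPLE_GIT_LOG):
        print(f"history: {f.kind:7} {f.rule:20} {f.commit[:8]} {f.path}: {f.content}")
```

The snapshot scan returns nothing, while the history scan reports the token as added in the first commit and removed in the second; the clone still carries the first commit, so the credential is recoverable by anyone who can read the repository. To run this against a real repository, pipe the output of `git log -p --all --full-history` into `scan_history`. Note that `--all` only walks commits reachable from refs; commits that have been orphaned by rebases or force-pushes are not shown by it, which is why a rotated credential should be treated as compromised rather than merely scrubbed.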
It is critical to realise that credentials, API tokens, and passkeys can remain exposed for many years, even after being deleted, which creates significant security risk.