How Stateward protects you against hardcoded secrets & leaked credentials
The threat
API keys, tokens, database URLs and private keys committed to source control are recovered by automated scanners within seconds of a push, and a secret that has entered git history stays compromised even after you delete the line.
How Stateward catches it
Stateward scans every diff at commit time for known token formats and high-entropy strings, redacts the value (it never echoes or stores a secret), and flags it before it reaches a shared branch. Findings carry state, so a fixed leak stays closed and reopens on regression.
Recent advisories of this class
- [critical] SECRET-HARDCODED-SOURCE: Hardcoded secrets are API keys, database passwords, OAuth tokens, and private keys written directly as string literals into application source and committed to version control. Because they are plaintext constants, automated scanners (TruffleHog, Gitleaks, GitHub secret scanning) trivially recover them by pattern-matching commit contents against known token formats and high-entropy strings, so a single push to a public host exposes the credential to anyone watching the commit stream within seconds. GitGuardian's State of Secrets Sprawl reported 12.8 million new secrets leaked on public GitHub in 2023 and 23.8 million in 2024 (GitGuardian itself describes the 2024 figure as a roughly 25% year-on-year rise, a comparison made against a different baseline than the 2023 headline number), with generic secrets making up 58% of detections. The problem is not limited to public code: GitGuardian found 35% of scanned private repositories also contained plaintext secrets, and AWS IAM keys appeared several times more often in private than in public repos. Once committed, a leaked credential can grant direct access to production databases, cloud accounts, and third-party services.
- [critical] SECRET-GIT-HISTORY: Git is a content-addressable store: every version of every file is saved as an immutable blob object referenced by commits, so deleting a secret in a later commit or removing the file entirely leaves the original blob intact and fully reachable in history. Anyone who clones or forks the repository receives the complete object database and can recover the credential by walking old commits (git log -p, git rev-list, or extracting the blob by its hash), which is why a secret 'removed' in HEAD is still public. Truly purging it requires rewriting history with git filter-repo or the BFG Repo-Cleaner to drop the blob and force-pushing, but GitHub warns that existing clones, forks, pull-request references, and cached commit views may still expose it. GitHub's own guidance is explicit: once a secret has been pushed, consider it compromised and rotate it, because rewriting history cannot guarantee no one already copied it. Rotation is the only reliable remediation; history rewriting is cleanup, not a fix.
- [high] SECRET-TOYOTA-TCONNECT-2022: On October 10, 2022 Toyota disclosed that data for up to 296,019 customers of its T-Connect vehicle-connectivity app had been exposed for nearly five years. A development subcontractor published part of the T-Connect source code to a public GitHub repository in December 2017, and that code contained a hardcoded access key for a data server holding customer records. Because the repository was public, anyone could read the embedded key and use it to authenticate to the server storing customer email addresses and management (customer control) numbers. The exposure ran from December 2017 until the public repository was noticed and access restricted on September 15, 2022. Toyota changed the affected database keys on September 17, 2022 and warned customers of phishing risk, while stating it could not completely rule out third-party access; names, credit card data, and phone numbers were not stored in the exposed dataset. This is distinct from Toyota's separate 2023 cloud-configuration exposure.
- [high] SECRET-CLIENT-EMBEDDED: Any secret shipped in code that runs on a user's device is public by definition, because the user controls the runtime and can read everything in it. API keys and cloud credentials in a JavaScript front-end sit in plaintext inside the served bundle and are visible via browser dev tools or by downloading the .js file, while keys compiled into mobile apps are recoverable by unzipping the APK/IPA and decompiling with tools like apktool, jadx, or strings to dump embedded constants. Symantec's threat-hunting team found over 1,800 mobile apps with hardcoded AWS credentials, mostly on iOS, and 77% contained valid, live AWS access tokens granting access to private cloud services, with nearly half exposing S3 buckets holding millions of files (September 2022). CloudSEK separately reported roughly one in 200 mobile apps leaking hardcoded private keys, including 40-plus apps with over 100 million combined downloads. The fix is architectural: secrets must live on a backend the client authenticates against, never in the shipped artifact.
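The following Python script is an added example, not Stateward's code and not any of the scanners named above. It implements the two detection techniques described under "How Stateward catches it" and SECRET-HARDCODED-SOURCE (matching known token formats, then a Shannon-entropy test on long key-like strings, with the value redacted rather than echoed), runs them over a constructed diff, and then over a constructed git loose-object store to show concretely why SECRET-GIT-HISTORY holds: the blob for a line that was deleted in HEAD is still sitting in .git/objects. The same scan_text function works unchanged on a downloaded JavaScript bundle or on strings dumped from an APK (SECRET-CLIENT-EMBEDDED). The two token regexes, the 4.0-bit threshold, the sample diff, the temporary object store and every value in them are illustrative assumptions; AKIAIOSFODNN7EXAMPLE is the placeholder key from AWS's own documentation, not a live credential.

```python
"""Added example (not Stateward's code): known-format + entropy secret detection with
redaction, run over a constructed diff and a constructed git loose-object store.
The token regexes, the threshold and every sample value are assumptions."""
import hashlib
import math
import re
import tempfile
import zlib
from pathlib import Path

# Assumed formats: AWS access key IDs (AKIA + 16 chars) and GitHub classic PATs (ghp_ + 36).
KNOWN_FORMATS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github-pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}
CANDIDATE = re.compile(r"[A-Za-z0-9+/=_\-]{20,}")  # long key-like runs get the entropy test
ENTROPY_THRESHOLD = 4.0  # bits per character; an assumption, tune on your own corpus

def shannon_entropy(s: str) -> float:
    """0.0 for a single repeated symbol, log2(n) for n distinct symbols."""
    n, counts = len(s), {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def redact(value: str) -> str:
    """Never echo or store the secret: report a 4-char prefix and the length only."""
    return f"{value[:4]}...({len(value)} chars)"

def scan_text(text: str, source: str) -> list:
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, rx in KNOWN_FORMATS.items():
            for m in rx.finditer(line):
                findings.append({"source": source, "line": lineno, "rule": rule,
                                 "redacted": redact(m.group())})
        for m in CANDIDATE.finditer(line):
            tok = m.group()
            if any(rx.fullmatch(tok) for rx in KNOWN_FORMATS.values()):
                continue  # already reported by a format rule
            if shannon_entropy(tok) >= ENTROPY_THRESHOLD:
                findings.append({"source": source, "line": lineno, "rule": "high-entropy",
                                 "redacted": redact(tok)})
    return findings

def scan_diff(diff: str) -> list:
    """Scan only what the commit adds: '+' lines, minus the '+++' file header.
    Reported line numbers are positions among the added lines."""
    added = [l[1:] for l in diff.splitlines() if l.startswith("+") and not l.startswith("+++")]
    return scan_text("\n".join(added), "diff")

# git is content-addressed: a blob's name is the SHA-1 of "blob <size>", NUL, content,
# and the object database keeps every blob ever written, reachable from HEAD or not.
def git_blob_hash(content: bytes) -> str:
    return hashlib.sha1(b"blob %d\0" % len(content) + content).hexdigest()

def write_loose_object(git_dir: Path, content: bytes) -> str:
    """Git's loose-object format: zlib(header + content) at objects/<2 hex>/<38 hex>."""
    oid = git_blob_hash(content)
    path = git_dir / "objects" / oid[:2] / oid[2:]
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(zlib.compress(b"blob %d\0" % len(content) + content))
    return oid

def scan_loose_objects(git_dir: Path) -> list:
    """Walk every loose blob without git.  Caveat: after `git gc` objects move into
    objects/pack/ and need git itself (git rev-list --all --objects, git cat-file)."""
    findings = []
    for path in sorted((git_dir / "objects").glob("??/*")):
        header, _, body = zlib.decompress(path.read_bytes()).partition(b"\0")
        if header.startswith(b"blob "):
            oid = path.parent.name + path.name
            findings.extend(scan_text(body.decode("utf-8", "replace"), f"blob {oid}"))
    return findings

# Constructed diff.  AKIAIOSFODNN7EXAMPLE is AWS's documentation placeholder; the rest is
# made up.  "hunter2" is deliberately missed: no known format, too short for the entropy
# test.  Short passwords need context rules (e.g. the variable name), omitted here.
SAMPLE_DIFF = """\
--- a/config.py
+++ b/config.py
@@ -1,2 +1,5 @@
 DB_HOST = "db.internal.example"
-DB_PASSWORD = os.environ["DB_PASSWORD"]
+DB_PASSWORD = "hunter2"
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+GITHUB_TOKEN = "ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
+SIGNING_KEY = "q7Rm2ZpL9xTb4VnK0wYc6JdH3eGs8AfU"
"""

def demo_history() -> tuple:
    """v1 commits the key, v2 'removes' it: HEAD shows v2, but v1's blob is still in
    the store, so every clone still carries the secret.  Returns (leaked oid, findings)."""
    git_dir = Path(tempfile.mkdtemp()) / ".git"
    leaked = write_loose_object(git_dir, b'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n')
    write_loose_object(git_dir, b'AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]\n')
    return leaked, scan_loose_objects(git_dir)
```

scan_diff(SAMPLE_DIFF) reports three findings (the AWS key and GitHub token by format, SIGNING_KEY by entropy), each redacted to a prefix and a length; demo_history() returns one finding whose source is the blob id of the "deleted" version, which is exactly what an attacker walking a clone's object database sees. Two design points worth carrying into a real deployment: format rules run before the entropy test so a recognised token is never double-reported, and the redaction happens at detection time so the raw value never reaches a log or a findings store.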
Check your own repo for this
Connect a repo and Stateward reviews your next pull request — read-only, free for individuals and open source.
Built to be trusted with your code
Read-only & ephemeral
Stateward can comment, but never pushes, merges or stores your keys.
EU-sovereign hosting
Code and security data stay EU-hosted via Citadea — built for NIS2, DORA and the CRA.
Whole-codebase aware
Reasons over your call graph and trust boundaries, not just the diff.
Stateward is in beta and onboarding design partners. Built by Yggdrasil Digital.