Comprehensive Secrets Management & Leakage Guide

A practitioner’s reference for secrets sprawl, credential leakage, detection, remediation, and hardening. Compiled from 30 research sources covering GitGuardian State of Secrets Sprawl 2025/2026, OWASP Secrets Management Cheat Sheet, TruffleHog, Gitleaks, real-world breaches (Trivy/European Commission, Shai-Hulud, LiteLLM), AI-era leakage patterns, and vault/NHI governance guidance.

Table of Contents: Fundamentals & Impact; Threat Landscape & Statistics; Leak Locations & Attack Surface; Secret Types & Regex Signatures; JavaScript Bundle Extraction; Mobile App Secret Extraction; Cloud Metadata Exfiltration; Environment Variable & File Leakage; JWT Leaks & Validation Failures; Git History Mining; Secret Scanners Compared; AI-Era Leakage Patterns; Real-World Breaches; Rotation & Incident Response Playbook; Vaults & Secret Managers; Developer Hygiene & Prevention; Non-Human Identity Governance; Quick Reference

1. Fundamentals & Impact

A secret is any credential a machine or human uses to authenticate itself to another system: API keys, database passwords, private encryption keys, OAuth client secrets, tokens, SSH keys, TLS certificates, IAM credentials, webhook URLs, and service account JSON. Secrets are the connective tissue of modern distributed architectures, and they are simultaneously the shortest path from reconnaissance to full account takeover. ...

April 10, 2026 · 31 min · Carl Sampson

Software Supply Chain Security Guide

A defender’s reference for software supply chain risks — threat model across the SDLC, package-registry attack patterns, CI/CD hardening, artifact provenance and signing, SBOMs, dependency scanning, case studies, and a checklist. Compiled from 29 research articles, advisories, and incident writeups.

Table of Contents: Fundamentals; Threat Model Across the SDLC; Package Registry Risks; Dependency Confusion, Typosquatting, Slopsquatting; Maintainer Account Compromise; CI/CD Pipeline Hardening; Container Image Provenance & Verification; SLSA Framework; Sigstore, Cosign, in-toto; SBOMs (SPDX, CycloneDX); Dependency Scanning Tooling; Developer Host Hardening; Admission Control & Runtime Verification; Case Studies — Defensive Lessons; Detection Signals & IOCs; Defender Checklist; Reference Configurations

1. Fundamentals

A software supply chain attack compromises a dependency, tool, build system, or distribution channel that the target trusts, rather than attacking the target directly. The malicious payload rides in on a routine npm install, pip install, docker pull, or CI build — bypassing perimeter defenses because the artifact appears legitimate. ...

April 10, 2026 · 29 min · Carl Sampson