Devops-Security

Comprehensive Secrets Management & Leakage Guide

Comprehensive Secrets Management & Leakage Guide A practitioner’s reference for secrets sprawl, credential leakage, detection, remediation, and hardening. Compiled from 54 research sources covering GitGuardian State of Secrets Sprawl 2025/2026, OWASP Secrets Management Cheat Sheet, TruffleHog, Gitleaks, real-world breaches (Trivy/European Commission, Shai-Hulud, LiteLLM, EleKtra-Leak, .env extortion campaigns, GCP SecOps SIEM token leak), AI-era leakage patterns (Claude Code source leak, vibe-coding fingerprints, ChatGPT API key exposure), certificate/private key leak research (Google-GitGuardian), GitHub search syntax for secret discovery, vault hardening (HashiCorp Vault production guide, AWS SM vs Vault, Infisical, SOPS+age), Terraform/Kubernetes secrets management, IAM Roles Anywhere, shift-left speed budgets, and NHI governance guidance. ...

April 10, 2026 · 46 min · Carl Sampson

Software Supply Chain Security Guide

Software Supply Chain Security Guide A defender’s reference for software supply chain risks — threat model across the SDLC, package-registry attack patterns, CI/CD hardening, artifact provenance and signing, SBOMs, dependency scanning, case studies, and a checklist. Compiled from 54 research articles, advisories, and incident writeups in raw/Supply Chain/. Table of Contents Fundamentals Threat Model Across the SDLC Package Registry Risks Dependency Confusion, Typosquatting, Slopsquatting Maintainer Account Compromise CI/CD Pipeline Hardening Container Image Provenance & Verification SLSA Framework Sigstore, Cosign, in-toto SBOMs (SPDX, CycloneDX) Dependency Scanning Tooling Developer Host Hardening Admission Control & Runtime Verification Case Studies — Defensive Lessons Detection Signals & IOCs Defender Checklist Reference Configurations 1. Fundamentals A software supply chain attack compromises a dependency, tool, build system, or distribution channel that the target trusts, rather than attacking the target directly. The malicious payload rides in on a routine npm install, pip install, docker pull, or CI build — bypassing perimeter defenses because the artifact appears legitimate. ...

April 10, 2026 · 40 min · Carl Sampson