Removing a leaked key from the code isn't enough β if it was never rotated it's still a valid way in. We look for secrets in your git history and flag every hit that must be rotated.
Run a free domain scan All checks βWe scan your git history for leaked secrets (API keys, tokens, passwords, private keys) and classify type and location. A leaked secret must be treated as compromised and rotated β we do NOT determine whether it is still active by using it (we don't); we flag it as a potential exposure requiring rotation.
A removed key remains in git history forever β and an attacker reads the history, not just the latest commit. If the key wasn't rotated, it doesn't matter that it was 'removed'. Rotation after exposure is the only action that actually closes the door.
Do you use the leaked keys?
No β we detect the exposure in history without using the keys. We can't determine whether a key is still active without using it, so we flag every hit for rotation.
Is removing the key enough?
No β it remains in git history. Only rotation makes the leaked key worthless to an attacker.
Does code have to leave us?
No β the history scan can run self-hosted in your environment.
Run a free scan or order a full Security Assessment β prioritised, not noise.
Run a free domain scan