Security check

Secrets rotation: find leaked keys that must be rotated

Removing a leaked key from the code isn't enough β€” if it was never rotated it's still a valid way in. We look for secrets in your git history and flag every hit that must be rotated.

Run a free domain scan All checks β†’
Relates to: ISO 27001 Β· A.8.24 cryptography / A.5.17 authentication info SOC 2 Β· CC6.1 credentials NIS2 Β· art. 21 β€” cryptography & access OWASP Β· Secrets Management

What we check

We scan your git history for leaked secrets (API keys, tokens, passwords, private keys) and classify type and location. A leaked secret must be treated as compromised and rotated β€” we do NOT determine whether it is still active by using it (we don't); we flag it as a potential exposure requiring rotation.

Why it matters

A removed key remains in git history forever β€” and an attacker reads the history, not just the latest commit. If the key wasn't rotated, it doesn't matter that it was 'removed'. Rotation after exposure is the only action that actually closes the door.

How Security Guru tests it

Common mistakes

  • Removing the key from the latest commit but leaving it in history
  • Assuming a 'removed' key is safe without rotating
  • No routine for rotation when a leak is discovered
  • Long-lived keys that never expire and are never changed

What you get in the report

  • Leaked secrets in history with type and location
  • All leaked secrets β€” treated as potentially active β€” that must be rotated now
  • Prioritisation by what the key grants access to
  • Recommended rotation routine and shorter key lifetime

FAQ

Do you use the leaked keys?

No β€” we detect the exposure in history without using the keys. We can't determine whether a key is still active without using it, so we flag every hit for rotation.

Is removing the key enough?

No β€” it remains in git history. Only rotation makes the leaked key worthless to an attacker.

Does code have to leave us?

No β€” the history scan can run self-hosted in your environment.

Want to know your status?

Run a free scan or order a full Security Assessment β€” prioritised, not noise.

Run a free domain scan