What is secrets scanning, and how do you stop secrets being committed to Git? [Intermediate]
Answer
Secrets scanning detects credentials (API keys, tokens, passwords, private keys) that were accidentally committed to source code, container images, logs, or configuration files. To stop secrets from reaching Git, I use pre-commit hooks, server-side scanning, PR checks, developer education, and patterns that avoid static credentials in the first place.
Technical explanation
Tools include gitleaks, trufflehog, GitHub secret scanning, GitLab secret detection, and enterprise DLP controls.
Pre-commit checks give the fastest feedback, but server-side scanning is still needed because local hooks can be bypassed (skipped, uninstalled, or never installed on a given clone).
The strongest prevention is workload identity (OIDC) plus a secrets manager, so developers never handle long-lived keys and there is nothing static to leak.
Hands-on example
gitleaks detect --source . --redact --exit-code 1
Run this in a pre-commit hook and in CI: --redact keeps the matched secret out of the logs, and --exit-code 1 makes the job fail when a leak is found. Configure branch protection so the PR cannot merge while the scan is failing. For cloud access, use GitHub OIDC to assume a role instead of storing AWS keys in the repository or in CI secrets.
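As an added illustration of the pre-commit layer described above (this is example code, not from the page or from the gitleaks project), the POSIX shell script below scans only the lines a commit would add, reports hits with the value redacted, and honours a small allowlist. The credential patterns and the allowlist markers are constructed for this example; a real scanner ships hundreds of rules and a richer allowlist format, which is why this sits beside gitleaks rather than replacing it.

```shell
#!/bin/sh
# Added example (not from the page): a minimal pre-commit secret check that scans
# only the lines being added in the staged diff and redacts anything it reports.
# Patterns and allowlist below are constructed for this example.

# Credential shapes flagged here: AWS access key id, PEM private key header,
# GitHub PAT prefix, and a generic "password/secret/api_key/token = <long literal>".
SECRET_PATTERNS='AKIA[0-9A-Z]{16}|-----BEGIN [A-Z ]*PRIVATE KEY-----|ghp_[A-Za-z0-9]{36}|([Pp]assword|[Ss]ecret|[Aa]pi_?[Kk]ey|[Tt]oken)[[:space:]]*[=:][[:space:]]*[^[:space:]]{12,}'

# Lines that reference a variable or a secret store rather than a literal value are
# skipped; a '# scan-allow' marker lets a reviewer record a deliberate exception.
ALLOW_PATTERNS='\$\{|secrets\.|scan-allow'

# scan_text: read text on stdin; print each hit as "<line>:<short prefix>...[REDACTED]"
# (never the secret itself) and return 1 if anything was found, 0 otherwise.
scan_text() {
  hits=$(grep -En "$SECRET_PATTERNS" | grep -Ev "$ALLOW_PATTERNS" || true)
  if [ -n "$hits" ]; then
    # keep the line number and up to 8 leading characters so the hit can be located
    printf '%s\n' "$hits" | sed -E 's/^([0-9]+:.{0,8}).*/\1...[REDACTED]/'
    return 1
  fi
  return 0
}

# scan_staged: feed only the added lines of the staged diff to scan_text, so the
# hook judges exactly what this commit would introduce, not the whole tree.
scan_staged() {
  git diff --cached --unified=0 --no-color | grep -E '^\+[^+]' | sed 's/^+//' | scan_text
}

# Act as a hook when invoked with --staged or installed as .git/hooks/pre-commit;
# otherwise the functions are just defined (so the file can be sourced or tested).
run_hook=0
case "${1:-}" in --staged) run_hook=1 ;; esac
case "$0" in */hooks/pre-commit) run_hook=1 ;; esac
if [ "$run_hook" = 1 ]; then
  if ! scan_staged; then
    echo "pre-commit: possible secret in staged changes; commit blocked" >&2
    exit 1
  fi
fi
```

Install it by copying the file to .git/hooks/pre-commit and making it executable; because anyone can skip a local hook with --no-verify, the same check (or gitleaks) must also run server-side or in CI with branch protection, as the answer above says.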