What do you do if a secret has already been committed and pushed? [Intermediate]
Answer
If a secret has been committed and pushed, treat it as compromised. Revoke or rotate it first, then check the source system's access logs for use since the push, remove it from live code and CI configuration, rewrite history only as cleanup (the old value stays valid until it is rotated), and notify the owners of the affected systems. Deleting the commit or force-pushing over it is not enough.
Technical explanation
Assume the value has already been copied: by clones and forks, by CI logs and build caches, by dependency mirrors, and by the scanners that watch public pushes and often try leaked credentials within minutes. A force-push removes the commit from the branch, not from those copies, and hosting platforms can keep the old commit reachable by its hash until it is garbage-collected.
Rotate before, or at least alongside, history cleanup: the exposed value must be invalid before the rewrite matters, and the rewrite itself is hygiene that stops the value re-leaking through future clones.
After remediation, add detection (a pre-commit or pipeline scanner such as gitleaks, push protection where the host offers it) and preventive controls (a secret manager, short-lived credentials) so the same class of leak is caught before it is pushed.
Hands-on example
Incident steps:
1) Identify the secret type, the system it authenticates to, and the scope of what it can reach.
2) Revoke or rotate it in the source system (cloud IAM, the token issuer, the database) so the leaked value stops working.
3) Search that system's access and audit logs for use between the push and the rotation, and treat any unexpected use as a breach to investigate.
4) Remove the secret from the working tree, from CI variables and from any deployed config; load the new value from a secret manager instead.
5) Rewrite history with git-filter-repo or BFG if the exposure warrants it, force-push, have every collaborator re-clone, and ask the hosting provider to purge cached commits that may remain reachable by hash. This is cleanup, not remediation.
6) Add gitleaks (or an equivalent scanner) as a pre-commit hook and a pipeline check, enable push protection where the host offers it, and integrate the secret manager so values never land in the repo.
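As an added example (not from the original page), the following POSIX shell script builds a throwaway repository in which a constructed placeholder key is committed and then blanked out in a follow-up commit, and shows that HEAD is clean while the value is still reachable in history. It then runs the cleanup step, guarded so it executes only if git-filter-repo is installed, and a gitleaks history scan, likewise guarded. The temporary repo path, the placeholder value (AWS's published example access key id), and the REDACTED replacement string are assumptions for the demo.

```shell
#!/bin/sh
# Added example: why deleting the file or the commit is not remediation.
set -eu

# Identity for the throwaway commits; avoids depending on a global git config.
export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.invalid
export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid

# Build a repo with two commits: one that adds the key, one that blanks it. Prints the path.
build_demo_repo() {
    repo=$(mktemp -d)
    git -C "$repo" init -q
    # Constructed value: AWS's published example access key id, not a live credential.
    printf 'AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n' > "$repo/.env"
    git -C "$repo" add .env
    git -C "$repo" commit -q -m 'add deployment config'
    # The "fix" most people reach for first: blank the value and commit again.
    printf 'AWS_ACCESS_KEY_ID=\n' > "$repo/.env"
    git -C "$repo" add .env
    git -C "$repo" commit -q -m 'remove leaked key'
    echo "$repo"
}

# Is the literal present in the tree at HEAD? Prints yes or no.
head_contains() {
    if git -C "$1" grep -q -F -e "$2" HEAD; then echo yes; else echo no; fi
}

# How many commits on any ref add or remove the literal? Prints the count.
# This, not a look at HEAD, is the check to run before declaring history clean.
commits_touching() {
    git -C "$1" log --all --oneline -S"$2" | wc -l | tr -d ' '
}

# Cleanup step (only after rotation): rewrite every blob so the literal is replaced.
# Requires git-filter-repo; prints skipped when it is not installed.
purge_from_history() {
    repo=$1; needle=$2
    if ! command -v git-filter-repo >/dev/null 2>&1; then echo skipped; return 0; fi
    rules=$(mktemp)
    # filter-repo replace-text syntax: literal==>replacement, one rule per line.
    printf '%s==>REDACTED\n' "$needle" > "$rules"
    # --force: the demo repo is not a fresh clone, which filter-repo otherwise insists on.
    git -C "$repo" filter-repo --force --quiet --replace-text "$rules"
    rm -f "$rules"
    echo purged
}

# Detection: scan all history with gitleaks if available. Its default rule set
# covers AKIA-prefixed key ids; exit status 1 means findings. Skipped if absent.
scan_history() {
    command -v gitleaks >/dev/null 2>&1 || { echo skipped; return 0; }
    if gitleaks detect --source "$1" --log-opts=--all; then echo clean; else echo findings; fi
}

demo() {
    repo=$(build_demo_repo)
    echo "HEAD contains key:          $(head_contains "$repo" AKIAIOSFODNN7EXAMPLE)"
    echo "commits touching key:       $(commits_touching "$repo" AKIAIOSFODNN7EXAMPLE)"
    echo "gitleaks before rewrite:    $(scan_history "$repo")"
    echo "history rewrite:            $(purge_from_history "$repo" AKIAIOSFODNN7EXAMPLE)"
    echo "commits touching key now:   $(commits_touching "$repo" AKIAIOSFODNN7EXAMPLE)"
    rm -rf "$repo"
}
demo
```

The first two lines of output are the point of the exercise: HEAD reports no, yet two commits still carry the value, so anyone with a clone, a fork, or a cached view of the old commit hash still has it. The rewrite only drops that count to zero locally; the remote, every other clone, and the provider's cache still need the force-push, re-clone and purge request from step 5, and none of it matters unless step 2 has already made the value worthless.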
More Security & DevSecOps interview questions
- What is DevSecOps, and how does it differ from traditional security gating at the end? [Basic]
- What does shift-left security mean, and why does it matter? [Basic]
- What is the difference between SAST, DAST, IAST, and SCA? [Basic]
- When in the pipeline does each of SAST, DAST, and SCA run? [Basic]
- What is the difference between SAST and DAST, and what does each catch and miss? [Basic]
- What is software composition analysis (SCA), and why does it matter for dependencies? [Basic]
- What is SonarQube, and what does it analyse? [Basic]
- Is SonarQube primarily SAST, code quality, or both? [Basic]