Secret Scanning with Gitleaks

I have built a deliberately vulnerable Flask app to use as a target for building a real DevSecOps pipeline. The repo is at https://github.com/pkkht/devsecops-demo. This part covers the first gate in the pipeline — secret scanning.

Why are secrets in code such a big deal?

AWS access keys, API tokens, database passwords — they end up in source code more often than you would think. A developer hardcodes a key to test something locally, forgets to remove it, and commits it. If the repo is public even for a minute, bots that scan GitHub continuously will find it. It is one of the most preventable attack vectors and one of the most common. The fix is to catch it before the commit happens.

The demo app already has secrets in it, intentionally added. We will use Gitleaks to catch the exposed secrets.

What is Gitleaks

Gitleaks is an open source secret scanner.…
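To make concrete what a scanner like Gitleaks does before a commit lands, here is an added example (not Gitleaks' own code and not part of the demo repo) of the core technique: regex rules keyed by rule id, a Shannon entropy filter to suppress placeholder-looking matches, an inline allowlist comment, and a non-zero exit code that a pre-commit hook or CI job can use as a gate. The AWS access key ID pattern follows the well-known AKIA/ASIA-prefix shape; the generic rule, the entropy threshold of 3.5 bits, the `gitleaks:allow` marker handling and the sample source file are all constructed for this illustration (the AWS key ID in the sample is AWS's public documentation example, not a live credential).

```python
"""Minimal secret scanner illustrating how a pre-commit secret gate works.

Added example; it mimics the shape of Gitleaks' rules but is not Gitleaks' code.
"""
import math
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Finding:
    rule_id: str
    line_no: int
    secret: str


# Rules in the Gitleaks style: a rule id mapped to a regex whose first capture
# group is the secret. The AWS pattern matches the documented key ID prefixes
# followed by 16 uppercase alphanumerics; the generic rule is an assumption
# for this example, catching long tokens assigned to secret-looking names.
RULES: Dict[str, "re.Pattern[str]"] = {
    "aws-access-key-id": re.compile(
        r"\b((?:A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16})\b"
    ),
    "generic-api-key": re.compile(
        r"(?i)(?:api[_-]?key|secret|token|password)\s*[=:]\s*['\"]([A-Za-z0-9_\-]{16,})['\"]"
    ),
}


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character: random tokens score high, words score low."""
    if not s:
        return 0.0
    counts: Dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(text: str, min_entropy: float = 3.5) -> List[Finding]:
    """Run every rule over every line; honor an inline allowlist comment."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if "gitleaks:allow" in line:  # reviewed false positive, skip the line
            continue
        for rule_id, pattern in RULES.items():
            for match in pattern.finditer(line):
                secret = match.group(1)
                # AWS key IDs have a fixed shape, so only the generic rule
                # is filtered by entropy (placeholders like "changeme" drop out).
                if rule_id == "generic-api-key" and shannon_entropy(secret) < min_entropy:
                    continue
                findings.append(Finding(rule_id, line_no, secret))
    return findings


def redact(secret: str) -> str:
    """Show only a prefix so the report itself does not leak the value."""
    return secret[:4] + "..." + "*" * (len(secret) - 4)


def gate_exit_code(text: str) -> int:
    """Exit status for a pre-commit hook or CI step: 1 blocks the commit."""
    return 1 if scan_text(text) else 0


# Constructed sample source file with one real-looking AWS key ID (AWS docs
# example), one placeholder password, one high-entropy token, one safe line
# that reads from the environment, and one allowlisted test fixture.
SAMPLE = '''\
import os
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
DB_PASSWORD = "changemechangeme"
API_TOKEN = "x9Kd2pQ7vL1mZ8rT4wB6nH0yJ3sE5cG2"
SAFE_KEY = os.environ["API_KEY"]
TEST_TOKEN = "AKIAAAAAAAAAAAAAAAAA"  # gitleaks:allow
'''

if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        print(f"{f.rule_id}: line {f.line_no}: {redact(f.secret)}")
    raise SystemExit(gate_exit_code(SAMPLE))
```

Run against the sample it reports the AWS key ID on line 2 and the high-entropy token on line 4, skips the low-entropy placeholder and the allowlisted fixture, and exits 1 so a hook wired to it would refuse the commit; a file that only reads secrets from the environment exits 0.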