How to Reduce Code Risk Using Pipelineless Security

Secrets embedded in source code pose a risk to developers and the organizations they work in. Secrets can be used to take over both user and service accounts, which can lead to sensitive data exposure, operational risks, and financial or reputational damage.

There are many commercial and open source projects available to detect hardcoded secrets, but mitigating an exposed secret, whether by removing, obfuscating, or rotating it, is extremely hard. For example, rotating a secret tied to a service in your cloud environment can cause a denial of service across your application if that service is also consumed by other code in which the secret was not detected: that code keeps presenting the old, now-invalid value. This can happen even if the secret is stored securely in a secrets management service, because a copy hardcoded elsewhere is not updated by the rotation.
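The two halves of that paragraph, detection and the rotation hazard, can be shown together in a small scanner. The following is an added example, not code from the article or from any product it describes: it flags candidate secrets by token shape plus Shannon entropy, then reports every file that references the same literal value, including files where the scanner's own patterns did not fire. That second list is the blast radius a rotation would have to cover. The file contents and credential values are constructed for the example; `AKIAEXAMPLEEXAMPLE00` and `q7Fz2mLp9XbW4tKvR8nH` are not real keys.

```python
import math
import re
from collections import Counter
from pathlib import Path

# Token shapes for a few well-known public credential formats plus a generic
# "name = 'value'" assignment. These patterns are illustrative, not exhaustive.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "generic_assignment": re.compile(
        r"(?i)\b(?:api[_-]?key|secret|token|password)\b\s*[:=]\s*['\"]([^'\"\s]{12,})['\"]"
    ),
}


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character: random keys score high, dictionary words low."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_secrets(text: str, entropy_threshold: float = 3.5):
    """Return (kind, value, line_no) for every candidate secret in text."""
    findings = []
    seen = set()
    for line_no, line in enumerate(text.splitlines(), 1):
        for kind, pat in PATTERNS.items():
            for m in pat.finditer(line):
                value = m.group(1) if m.groups() else m.group(0)
                # Prefix-matched tokens are reported as-is; a generic assignment
                # must also look random, so `password = "passwordpassword"` is skipped.
                if kind == "generic_assignment" and shannon_entropy(value) < entropy_threshold:
                    continue
                if (value, line_no) not in seen:
                    seen.add((value, line_no))
                    findings.append((kind, value, line_no))
    return findings


def blast_radius(files: dict, value: str):
    """Every file containing the literal value, whether or not the scanner flagged it."""
    return sorted(path for path, text in files.items() if value in text)


def scan_tree(files: dict):
    """Map each detected secret value to where it was found and every file that uses it."""
    report = {}
    for path, text in files.items():
        for kind, value, line_no in find_secrets(text):
            entry = report.setdefault(value, {"kind": kind, "found_in": [], "referenced_by": []})
            entry["found_in"].append((path, line_no))
    for value, entry in report.items():
        entry["referenced_by"] = blast_radius(files, value)
    return report


def load_tree(root: Path) -> dict:
    """Read a real source tree into the {relative_path: text} shape scan_tree expects."""
    files = {}
    for p in root.rglob("*"):
        if p.is_file():
            try:
                files[str(p.relative_to(root))] = p.read_text(encoding="utf-8")
            except UnicodeDecodeError:
                continue  # skip binaries
    return files


# Constructed sample repository. scripts/report.py reuses the app key in a shape
# the generic pattern does not recognise, which is exactly the case the article
# warns about: rotating the key would break that job.
SAMPLE_FILES = {
    "app/config.py": 'API_KEY = "q7Fz2mLp9XbW4tKvR8nH"\npassword = "passwordpassword"\n',
    "infra/deploy.sh": "export AWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE00\n",
    "scripts/report.py": '# legacy job\nheaders = {"X-Api-Key": "q7Fz2mLp9XbW4tKvR8nH"}\n',
    "README.md": "Run the deploy script with your own credentials.\n",
}

if __name__ == "__main__":
    for value, entry in scan_tree(SAMPLE_FILES).items():
        print(f"{entry['kind']}: detected in {entry['found_in']}, used by {entry['referenced_by']}")
```

The `referenced_by` list is the part worth acting on before a rotation: each file in it that is not also in `found_in` is a consumer the detector missed, and the new value has to reach it (or the reference has to be replaced by a lookup from the secrets manager) before the old value is revoked. Pointing `load_tree` at a real checkout swaps the constructed sample for a working tree.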
