audit: Secrets, credentials, and configuration security #46

@Snider

Description

Security Audit: Secrets & Configuration

Hunt for exposed secrets and insecure configuration.

Secret Detection

Scan for:

  1. API Keys - AWS, GCP, Azure, Stripe, etc.
  2. Passwords - Hardcoded in code/config
  3. Tokens - JWT secrets, OAuth tokens
  4. Private Keys - SSH, SSL/TLS, signing keys
  5. Database Credentials - Connection strings

Check Locations

  • Source code (all files)
  • Configuration files
  • Environment files (.env, .env.example)
  • Docker files
  • CI/CD configs
  • Git history

Configuration Security

  1. Default Credentials - Changed from defaults?
  2. Debug Mode - Disabled in production?
  3. Error Verbosity - Leaking stack traces?
  4. CORS Policy - Too permissive?
  5. Security Headers - CSP, HSTS, etc.?

Output

Save to AUDIT-SECRETS.md

Do not include actual secret values - just location and type.
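The checklist above describes one procedure: scan the listed locations (working tree and git history) for the five secret types plus the configuration checks, then write AUDIT-SECRETS.md with location and type only. The following Python scanner is an added example that implements that procedure end to end; it is not code from this issue or its project. The detection patterns, the placeholder allowlist, the sample files and the `git log -p` fragment are all constructed for the demonstration, and a production scanner would carry a much larger rule set.

```python
"""Added example (not project code): a minimal secrets/config audit scanner that
records only the location and type of each finding, never the matched value."""
import re
import subprocess
from pathlib import Path

# Ordered rules: the first rule that matches a line wins, so specific formats take
# priority over the generic assignment rule. Patterns are assumptions for this demo.
RULES = [
    ("Private key block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----")),
    ("AWS access key ID", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("JWT", re.compile(r"\beyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\b")),
    ("Database connection string with credentials",
     re.compile(r"\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?|redis)://[^\s:/@]+:[^\s@]+@")),
    ("Hardcoded credential assignment",
     re.compile(r"(?:password|passwd|pwd|secret(?:_access)?(?:_key)?|api_key|token)"
                r"\s*[=:]\s*['\"]?[^'\"\s]{4,}", re.I)),
    ("Debug mode enabled", re.compile(r"\bDEBUG\s*[=:]\s*(?:True|1|on|yes)\b", re.I)),
    ("Wildcard CORS origin",
     re.compile(r"Access-Control-Allow-Origin['\"]?\s*[:=,]?\s*['\"]?\*|\borigin\s*:\s*['\"]\*['\"]", re.I)),
]
# Template values (as in .env.example) are not findings; tested against the match only.
PLACEHOLDER = re.compile(r"changeme|your[_-]?|example|placeholder|xxxx|<[^>]+>", re.I)
SKIP_DIRS = {".git", "node_modules", "vendor", "dist", "build"}

def scan_text(location: str, text: str) -> list[dict]:
    """Scan one file's text; a finding carries path, line and type but not the secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in RULES:
            match = pattern.search(line)
            if match:
                if not PLACEHOLDER.search(match.group(0)):
                    findings.append({"path": location, "line": lineno, "type": kind})
                break
    return findings

def scan_tree(root: Path) -> list[dict]:
    """Walk the working tree: source, configs, .env*, Dockerfiles, CI configs."""
    findings = []
    for path in sorted(root.rglob("*")):
        rel = path.relative_to(root)
        if path.is_file() and not SKIP_DIRS & set(rel.parts):
            findings += scan_text(str(rel), path.read_text(encoding="utf-8", errors="ignore"))
    return findings

def scan_patch(patch_text: str) -> list[dict]:
    """Scan lines added in a `git log -p` stream, so a secret committed and later
    deleted still surfaces; location is <commit>:<path>, line is unknown."""
    findings, commit, path = [], "unknown", "unknown"
    for line in patch_text.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1][:12]
        elif line.startswith("+++ b/"):
            path = line[6:]
        elif line.startswith("+") and not line.startswith("+++"):
            for finding in scan_text(f"{commit}:{path}", line[1:]):
                finding["line"] = None  # diff offsets are not file line numbers
                findings.append(finding)
    return findings

def scan_git_history(repo: Path) -> list[dict]:
    """Needs the git CLI; outside a repo git prints an error and no findings result."""
    out = subprocess.run(["git", "-C", str(repo), "log", "--all", "-p", "--no-color",
                          "--format=commit %H"], capture_output=True, text=True, check=False)
    return scan_patch(out.stdout)

def render_markdown(findings: list[dict]) -> str:
    """AUDIT-SECRETS.md content: a location/type table, value-free by construction."""
    rows = ["# AUDIT-SECRETS", "", "| Location | Type |", "|---|---|"]
    for f in findings:
        loc = f["path"] if f["line"] is None else f"{f['path']}:{f['line']}"
        rows.append(f"| {loc} | {f['type']} |")
    return "\n".join(rows) + "\n"

# Constructed sample tree and history fragment; every "secret" here is fake.
SAMPLE_FILES = {
    "config/settings.py": 'DEBUG = True\nDATABASE_URL = "postgres://app:Pa55w0rd-not-real@db.internal:5432/app"\n',
    "Dockerfile": "FROM python:3.12-slim\nENV ADMIN_PASSWORD=Tr0ub4dor&3\n",
    "deploy/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXk-constructed\n-----END OPENSSH PRIVATE KEY-----\n",
    ".github/workflows/ci.yml": "env:\n  AWS_ACCESS_KEY_ID: AKIAZZZZTESTKEY00001\n",
    "src/auth.js": 'const token = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ0ZXN0In0.c2lnbmF0dXJlLWNvbnN0cnVjdGVk";\n'
                   'app.use(cors({ origin: "*" }));\n',
    ".env.example": "DB_PASSWORD=your_password_here\nSECRET_KEY=changeme\n",
}
SAMPLE_PATCH = ("commit 0123456789abcdef0123456789abcdef01234567\ndiff --git a/old.env b/old.env\n"
                "--- /dev/null\n+++ b/old.env\n@@ -0,0 +1,2 @@\n+APP_NAME=demo\n"
                "+STRIPE_SECRET=constructed-value-1234\n")

def scan_samples() -> list[dict]:
    return [f for path, text in SAMPLE_FILES.items() for f in scan_text(path, text)]

if __name__ == "__main__":
    import sys
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else None
    results = scan_samples() if root is None else scan_tree(root) + scan_git_history(root)
    Path("AUDIT-SECRETS.md").write_text(render_markdown(results), encoding="utf-8")
    print(f"{len(results)} finding(s) written to AUDIT-SECRETS.md")
```

Run it with a repository path to scan that tree and its full history, or with no arguments to run against the embedded samples. Two design points follow the issue's output rule: a finding is stored as path, line and type the moment it is detected, so the report cannot leak a value even by accident, and history hits are keyed by commit and path rather than line number, since a `git log -p` offset does not identify a line in any checked-out file. The placeholder allowlist is applied to the matched text only, not the whole line, so a template value in .env.example is suppressed without hiding a real credential elsewhere on the same line.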

Labels: jules (For Jules AI to work on)
