Episode 30 · Module 7 · Data Protection

Secrets Management

19 May 2026 · 8:04 · Security for Legal SaaS

8:04 8:04

In Episode 29, we covered cryptographic key management — the infrastructure protecting your encryption keys. But encryption keys are only one type of secret your application depends on. Every legal SaaS platform runs on dozens of secrets: database passwords, API keys for e-filing integrations, LLM provider tokens, OAuth client secrets, SMTP credentials, and webhook signing keys. If any of these leak, an attacker doesn't need to break your encryption — they walk through the front door.

Today’s Lesson

Security for Legal SaaS — Episode 30: Secrets Management

If It's in Your Git History, It's Not a Secret

GitGuardian's 2025 State of Secrets Sprawl Report found that 23.8 million secrets were leaked on public GitHub repositories in 2024 — a 25% increase year-over-year. Worse, 70% of secrets detected in 2022 were still active two years later. Nobody revoked them.¹

This episode covers the secrets lifecycle: how to generate, store, distribute, rotate, and revoke the credentials that keep your system running.

What Counts as a Secret

A secret is any credential, token, or key that grants access to a system or resource. In a typical legal SaaS stack:

Secret Type	What It Accesses	Risk If Leaked
Database connection string	Production database with client case data	Full data exfiltration
LLM API key (OpenAI, Anthropic)	AI model endpoints; billed per-token	Financial abuse + data exposure via prompts
OAuth client secret	Identity provider integration (Okta, Azure AD)	Account impersonation
SMTP credentials	Email sending (client notifications, e-filing confirmations)	Phishing from your domain
Webhook signing key	Verification of inbound webhooks (payment processors, court APIs)	Forged event injection
Cloud IAM credentials	AWS/GCP/Azure infrastructure	Full infrastructure compromise

Every one of these is a skeleton key to a different room in your building. Secrets management is about ensuring none of them are lying on the floor.

The Secrets Lifecycle

The OWASP Secrets Management Cheat Sheet defines five stages:²

1. Generation

Secrets must be generated with sufficient entropy using cryptographically secure random number generators (CSPRNGs — as we introduced in Episode 19). Never use predictable patterns, sequential values, or human-chosen passwords for machine credentials. API keys should be at least 256 bits of randomness.

2. Storage

Secrets belong in a dedicated secrets manager — never in source code, environment files checked into version control, or configuration management databases.

The .env trap: Many developers store secrets in `.env` files during development. The problem arrives when `.env` gets committed to git. Removing it from the current branch does not remove it from git history. Every clone of the repository — every developer's laptop, every CI runner, every fork — contains the full history, including the secret. Git history is permanent.³

3. Distribution

Secrets must reach your application at runtime without passing through insecure channels. The two dominant patterns:

Pattern	How It Works	Example
Pull-based	Application authenticates to secrets manager and retrieves secrets at startup	App uses IAM role to pull from AWS Secrets Manager
Injection-based	Orchestration platform injects secrets as environment variables at deployment	Kubernetes Secrets mounted as volumes; CI/CD variable injection

Pull-based is generally preferred because the application authenticates independently, and secrets are never written to disk or deployment manifests.⁴

4. Rotation

Secrets should have defined lifetimes. Dynamic secrets — short-lived credentials generated on demand — are the gold standard. HashiCorp Vault's dynamic secrets engine can generate database credentials that automatically expire after a configurable TTL (time to live, as we covered in Episode 19). The application requests credentials, uses them for the session, and they self-destruct.⁵

5. Revocation

When a secret is compromised — or when an employee leaves, a service is decommissioned, or a vendor relationship ends — the secret must be immediately revoked. This requires a centralised system that knows every active secret and can invalidate any of them instantly.

Secrets Managers Compared

Tool	Type	Dynamic Secrets	Secret Scanning	Best For
HashiCorp Vault	Self-hosted or managed	Yes (database, cloud, PKI)	No (pair with scanner)	Full lifecycle; multi-cloud
AWS Secrets Manager	Managed	Yes (RDS rotation)	No	AWS-native stacks
Doppler	Managed	No	Yes (drift detection)	Developer experience; small teams
1Password for Teams	Managed	No	CLI integration	Shared team secrets; non-engineering

For legal SaaS platforms, the minimum viable setup is: a managed secrets manager (AWS Secrets Manager or Vault), pre-commit secret scanning in CI, and a documented rotation policy.⁶

Secret Scanning: Catching Leaks Before They Ship

The defence against accidental commits is a pre-commit hook that scans staged changes for patterns matching known secret formats. Tools include:

**Gitleaks** — open-source, regex-based, fast
**GitGuardian** — SaaS with GitHub/GitLab integration; detects 350+ secret types
**TruffleHog** — open-source; verifies whether detected secrets are still active
GitHub Push Protection — native GitHub feature that blocks pushes containing recognised secret patterns⁷

The AI complication: GitHub Copilot usage increased 27% between 2023 and 2024. Repositories using Copilot had a 6.4% secret leakage rate — AI code completion can suggest patterns that include placeholder credentials matching real formats.⁸

LLM API Keys: A Special Case

LLM API keys deserve particular attention for legal SaaS:

High financial exposure. A leaked OpenAI or Anthropic API key can generate thousands of dollars in charges within hours.
Data exposure. If an attacker uses your API key, they can send prompts containing your clients' legal documents to the model provider — and those prompts may be logged.
Per-environment isolation. Development, staging, and production must use separate API keys. A developer's test key should never have access to production-tier models or billing.
Rate limiting and spend caps. Configure provider-side spending limits and alert thresholds so a compromised key burns through a cap, not your budget.

Real-World Secret Leaks in Legal and Professional Services

Incident	What Happened	Impact
Uber (2016)	Engineers stored AWS credentials in a private GitHub repository; attackers found them	57 million records exposed; $148 million settlement
Samsung (2022)	Employees pasted proprietary source code — including secret keys — into ChatGPT prompts	Internal secrets exposed to a third-party AI provider; Samsung banned ChatGPT internally
CircleCI (2023)	An engineer's laptop was compromised, exposing the master encryption key that protected all customers' secrets in the CI/CD platform	Every customer secret potentially exposed; immediate rotation required across all customers

For legal SaaS, the Samsung case is particularly instructive. As legal teams adopt AI coding assistants and LLM-powered research tools, the risk of accidentally pasting secrets — API keys, credentials, even privileged client data — into third-party AI prompts is growing. Secret scanning should cover not just git commits but also AI tool integrations.¹⁰

The 96% stat: GitGuardian found that 96% of leaked GitHub tokens had write access — not just read access. A compromised token doesn't just let an attacker see your code. It lets them modify it, inject backdoors, or push malicious releases. For a legal SaaS platform, that means a leaked deployment token could allow an attacker to push code that exfiltrates client data.¹

The Twelve-Factor App and Configuration

The Twelve-Factor App methodology, widely adopted in modern SaaS development, states: "Store config in the environment." Configuration that varies between deployments — including secrets — should come from environment variables, not from files in the codebase. This principle keeps secrets out of version control by design.⁹

But environment variables have their own risks. They appear in process listings (`ps aux`), crash dumps, and logging frameworks that capture the full environment. The safest approach is to use environment variables as pointers to a secrets manager, not as the secrets themselves: `DATABASE_URL_SECRET_ARN=arn:aws:secretsmanager:...` rather than `DATABASE_URL=postgres://user:password@host/db`.

What's Next

Episode 31 covers PII Handling and Anonymisation — how to classify, minimise, and protect personally identifiable information in legal tech, where personal data is often also privileged data.

Sources & Further Reading

Sources & references

GitGuardian, State of Secrets Sprawl 2025 — 23.8 million secrets leaked on public GitHub in 2024; 70% of 2022 secrets still active in 2024.
OWASP, Secrets Management Cheat Sheet.
Snyk, Why 28 Million Credentials Leaked on GitHub in 2025 — git history permanence and remediation challenges.
Palo Alto Networks, The Top 5 Secrets Management Mistakes and How to Avoid Them.
HashiCorp, Vault Secrets Management Tutorials — Dynamic Secrets.
OWASP, Non-Human Identities Top 10: NHI2:2025 Secret Leakage.
GitGuardian, The State of Secrets Sprawl 2025 — Push Protection.
GitGuardian, 70% of Leaked Secrets Stay Active Two Years Later — Copilot secret leakage rate.
Twelve-Factor App, III. Config.
InfoQ, Secret Sprawl in Public Repos is Worse Than Ever.

Alice: Welcome back to Security for Legal SaaS. I'm Alice.

Dan: And I'm Dan. Episode 30 — secrets management. Last episode was about cryptographic keys. This time we're talking about all the other credentials — the API keys, database passwords, and tokens your application needs to function. Alice, how big is this problem really?

Alice: Bigger than most people realise. GitGuardian's 2025 report found that 23.8 million secrets were leaked on public GitHub repositories in a single year. And here's the part that keeps me up at night — 70% of secrets that leaked in 2022 were still active two years later. Nobody revoked them. Nobody rotated them. They're just sitting there, working, waiting for someone to find them.

Dan: Twenty-three million. And when you say "secrets," you mean more than just passwords?

Alice: Much more. A secret is anything that grants access to a system. For a legal SaaS platform, that's your database connection string — which gives access to every client's case data. It's your LLM API key — which someone could use to run up thousands of dollars in charges and potentially expose client documents in prompts. It's your OAuth client secret for your Okta or Azure AD integration, your SMTP credentials for sending e-filing confirmations, your webhook signing keys for verifying court API callbacks. Each one is a skeleton key to a different room in your building.

Dan: Right. So where do people go wrong? What's the most common mistake?

Alice: <sigh> Putting secrets in source code. Or in a .env file that gets committed to git. Here's what developers often don't realise: removing a file from the current branch does not remove it from git history. Git is an append-only ledger — every commit ever made is preserved. So when you commit a .env file with your database password, realise the mistake, and delete it in the next commit — the password is still in the repository's history. Every clone of that repo, every developer's laptop, every CI runner that ever checked it out — they all have it. It's like shredding a document after you've already photocopied it and mailed copies to fifty people.

Dan: Hmm. That's a pretty sobering analogy. So where should secrets live?

Alice: In a dedicated secrets manager. Think of it as a specialised vault — separate from your code, separate from your database, with its own access controls and audit logging. The big names are HashiCorp Vault, AWS Secrets Manager, and for smaller teams, Doppler. The idea is the same as key management from last episode — your application authenticates to the secrets manager at startup, pulls the credentials it needs, and uses them. The secrets never appear in your codebase, never get written to a config file on disk, never show up in a deployment manifest.

Dan: Yeah. And how does the application prove it's allowed to access the secrets?

Alice: Good question. The most secure pattern is cloud-native identity. On AWS, your application runs with an IAM role — an identity assigned by the cloud platform itself. The application doesn't carry any credential to authenticate to the secrets manager; the cloud platform vouches for it based on where it's running. It's like a building with badge access — you don't need a key because the building already knows who you are based on your badge. No credential to steal.

Dan: Mm-hmm. Now, you mentioned rotation. How does that work with secrets that aren't encryption keys — like database passwords?

Alice: The gold standard is dynamic secrets. Instead of creating a database password and using it for months, your secrets manager generates a fresh credential on demand every time your application starts or every few hours. HashiCorp Vault is especially good at this. Your app says "I need database access," Vault creates a temporary user with just the permissions the app needs, and that credential automatically expires after a configured time — maybe an hour, maybe a day. If an attacker somehow steals that credential, it's already dead by the time they try to use it.

Dan: That's clever. What about scanning for secrets that have already leaked?

Alice: Prevention and detection. For prevention, you install a pre-commit hook — a check that runs automatically before any code is committed to the repository. Tools like Gitleaks, GitGuardian, and TruffleHog scan your staged changes for patterns that look like API keys, database URLs, or tokens. If they find one, they block the commit before it ever reaches the repository. GitHub also has a built-in feature called Push Protection that does this at the server level.

Dan: And for secrets that are already out there?

Alice: You run a full-history scan — TruffleHog can crawl every commit in a repository's history and even verify whether the detected secrets are still active. The realistic response to finding a leaked secret is: revoke it immediately, generate a new one, and update whatever system uses it. Don't just delete the file and hope nobody noticed. Assume it's been scraped.

Dan: Mm. There's an AI angle here too, isn't there? A lot of legal SaaS tools are integrating LLMs now.

Alice: Yes, and LLM API keys deserve special attention. Three reasons. First, financial exposure — a leaked key can generate thousands of dollars in model usage within hours, and you're paying the bill. Second, data exposure — if an attacker uses your API key to send prompts, those prompts might contain your clients' legal documents, and they may be logged by the model provider. Third, the AI coding tools themselves are part of the problem. GitGuardian found that repositories using GitHub Copilot had a 6.4% secret leakage rate. The AI suggests code patterns that include credentials matching real formats.

Dan: Yeah, that's an ironic twist — AI tools creating AI security problems. What about the Twelve-Factor App methodology? I've heard that mentioned in the context of configuration.

Alice: The Twelve-Factor App says "store config in the environment" — meaning secrets should come from environment variables, not from files in your codebase. That's the right starting point. But environment variables have their own risks. They show up in process listings, in crash dumps, and in logging frameworks that capture the full environment. So the refinement is: use environment variables as pointers to your secrets manager, not as the secrets themselves. Instead of putting the actual database password in an environment variable, you put the reference — like an AWS Secrets Manager ARN — and the application resolves it at runtime.

Dan: Mm. So the environment variable says "go look in this vault," not "here's the combination."

Alice: Exactly. The variable is a map to the treasure. Not the treasure itself. And that distinction — between holding a reference and holding the actual secret — is the core principle of every good secrets management architecture.

Dan: Next episode — PII Handling and Anonymisation. How to classify and protect personally identifiable information, especially when that PII is also legally privileged.

Alice: Until then, I'm Alice.

Dan: And I'm Dan.

Alice: Security for Legal SaaS is a series written with AI assistance. Alice and Dan are AI-generated voices — no professional advice here, just education.

Security for Legal SaaS is a series written with AI assistance. Alice and Dan are AI-generated voices — no professional advice here, just education.