Secrets don’t just leak from Git. They accumulate in filesystems, env vars, and agent memory. See how to find them, stop the bleed, and protect your whole supply chain

GitGuardian Blog provides insights, tutorials, and updates on secrets management, code security, and developer best practices. Covering topics such as credential leaks, code scanning, and secure development workflows, GitGuardian Blog offers resources for developers, security professionals, and DevOps teams. Readers can learn about detecting and preventing secrets exposure, securing code repositories, and implementing secure coding practices through GitGuardian's articles and security guides.

GitGuardian

Developer workstations have become prime targets for supply chain attacks because they hold plaintext credentials in .env files, shell profiles, Git history, and now AI agent memory files. Attackers like the Shai-Hulud and S1ngularity campaigns systematically harvest these local secrets at scale. Practical mitigations include scanning the local filesystem with ggshield, using pre-commit hooks, migrating secrets to vaults (1Password, CyberArk Conjur), encrypting .env files with SOPS, setting a global .gitignore, and treating AI agent memory as a sensitive data store. Longer-term strategies involve eliminating whole secret categories via WebAuthn/passkeys and OIDC federation, and adopting ephemeral credentials with SPIFFE/SPIRE for workload identity.

Protecting Developers Means Protecting Their Secrets

Why Developers Have Become Targets For Supply Chain Attacks