You’ve likely heard of Schrödinger’s Cat from quantum mechanics—both alive and dead until the box is opened. This paradox mirrors a critical risk in modern development: the secrets embedded in your code. You might assume they’re long deleted, but until you examine the depths of the commit history, you can’t be certain. Recently, the Aqua Nautilus team uncovered that secrets you thought were removed may remain exposed for years, waiting to be found by malicious actors. In fact, our research found that nearly 20% of sensitive data in GitHub repositories slips past traditional scanners.
To tackle this, we’re excited to introduce historical secret scanning — empowering teams to detect and eliminate these “phantom” secrets before they can fall into the wrong hands.
The Hidden Threat of Phantom Secrets
During development or testing, developers often embed secrets — such as credentials, API tokens, and passkeys — directly into their code. However, this practice significantly increases the attack surface and is considered poor security hygiene. These secrets must be removed before code is pushed to production. While many scanners can detect the presence of secrets and accidental exposures, Aqua Nautilus has uncovered a hidden threat overlooked by most tools: even after secrets are removed, they can still be retrieved from the commit history.
This issue stems from a fundamental design flaw in Git-based infrastructure, described in depth in our blog “Phantom Secrets: Undetected Secrets Expose Major Corporations”. Since this architecture underpins most Source Code Management (SCM) systems — including GitHub, GitLab, and Bitbucket — it impacts nearly all popular DevOps platforms. In fact, our research found a vast number of secrets belonging to Fortune 500 companies on GitHub alone.
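The following added example (not Aqua’s or Trivy’s code) makes the design point above concrete. It builds a throwaway repository in which a key-shaped string is committed and then deleted, compares what a scan of the checked-out files sees with what a walk of the commit history sees, and goes one step beyond the deleted-secret case described above to a commit that no branch references any more (as after a branch deletion or force-push), which even `git log --all` skips. It assumes a POSIX shell with `git` installed; the key values, file names and the `AKIA…` pattern are constructed for the demo and match nothing real.

```shell
#!/bin/sh
# Added example, not Aqua's code: shows why a scan of the checked-out files
# misses secrets that survive in git history, and how to look for them.
set -eu
export GIT_PAGER=cat

# Constructed, invalid sample values shaped like an AWS access key ID;
# the pattern below matches that shape only (assumption for the demo).
PATTERN='AKIA[0-9A-Z]{16}'
KEY_DELETED='AKIAEXAMPLEPHANTOM01'     # committed, then removed in a later commit
KEY_ORPHANED='AKIAEXAMPLEPHANTOM02'    # committed on a branch that was deleted

# Count distinct key-shaped strings on stdin.
count_keys() { grep -oE "$PATTERN" | sort -u | wc -l | tr -d ' '; }

# Build a throwaway repo in $1 containing both kinds of "phantom" secret.
make_repo() {
  dir=$1
  git -C "$dir" init -q
  git -C "$dir" config user.email phantom@example.invalid
  git -C "$dir" config user.name phantom
  git -C "$dir" config commit.gpgsign false
  # 1) secret committed, then deleted: still reachable from the branch history
  printf 'AWS_ACCESS_KEY_ID=%s\n' "$KEY_DELETED" > "$dir/config.env"
  git -C "$dir" add config.env
  git -C "$dir" commit -q -m 'add config'
  git -C "$dir" rm -q config.env
  git -C "$dir" commit -q -m 'remove config'
  # 2) secret committed on a side branch that is then deleted: no ref points
  #    at the commit any more, but the object still sits in the repository
  main=$(git -C "$dir" rev-parse --abbrev-ref HEAD)
  git -C "$dir" checkout -q -b leak
  printf 'token=%s\n' "$KEY_ORPHANED" > "$dir/notes.txt"
  git -C "$dir" add notes.txt
  git -C "$dir" commit -q -m 'scratch notes'
  git -C "$dir" checkout -q "$main"
  git -C "$dir" branch -q -D leak
}

# What a scanner of the current tree sees: only the files at HEAD.
count_worktree() { git -C "$1" grep -E "$PATTERN" HEAD | count_keys; }

# Every commit reachable from a branch or tag, deleted lines included.
count_history() { git -C "$1" log -p --all | count_keys; }

# Commits no ref reaches (after a branch delete, force-push or rebase);
# `git log --all` skips these, so they need a separate pass over the object store.
count_unreachable() {
  git -C "$1" fsck --unreachable --no-reflogs 2>/dev/null \
    | awk '$2 == "commit" { print $3 }' \
    | while read -r sha; do git -C "$1" show "$sha"; done \
    | count_keys
}

repo=$(mktemp -d)
make_repo "$repo"
echo "keys in checked-out files:   $(count_worktree "$repo")"    # 0
echo "keys in reachable history:   $(count_history "$repo")"     # 1
echo "keys in unreachable commits: $(count_unreachable "$repo")" # 1
rm -rf "$repo"
```

The three counts are the whole lesson: a file-based scan reports a clean repository, the reachable history still carries the deleted key, and the orphaned commit carries a second key that a history walk over branches and tags never visits. A remediation that only deletes the line in a new commit therefore changes nothing; the credential has to be rotated, and the history (including unreachable objects on the hosting platform) cleaned.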
The implications are alarming: attackers can exploit these exposed secrets to move laterally within an organization’s environment, escalate privileges, and gain access to sensitive data. What is worse, most scanning tools fail to detect this hidden threat.
This is why we developed historical secret scanning.
Introducing Historical Secret Scanning
We are excited to release historical secret scanning, expanding our code security capabilities, which are powered by Aqua Trivy, the most widely adopted cloud native scanner. This new feature addresses a critical and overlooked attack vector in developer environments — secrets that, though deleted from code, remain accessible in the commit history.
Historical secret scanning thoroughly scans and analyzes commit history to uncover hidden or deleted secrets that traditional scanners miss, enabling teams to eliminate these risks once and for all.
Key benefits of Aqua’s historical secret scanning include:
- Comprehensive visibility: Provides a complete view of all your secrets without blind spots.
- Enhanced detection: Accurately identifies deleted secrets within commit history, surpassing the capabilities of conventional scanners.
- Reduced attack surface: Teams can easily identify and take action to mitigate “phantom” secrets before they can be exploited by attackers.
- Stronger code security: Empowers developers to confidently release code, knowing there are no hidden risks.
Historical Secrets Scanning: How It Works
To detect “phantom” secrets, existing customers need to navigate to the “Sensitive Data” tab in the platform and trigger a historical scan for a specific code repository:
In a few minutes, you will see a detection screen with the findings:
To see historical secret scanning in action, watch this short demo:
Conclusion
Developers should remember that credentials, API tokens, and passkeys embedded in code can remain exposed for years, even after deletion. Aqua’s enhanced secret scanning provides complete visibility into your secrets without blind spots — including those buried in the commit history. This enables organizations to proactively mitigate these risks, reducing exposure to potential attacks and strengthening their overall security posture.
We invite you to try this new feature and share your feedback with us!