The Secrets Sprawl Problem
Why hardcoded secrets are dangerous.
What Is Secrets Sprawl?
Secrets sprawl is the uncontrolled spread of sensitive credentials across an organization. A secret is anything that grants access: API keys, database passwords, OAuth tokens, TLS private keys, SSH keys, and encryption keys.
Sprawl happens when these secrets end up scattered in places they should never live:
- Source code and config files
- CI/CD pipelines and environment variables
- Container images and infrastructure-as-code
- Chat messages, wikis, and ticketing systems
Once a secret exists in many places, you lose the ability to track, rotate, or revoke it reliably.
The Hardcoded Secret
The most common root cause is the hardcoded secret: a credential written directly into source code. It feels convenient during development but becomes a permanent liability.
Here is what a hardcoded database password looks like in application code:

```python
# config.py (ANTI-PATTERN - do not do this)
DB_HOST = "prod-db.internal"
DB_USER = "app_service"
DB_PASSWORD = "S3cr3t!Pr0d_2024"  # hardcoded - dangerous
API_KEY = "sk_live_4eC39HqLyjWDarjtT1zdp7dc"
```

Anyone with read access to this file now has the production password. That includes every developer, every CI runner, and anyone who later clones the repo. Deleting the line later does not help: the value stays in the commit history of every copy of the repository, so the only real remedy is to rotate the credential.
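To make the problem concrete, here is an added example (written for this lesson, not part of the course's own code) that does two things: it scans source text for the kind of hardcoded credential shown above, and it shows the hardened replacement, reading the secret from the process environment where a deployment platform or vault agent injects it. The scanner's rules (a list of sensitive variable names, a few well-known key prefixes, and a Shannon-entropy threshold of 3.0 bits per character) are heuristics chosen for this example, and the sample `config.py` text is constructed from the snippet above.

```python
from __future__ import annotations

import math
import os
import re
from dataclasses import dataclass

# Constructed sample input: the anti-pattern config.py from above, as a string,
# plus one harmless setting to show that not every string literal is flagged.
SAMPLE_CONFIG = '''\
DB_HOST = "prod-db.internal"
DB_USER = "app_service"
DB_PASSWORD = "S3cr3t!Pr0d_2024"  # hardcoded - dangerous
API_KEY = "sk_live_4eC39HqLyjWDarjtT1zdp7dc"
DEBUG = "true"
'''

# Heuristic: variable names that usually hold credentials (assumption for this example).
SENSITIVE_NAME = re.compile(r"(?i)(passw(or)?d|secret|token|api_?key|private_?key)")
# Well-known key formats: Stripe live secret keys, AWS access key IDs, GitHub PATs.
KNOWN_PREFIXES = re.compile(r"\b(sk_live_[0-9A-Za-z]{16,}|AKIA[0-9A-Z]{16}|ghp_[0-9A-Za-z]{36})\b")
# A simple NAME = "literal" assignment at the start of a line.
ASSIGNMENT = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*["\']([^"\']+)["\']')


@dataclass
class Finding:
    line_no: int
    name: str
    reason: str


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random-looking strings score high."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def scan_source(source: str, entropy_threshold: float = 3.0) -> list[Finding]:
    """Flag string literals assigned to credential-like names, or matching a known key format."""
    findings: list[Finding] = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        m = ASSIGNMENT.match(line)
        if not m:
            continue
        name, value = m.group(1), m.group(2)
        if KNOWN_PREFIXES.search(value):
            findings.append(Finding(line_no, name, "known key format"))
        elif SENSITIVE_NAME.search(name) and shannon_entropy(value) >= entropy_threshold:
            findings.append(Finding(line_no, name, "sensitive name with high-entropy literal"))
    return findings


def load_secret(name: str, environ: dict[str, str] | None = None) -> str:
    """Hardened form: read the secret from the environment the platform injected.

    Fails loudly when the value is absent so a missing secret never silently
    falls back to a default baked into the code.
    """
    env = os.environ if environ is None else environ
    value = env.get(name)
    if not value:
        raise RuntimeError(f"required secret {name} is not set")
    return value


if __name__ == "__main__":
    for f in scan_source(SAMPLE_CONFIG):
        print(f"line {f.line_no}: {f.name} ({f.reason})")
    # In a real deployment DB_PASSWORD would be set by the platform or a vault agent;
    # here we pass a constructed environment so the example runs offline.
    print(load_secret("DB_PASSWORD", {"DB_PASSWORD": "from-vault"}))
```

Running the scanner over the sample flags `DB_PASSWORD` on line 3 and `API_KEY` on line 4 and leaves `DB_HOST`, `DB_USER` and `DEBUG` alone. The entropy check is what keeps the rule useful against passwords that match no known prefix; the cost is that a low-entropy password such as `password1` slips through, which is why name-based rules and format-based rules are layered rather than used alone.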