Skip to content
Thav Global Solutions
All insights
Infrastructure19 May 20266 min read

Where secrets live, and where they never do

A credential committed to a repository is a credential you have to assume is public. Keeping secrets out of the codebase, and out of human hands, is a design decision made once and enforced everywhere.

Infrastructure Practice

A secret that lands in a code repository has, for practical purposes, escaped. It is copied to every clone, preserved in history long after it is deleted from the latest commit, and exposed to everyone who can read the project. The only safe assumption is that a committed credential is a compromised one. So the rule is absolute: secrets never touch the repo.

Managed, short-lived, and fetched at runtime

Credentials live in a managed secrets store, not in files, not in values baked into a pipeline, not in a developer's notes. The application reads them at runtime through an adapter, and the identities that grant access are short-lived rather than standing. A credential that exists for minutes and is scoped to one task is a far smaller prize than a long-lived key with broad rights sitting in a config file.

Assume a mistake will happen, and catch it

Discipline is necessary but not sufficient, because people make mistakes under deadline. So the prohibition is backed by automation that does not get tired: secret scanning runs in continuous integration and blocks a merge that would introduce a credential, before it ever reaches the shared history. The goal is not to trust that no one will ever paste a key; it is to make sure that if someone does, it is caught at the door.

  • Secrets stored in a managed vault, never in the repository or its history.
  • Short-lived, least-privilege identities instead of standing, broadly scoped keys.
  • Secret scanning in CI, so an accidental credential fails the build rather than shipping.
  • Rotation as a routine operation, so any credential's useful lifetime is bounded by design.

Deleting a secret from the latest commit does not delete it from history. By then, the only safe move is to rotate it.

What this buys the institution

Keeping secrets out of the codebase makes the repository safe to share with reviewers, auditors, and new engineers without handing anyone the keys to production. A leaked clone becomes a leak of code, not of access. And because credentials are short-lived and centrally managed, revoking or rotating them is a controlled operation rather than a frantic search through files no one fully remembers writing.

More insights

Security6 min read

The audit log that cannot be quietly edited

Who read this record, who changed it, and when. A system that holds sensitive data has to answer that honestly, which means the people with the most access need the least ability to rewrite the answer.

17 June 2026
Delivery7 min read

The system advises, the officer decides

Software can sort, surface, and flag faster than any person. What it should not do is make the final call on a human being. Keeping a trained official in the decision is both an ethical line and an engineering one.

10 June 2026
Engineering6 min read

Giving the browser less to give away

Security-relevant logic never ships to the client, but the client is still worth hardening. Stripping a production build and locking down the page does not keep secrets. It raises the cost of every other attack.

2 June 2026

Planning a new system, or need an independent assessment?

Whether you are modernizing a legacy platform or testing the one you already run, we will tell you plainly what it takes and where the risk is.

Start a conversation