Secrets
What is Credential Leakage?
Also known as: Credential Exposure · Credential Leak · Korean: 크리덴셜 노출 ("credential exposure") · 자격증명 유출 ("credential leakage")
The accidental disclosure of a credential to someone who should not have access — an API key committed to a public repo, a token printed in a log, a secret pasted in Slack, a .env file bundled into a client-side JavaScript build. Different from Secret Sprawl (an inventory problem): leakage is an active exposure event that needs immediate rotation, scope review of what the credential could reach, and forensic review of logs.
More terms in Secrets
- Credential: Any secret value that proves an identity to a system — a password, API key, OAuth token, TLS private key, SSH key, or JWT. In NHI security, "credential" usually refers to the machine-to-machine secret, not a human password. The word is used interchangeably with "secret" in most operational contexts.
- Secret Scanning: The process of automatically searching code repositories, CI logs, container images, SaaS documents, chat transcripts, and other locations for accidentally committed credentials. Modern secret scanning goes beyond regex (which produces noise) to use entropy analysis, contextual parsing, and provider-specific validators that prove a leaked key is actually live before paging the owner. Cremit Argus runs this across public and private code plus SaaS surfaces.
- Secret Sprawl: The condition where credentials, API keys, and tokens are scattered across code repositories, CI systems, environment variable stores, chat messages, wikis, and documents without a single inventory or ownership record. Rotating a single value becomes expensive because the team does not know how many copies exist.