Prevent Storing Secrets in Software Repositories
Code commits are scanned for secrets to ensure they aren't saved in the main software repository.
Plain language
This control is all about making sure that sensitive information, like passwords or secret keys, never ends up in the main storage area where your software code lives. This matters because if these secrets get exposed, hackers could access your systems, causing financial loss and damaging your reputation.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
May 2025
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for software development
Topic
Software Artefacts
Official control statement
Scanning is used during commits to identify plain text or encoded secrets and keys, which are then blocked from being stored in the authoritative source for software.
Why it matters
If secrets are stored in repositories, they can be exposed in code leaks, giving attackers access to critical systems and data.
Operational notes
Update pre-commit secret scanning patterns regularly and ensure alerts are triaged quickly to block commits with keys.
Implementation tips
- The IT team should use tools that scan code for sensitive information. They can set up software to automatically check new code for things like passwords or secret keys before it's saved where anyone can see it.
- Developers should be trained to recognise sensitive information in their code. This involves running training sessions to help them understand what types of data should never be included in the main codebase.
- Managers need to enforce strict policies about who can approve code changes. This means only letting trusted team members sign off on code before it's added to the main repository, ensuring there's a second pair of eyes on important updates.
- The IT team should regularly review the repository to ensure no secrets have slipped through. They can perform periodic manual checks as a backup to automated scans.
- System owners should ensure there's a process for safely managing secrets. This involves using secure tools designed for storing sensitive information, like passwords, and educating the team on how to use them.
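Added example, not from the ISM or the Control Stack page: a minimal pre-commit scanner in the spirit of the first tip above, which checks only the added lines of a staged diff for plaintext and base64-encoded secrets and exits non-zero so the commit is refused. The patterns, the sample diff and the key-shaped string inside it are all constructed for illustration.

```python
import base64
import re
import sys
# Illustrative patterns for a few common secret formats (constructed, not exhaustive).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic_assignment": re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"][^'\"]{8,}['\"]"),
}
# The control also covers *encoded* secrets: base64-looking runs are decoded and re-scanned.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")

def scan_line(line):
    """Return the names of every secret pattern found in one line of source."""
    findings = [name for name, pat in PATTERNS.items() if pat.search(line)]
    for tok in B64_TOKEN.findall(line):
        try:
            decoded = base64.b64decode(tok, validate=True).decode("utf-8", "ignore")
        except ValueError:
            continue  # not valid base64, so nothing to decode
        if any(pat.search(decoded) for pat in PATTERNS.values()):
            findings.append("base64_encoded_secret")
    return findings

def scan_diff(diff_text):
    """Scan only the added (+) lines of a unified diff; returns (path, pattern) pairs."""
    results, path = [], None
    for line in diff_text.splitlines():
        if line.startswith("+++ "):
            path = line[4:].removeprefix("b/")
        elif line.startswith("+") and not line.startswith("+++"):
            results.extend((path, name) for name in scan_line(line[1:]))
    return results

# Constructed sample standing in for the staged diff a pre-commit hook would read.
SAMPLE_DIFF = (
    "+++ b/config.py\n"
    "@@ -1,2 +1,3 @@\n"
    " DEBUG = False\n"
    "+DB_PASSWORD = 'hunter2hunter2'\n"
    f"+AWS_BLOB = '{base64.b64encode(b'AKIAABCDEFGHIJKLMNOP').decode()}'\n"
)

if __name__ == "__main__":
    hits = scan_diff(SAMPLE_DIFF)  # a real hook would feed in `git diff --cached --unified=0`
    for path, name in hits:
        print(f"blocked: {name} in {path}", file=sys.stderr)
    sys.exit(1 if hits else 0)  # non-zero exit makes git refuse the commit
```

Installed as `.git/hooks/pre-commit` it runs before every commit; the same function can be pointed at a server-side `pre-receive` diff so the check also covers clients that skip local hooks.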
Audit / evidence tips
- Ask: a list of tools used to scan for sensitive information. Verify that tools are configured to scan all new code commits.
  Good: includes an updated list with recent scan logs confirming active scanning.
- Good: shows mandatory, regularly scheduled training sessions with all developers having attended within the past six months.
- Ask: policies on who can approve code changes.
  Good: includes a document that lists authorised personnel and details an approval checklist, ensuring multiple approvals or reviews where needed.
- Good: shows regular reviews with documented corrective actions taken when issues were found.
- Ask: to see the secure storage toolset for secrets. Ensure that tools like password managers or secret stores are being used.
  Good: includes evidence of active usage, including some anonymised entries and policies governing their use.
Cross-framework mappings
How ISM-2030 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (2) | | |
| Annex A 8.25 | ISM-2030 requires commit-time scanning to identify and block secrets and keys from being stored in the authoritative software repository | |
| Annex A 8.28 | ISM-2030 requires scanning during commits to detect and block plaintext or encoded secrets/keys from being committed to the authoritative... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.