
Hosting Operations

Detect Secret Leak Markers in Artifacts

Before publishing or sharing CI artifacts, you need a quick read-only scan for obvious secret-like markers.

Command

grep -RInE 'AWS_ACCESS_KEY|SECRET|TOKEN|PRIVATE KEY|PASSWORD' artifacts logs | head -50

What changed

Nothing changes on disk. Matching lines are printed as file:line:content for review. Because the content is printed, the output can itself contain the secret: review it in a private terminal and do not paste it into a ticket or a CI log.

Danger

safe

When to use it

Use before uploading, sharing, or attaching CI artifact bundles to tickets.

When not to use it

Do not treat this as a complete secret scanner. The pattern is case-sensitive (a lowercase `password=` is missed), `-I` skips binary files, so anything inside a zip, tar or jar in the bundle is never read, and `head -50` truncates the listing. Use a dedicated scanner for enforcement.
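As an added example (not part of this lesson), a small POSIX shell script that hardens the triage scan above against the gaps just noted: it matches case-insensitively, prints only file, line number and marker name so the report can be pasted without reproducing the value, and separately lists archives that grep -I skips so they can be unpacked or excluded before sharing. The fixture tree, file names and contents are constructed for the demo; the AKIA pattern is added on the assumption that long-term AWS access key IDs start with AKIA.

```shell
#!/bin/sh
# Added example, not the lesson's own command: a read-only marker scan that
# (1) is case-insensitive, (2) reports file:line:MARKER without the matched
# value, so the report itself does not leak the secret, and (3) lists
# archives that grep -I silently skips. Fixture paths and contents are
# constructed for the demo.
set -u

# Build a disposable fixture tree (constructed sample data) and print its path.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/artifacts/dist" "$d/logs"
    printf 'Deploy started\nUsing TOKEN=redacted-demo-token in debug environment\nDeploy failed: missing artifacts/dist/robots.txt\n' > "$d/logs/deploy.log"
    # Lowercase marker: the case-sensitive pattern in the lesson would miss this.
    printf 'db_password = demo-placeholder\n' > "$d/artifacts/dist/config.ini"
    printf 'clean line\n' > "$d/artifacts/dist/index.html"
    # An archive: grep -I treats it as binary, so its contents are never scanned.
    (cd "$d/artifacts" && tar -cf bundle.tar dist)
    echo "$d"
}

# Print one "file:line:MARKER" per hit, never the matched content.
# The AKIA pattern (assumed AWS access key ID prefix) is labelled by its regex.
scan_markers() {
    for m in 'AWS_ACCESS_KEY' 'AKIA[0-9A-Z]{16}' 'SECRET' 'TOKEN' 'PRIVATE KEY' 'PASSWORD'; do
        grep -RIinE "$m" "$@" 2>/dev/null | cut -d: -f1,2 | sed "s|\$|:$m|"
    done | sort -u
}

# Archives and other binaries are skipped by grep -I: list them so they can be
# unpacked and scanned, or dropped from the bundle, before it is shared.
list_archives() {
    find "$@" -type f \( -name '*.tar' -o -name '*.tgz' -o -name '*.tar.gz' \
        -o -name '*.zip' -o -name '*.jar' \) | sort
}

# Stand-alone demo: sh scan.sh --demo
if [ "${1:-}" = "--demo" ]; then
    fx=$(make_fixture)
    echo "== marker hits (value withheld) =="
    scan_markers "$fx/artifacts" "$fx/logs"
    echo "== archives not scanned by grep -I =="
    list_archives "$fx/artifacts" "$fx/logs"
    rm -rf "$fx"
fi
```

The report lines name the marker, not the value, so they are safe to attach to the ticket; the archive list tells you what the grep did not look at, which is usually where a packed `.env` or keystore hides.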

Undo or recovery

No undo needed because this command is read-only.

Expected output

Any lines containing one of the markers, printed as file:line:content. No output means none of these markers matched, not that the bundle is clean. grep itself exits 1 when nothing matches, but the pipeline's exit code is head's, so do not read a 0 as "no findings".

demo script

Disposable terminal steps

  1. cd /lab/ci-artifacts && grep -RInE 'AWS_ACCESS_KEY|SECRET|TOKEN|PRIVATE KEY|PASSWORD' artifacts logs | head -50
  2. cd /lab/ci-artifacts && grep -RInE 'AWS_ACCESS_KEY|SECRET|TOKEN|PRIVATE KEY|PASSWORD' artifacts logs | cut -d: -f1 | sort -u
  3. cd /lab/ci-artifacts && sed -n '1,60p' logs/deploy.log

simulated output

What it looks like

$ cd /lab/ci-artifacts && grep -RInE 'AWS_ACCESS_KEY|SECRET|TOKEN|PRIVATE KEY|PASSWORD' artifacts logs | head -50
logs/deploy.log:2:Using TOKEN=redacted-demo-token in debug environment
::exit-code::0
$ cd /lab/ci-artifacts && grep -RInE 'AWS_ACCESS_KEY|SECRET|TOKEN|PRIVATE KEY|PASSWORD' artifacts logs | cut -d: -f1 | sort -u
logs/deploy.log
::exit-code::0
$ cd /lab/ci-artifacts && sed -n '1,60p' logs/deploy.log
Deploy started
Using TOKEN=redacted-demo-token in debug environment
Uploading artifacts/dist
Deploy failed: missing artifacts/dist/robots.txt
::exit-code::0

YouTube Short

Scan artifacts before sharing.

Before you attach CI artifacts to a ticket, search for obvious secret markers. It is fast and read-only.

LinkedIn hook

Artifacts are public more often than you think.

Question: Do you scan CI artifacts before sharing them outside the team?

experiments

A/B tests to run

Metric: linkedin_save_rate

A: Artifacts are public more often than you think.

B: Scan CI artifacts before sharing.