• Never commit real credentials or API keys.
• Store runtime secrets in Google Secret Manager or GitHub Actions Secrets.
• Rotate API keys immediately after any suspected exposure.

Install repository hooks:

./scripts/security/install-git-hooks.sh

This enables .githooks/pre-push, which runs scripts/security/scan-secrets.sh.

• .github/workflows/ci-security.yml runs:
  • gitleaks secret scan
  • basic smoke checks

1. Revoke exposed key(s).
2. Rotate replacements.
3. Rewrite git history if committed.
4. Re-scan repos and verify active keys.