Marcin Brzozka
Catching Secrets in AI-Generated Code Before They Reach Git

AI coding assistants write fast — but they also hardcode API keys, tokens, and database URLs directly into your source files. A 2026 GitGuardian report found that 91.5% of vibe-coded applications had at least one vulnerability, and hardcoded secrets were among the most common findings.

The Problem: AI Code Leaks Secrets

When you use Cursor, GitHub Copilot, or Claude Code to generate code, the output often contains real connection strings, API keys, and credentials. The NCSC issued a formal warning about vibe coding risks in early 2026, noting that AI-generated code is 2.74 times more likely to introduce XSS vulnerabilities compared to manually written code.

The worst part: once a secret reaches Git, it is in the history forever. Even if you delete it in the next commit, the secret remains in the diff. GitHub secret scanning alerts you after the fact — but by then, the secret has already been pushed.

Pre-Commit Hooks: Your First Line of Defense

A pre-commit hook is a script that runs automatically every time you type git commit. If the hook finds a problem — like a hardcoded secret — it blocks the commit entirely. The code never enters your repository.

This is especially important for AI-generated code because AI tools frequently hardcode keys and tokens that a human developer would instinctively put in environment variables. Pre-commit hooks are Git-level, not editor-level — they fire regardless of which tool generated the code.

Setting Up Secret Detection in Pre-Commit

Here is a minimal .pre-commit-config.yaml that catches secrets before every commit:

repos:
  - repo: https://github.com/gitleaks/gitleaks
    rev: v8.21.2
    hooks:
      - id: gitleaks
  - repo: https://github.com/pre-commit/pre-commit-hooks
    rev: v5.0.0
    hooks:
      - id: detect-private-key
      - id: detect-aws-credentials
        args: ['--allow-missing-credentials']

Install it once:

pip install pre-commit
pre-commit install

Now every git commit runs secret detection automatically. If Gitleaks finds a hardcoded AWS key, the commit is blocked. You fix the finding, re-commit, and the secret never reaches your repository.

What About Secrets Already in History?

Pre-commit hooks prevent future leaks, but what about secrets already committed? Tools like Gitleaks can scan your entire Git history:

gitleaks detect --source . --verbose

If it finds a leaked credential, you need to rotate it immediately — just removing the secret from the current code is not enough, because it is still in the Git history. Rotate the key, then use git filter-repo to scrub it from history if needed.

The Full Defense: Diff-Level Scanning for AI Code

Pre-commit hooks catch secrets, but AI-generated code introduces other risks that secret scanners miss:

  • Scope creep — AI adds features you did not ask for
  • Config drift — AI changes .env, docker-compose, or settings files
  • Dependency risk — AI adds packages with known vulnerabilities
  • Injection patterns — SQL injection, XSS, path traversal that AI models frequently generate

This is where a diff-level scanner becomes essential. Instead of scanning your entire codebase, it examines only the changes that AI introduced — the exact diff between what you had and what the AI generated.

The Secret/Config Diff Scanner runs locally, scans your Git diff for secrets, config changes, and risky patterns, and outputs a JSON report you can integrate into your CI pipeline or review manually. It catches what secret-only scanners miss — because it looks at the change, not just the secret.
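To make both ideas above concrete, here is an added example (my own illustration, not the post's Secret/Config Diff Scanner and not Gitleaks): a small Python scanner that reads a unified diff, the same staged diff a pre-commit hook sees, looks only at added lines, and emits a JSON report. Hardcoded secrets block the commit; config-file drift, dependency additions and injection-prone string building are reported as warnings. The detection rules, the entropy threshold of 3.5 bits per character, the file lists and the sample diff are all constructed for illustration and are not a complete ruleset.

```python
"""Diff-level secret and risk scanner for staged changes (constructed example).

Reads a unified diff such as `git diff --cached`, scans only ADDED lines, and
reports secrets (blocking) plus injection patterns, config drift and dependency
changes (warnings) as a JSON-serialisable report.
"""
import json
import math
import re
import subprocess
import sys
from collections import Counter

# Line-level rules. Patterns are illustrative; a real ruleset is much larger.
SECRET_RULES = [
    ("aws-access-key-id", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")),
    ("private-key", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("db-url-with-password",
     re.compile(r"\b(?:postgres(?:ql)?|mysql|mongodb)://[^:\s/]+:[^@\s]+@")),
]
INJECTION_RULES = [
    # SQL text assembled with an f-string, and DOM sinks that take raw HTML
    ("sql-fstring", re.compile(r"""f["'][^"']*\b(?:SELECT|INSERT|UPDATE|DELETE)\b[^"']*\{""", re.I)),
    ("dom-innerhtml", re.compile(r"\.innerHTML\s*=")),
]
# A secret-looking name assigned a long quoted value; entropy decides whether it
# looks like a real credential or a placeholder such as "changeme".
ASSIGNMENT = re.compile(r"""(?i)(secret|token|password|passwd|api[_-]?key)\w*\s*[=:]\s*["']([^"']{20,})["']""")
ENTROPY_THRESHOLD = 3.5  # bits per character (constructed threshold)

# File-level rules: config drift and dependency manifests (constructed lists).
CONFIG_FILES = re.compile(r"(^|/)(\.env(\..*)?|docker-compose\.ya?ml|settings\.(py|json|ya?ml))$")
DEPENDENCY_FILES = re.compile(r"(^|/)(requirements[^/]*\.txt|package\.json|pyproject\.toml|go\.mod|Cargo\.toml)$")


def shannon_entropy(s: str) -> float:
    """Shannon entropy of s in bits per character (0.0 for empty input)."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def added_lines(diff_text: str):
    """Yield (path, new_line_number, content) for every added line in a unified diff."""
    path, line_no = None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):                      # new-side file header
            target = raw[4:].strip()
            path = target[2:] if target.startswith("b/") else target
        elif raw.startswith("@@"):                      # hunk header: reset numbering
            m = re.match(r"@@ -\d+(?:,\d+)? \+(\d+)", raw)
            line_no = int(m.group(1)) if m else 0
        elif raw.startswith("+"):                       # added line
            yield path, line_no, raw[1:]
            line_no += 1
        elif not raw.startswith("-"):                   # context; deletions do not advance
            line_no += 1


def scan_diff(diff_text: str) -> list:
    """Return one finding dict per rule hit; file-level findings carry line=None."""
    findings, files = [], set()
    for path, line_no, content in added_lines(diff_text):
        if path:
            files.add(path)
        hits = [("secret", rule) for rule, pat in SECRET_RULES if pat.search(content)]
        m = ASSIGNMENT.search(content)
        if m and shannon_entropy(m.group(2)) > ENTROPY_THRESHOLD:
            hits.append(("secret", "high-entropy-assignment"))
        hits += [("injection", rule) for rule, pat in INJECTION_RULES if pat.search(content)]
        findings += [{"kind": k, "rule": r, "file": path, "line": line_no} for k, r in hits]
    for path in sorted(files):
        if CONFIG_FILES.search(path):
            findings.append({"kind": "config-drift", "rule": "config-drift", "file": path, "line": None})
        if DEPENDENCY_FILES.search(path):
            findings.append({"kind": "dependency-change", "rule": "dependency-change", "file": path, "line": None})
    return findings


def report(diff_text: str) -> dict:
    """JSON-serialisable report; only secret findings block the commit."""
    findings = scan_diff(diff_text)
    return {"findings": findings, "blocked": any(f["kind"] == "secret" for f in findings)}


# Constructed staged diff standing in for real `git diff --cached` output.
SAMPLE_DIFF = """\
diff --git a/app/db.py b/app/db.py
--- a/app/db.py
+++ b/app/db.py
@@ -1,1 +1,7 @@
 import os
+DATABASE_URL = "postgres://admin:SuperS3cretPassw0rd@db.example.internal:5432/app"
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+API_TOKEN = "tok_9f8e7d6c5b4a3f2e1d0c9b8a7f6e5d4c"
+PASSWORD = "changeme-changeme-changeme"
+def get_user(cursor, user_id):
+    cursor.execute(f"SELECT * FROM users WHERE id = {user_id}")
diff --git a/docker-compose.yml b/docker-compose.yml
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -5,1 +5,2 @@
   image: app:latest
+  privileged: true
diff --git a/requirements.txt b/requirements.txt
--- a/requirements.txt
+++ b/requirements.txt
@@ -2,1 +2,2 @@
 flask==3.0.0
+requests==2.31.0
"""


def main(argv=None) -> int:
    argv = sys.argv[1:] if argv is None else argv
    if argv and argv[0] == "--sample":
        diff = SAMPLE_DIFF
    elif argv:
        diff = open(argv[0], encoding="utf-8").read()
    else:  # default: the staged changes, exactly what a pre-commit hook sees
        diff = subprocess.run(["git", "diff", "--cached"], capture_output=True, text=True, check=True).stdout
    rep = report(diff)
    print(json.dumps(rep, indent=2))
    return 1 if rep["blocked"] else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it with `--sample` to see the report for the constructed diff: the database URL, the AWS key id and the high-entropy token are reported as secrets, the `changeme` placeholder is not (its entropy is below the threshold even though it is assigned to a name called PASSWORD), the f-string SQL is an injection warning, and docker-compose.yml and requirements.txt produce file-level warnings. Run with no arguments inside a repository and it scans the staged diff and exits non-zero when a secret is present, which is the behaviour a hook needs; with pre-commit it can be registered as a `repo: local` hook using `language: system` and `pass_filenames: false` so it reads the diff itself.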

Practical Checklist: Catching Secrets Before Git

Use this checklist every time you work with AI-generated code:

  1. Install Gitleaks as a pre-commit hook — blocks commits containing secrets before they enter your repository
  2. Add detect-private-key and detect-aws-credentials hooks — catches common credential patterns
  3. Run git diff --staged before every commit — review exactly what you are about to commit
  4. Scan AI diffs with a diff-level tool — catches config drift, scope creep, and injection patterns that secret-only scanners miss
  5. Never commit .env files — add .env to .gitignore and use environment variables
  6. Rotate immediately if a secret is committed — removing it from code is not enough; it is still in Git history

Key Takeaways

  • AI coding tools hardcode secrets at an alarming rate — 91.5% of vibe-coded apps had at least one vulnerability (GitGuardian 2026)
  • Pre-commit hooks are the most effective single defense: they block secrets before they reach your repository
  • Secret-only scanners are necessary but not sufficient — you also need diff-level scanning for config drift, scope creep, and injection patterns
  • Rotate immediately if a secret reaches Git — removing it from current code does not remove it from history
  • Combine pre-commit hooks, diff scanning, and a structured review checklist for full coverage

Frequently Asked Questions

Can pre-commit hooks catch secrets that AI models hardcode?

Yes. Pre-commit hooks like Gitleaks scan the staged diff before it enters your repository. Whether a secret was typed by a human or generated by an AI model, the hook catches it at the same point: when you run git commit. AI-generated code frequently hardcodes API keys and connection strings that a human developer would put in environment variables, making pre-commit hooks especially important for AI-assisted development.

What is the difference between secret scanning and diff scanning?

Secret scanning (like Gitleaks or GitGuardian) looks for known secret patterns: AWS keys, database URLs, API tokens. Diff scanning (like the Secret/Config Diff Scanner) examines the full change that AI introduced, including config drift, scope creep, dependency additions, and injection patterns that secret-only scanners miss. Use both for full coverage.

What did the NCSC say about AI-generated code?

The UK's National Cyber Security Centre (NCSC) issued a formal warning about "vibe coding" risks, noting that AI-generated code is significantly more likely to introduce vulnerabilities. The GitGuardian 2026 State of Secrets Sprawl report found that 91.5% of vibe-coded applications had at least one vulnerability.

Does the Secret/Config Diff Scanner upload my code to a server?

No. The Diff Scanner runs entirely on your local machine. It reads your Git diff and produces a JSON report without sending any code to external servers.

What happens if a secret is already in my Git history?

If a secret has been committed to Git, removing it from the current code is not enough — it remains in the Git history. You must rotate the secret immediately (generate a new key and revoke the old one), then use git filter-repo to scrub it from history. Pre-commit hooks prevent future leaks; they do not fix past ones.


This article was originally published on CodeRiskTools.store. Check out our practical CLI tools for developers.
