What do I do if a security scan finds a secret?
Treat every secret that a security scan detects as compromised. Once a secret is committed, Bitbucket indexes it, and anyone with read access to the repository, the project, or the whole Bitbucket instance could already have obtained a copy, whether through the web UI, a clone, or a fork. Scrubbing the secret from git history (for example by rewriting the history with git filter-repo) does not sufficiently remediate the risk: it removes the secret from future clones, not from the copies that already exist.
Soteri recommends that you:

1. Change the secret.
   - If a password is found, change it.
   - If an access token is found, generate a new token, update every service that uses it to the new token, and only then revoke the old one, so that rotation does not cause an outage. Where the issuing service keeps an audit log, check it for use of the old token that you cannot account for.
2. Delete the secret from the code, and load it at runtime from an environment variable or a secret manager instead. Secrets in code, revoked or not, signal to contributors that committing secrets is acceptable.
3. Enable Security For Bitbucket's pre-commit hook, which blocks secrets before they reach the repository. This is the best way to ensure that secrets don't end up in Bitbucket again.
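As an added illustration of what such a hook checks, the script below is a local git pre-commit hook that scans the staged diff for a few well-known token formats and for high-entropy strings. It is example code written for this page, not Security For Bitbucket's hook: the pattern list, the 20-character token candidate rule, the 4.0 bits/char entropy threshold and the sample diff are all assumptions chosen for the example. A local hook like this complements the server-side hook on developer machines; it does not replace it, since anyone can skip a local hook with `git commit --no-verify`.

```python
#!/usr/bin/env python3
"""Local git pre-commit hook that refuses commits whose staged additions look
like secrets.

Added example for this page; not Security For Bitbucket's hook. The patterns
below are an assumed, small subset of what a real scanner checks. Install by
copying to .git/hooks/pre-commit and making it executable.
"""
import math
import re
import subprocess
import sys

# Assumed patterns for a few common secret formats (example choices, not a
# complete list). Order matters: the first match names the finding.
NAMED_PATTERNS = [
    ("AWS access key ID", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("GitHub token", re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b")),
    ("private key block", re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----")),
    ("hard-coded credential assignment",
     re.compile(r"(?i)(?:password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"][^'\"]{8,}['\"]")),
]
# Any run of 20+ base64 / URL-safe characters is a candidate for the entropy check.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=_-]{20,}")
# Bits per character. A hex digest uses 16 symbols, so it can never exceed 4.0
# and is not flagged; a random token over a larger alphabet normally is.
ENTROPY_THRESHOLD = 4.0
HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


def shannon_entropy(s):
    """Shannon entropy of the characters of s, in bits per character."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_diff(diff_text):
    """Return (path, new_line_number, reason, excerpt) for each added line that
    matches a named pattern or contains a high-entropy token."""
    findings = []
    path, line_no = None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:]
            path = path[2:] if path.startswith("b/") else path
            continue
        m = HUNK_RE.match(raw)
        if m:
            line_no = int(m.group(1))  # first line number of the new side
            continue
        if raw.startswith("-") or raw.startswith("\\"):
            continue  # removed lines and "\ No newline" markers don't advance the new side
        if not raw.startswith("+"):
            line_no += 1  # context line (only present when not using -U0)
            continue
        line = raw[1:]
        reason = next((name for name, rx in NAMED_PATTERNS if rx.search(line)), None)
        if reason is None:
            for tok in TOKEN_RE.findall(line):
                if shannon_entropy(tok) > ENTROPY_THRESHOLD:
                    reason = "high-entropy string"
                    break
        if reason:
            findings.append((path, line_no, reason, line.strip()[:80]))
        line_no += 1
    return findings


# Constructed sample of `git diff --cached -U0` output for a stand-alone check.
# AKIAIOSFODNN7EXAMPLE is the documented AWS example key; the other values are made up.
SAMPLE_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -10,0 +11,3 @@
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+DB_PASSWORD = "correct horse battery staple"
+LOG_LEVEL = "INFO"
@@ -40,0 +44,2 @@
+SESSION_SIGNING_KEY = "q7Rv2mZb9XcL4kTpW1nJ8sGhY5dF3aE6uC0iOxMN"
+BUILD_SHA = "2fd4e1c67a2d28fced849ee1bb76e7391b93eb12"
"""


def main(argv):
    if "--self-check" in argv:
        diff = SAMPLE_DIFF
    else:
        diff = subprocess.run(["git", "diff", "--cached", "-U0", "--no-color"],
                              capture_output=True, text=True, check=True).stdout
    findings = scan_diff(diff)
    for path, n, reason, excerpt in findings:
        print(f"{path}:{n}: {reason}: {excerpt}", file=sys.stderr)
    if findings:
        print("Commit blocked: rotate the secret, move it to a secret store, then retry.",
              file=sys.stderr)
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run with `--self-check` to scan the embedded sample: the AWS key, the quoted password and the random signing key are reported, while `LOG_LEVEL` and the 40-character hex build hash pass, because hex never exceeds the 4.0 bits/char threshold. The entropy heuristic is deliberately simple and will still flag things like base64 blobs in test fixtures; a production scanner such as the one in Security For Bitbucket tunes this with far more patterns and allow-lists, which is why the server-side hook remains the control to rely on.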