EPISODE · May 23, 2026 · 9 MIN
Why Your Secret Scanning Pipeline Should Run Before CI
from DevOps Daily with Fexingo: CI/CD, Kubernetes, and Modern Software Operations · host Fexingo
Episode 6 of DevOps Daily with Fexingo tackles a common but dangerous assumption in modern CI/CD: that security scanning should happen after tests pass. Lucas and Luna walk through a real September 2025 incident at a fintech startup where a leaked AWS key in a public repo wasn't caught until 47 minutes after merge. They explain why shifting secret scanning to pre-commit hooks and pre-CI gates — with tools like Gitleaks, TruffleHog, and custom regex — prevents blast radius damage. The hosts debate trade-offs: developer friction versus runtime detection, false positive fatigue, and how to track scan coverage with a simple Service Level Objective. They also cite a 2025 GitGuardian report showing a 62 percent year-over-year increase in exposed credentials. The episode ends with a concrete three-step implementation checklist any team can adopt this week. No jargon for jargon's sake — just a focused case and a clear, actionable argument for changing when you scan. #SecretScanning #CI/CD #DevSecOps #Gitleaks #TruffleHog #GitGuardian #PreCommitHooks #SecurityPipeline #FintechSecurity #CloudSecurity #InfrastructureAsCode #ShiftLeft #ServiceLevelObjective #FalsePositive #DeveloperExperience #Technology #FexingoBusiness #BusinessPodcast Keep every episode free: buymeacoffee.com/fexingo
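The pre-commit gate the hosts argue for, sketched as an added example that is not from the podcast or any of the tools it names: a small Python scanner that reads only the lines a commit would add (the `+` lines of a unified diff), matches them against a couple of constructed rules (the documented AWS access key ID shape plus a generic "secret = value" assignment filtered by Shannon entropy to cut false positives), skips an allowlist of known placeholders, redacts what it reports, and exposes a coverage check against a scan SLO. The rule set, the entropy threshold and the 99 percent SLO target are assumptions for illustration; real deployments would hand the matching to Gitleaks or TruffleHog, which carry hundreds of rules and verify some credentials against the issuer.

```python
"""Minimal pre-commit secret gate (illustrative, constructed for this example)."""
import math
import re
import subprocess
import sys
from collections import Counter

# Constructed detection rules. The AWS pattern follows the documented access key ID
# shape: a 4-letter prefix (AKIA/ASIA) followed by 16 upper-case alphanumerics.
RULES = {
    "aws-access-key-id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
    "generic-secret-assignment": re.compile(
        r"(?i)\b(?:secret|token|password|api[_-]?key)\b\s*[:=]\s*[\"']?([A-Za-z0-9/+_\-]{20,})"
    ),
}

# Known placeholders that must never block a commit (AWS's own documentation example key).
ALLOWLIST = {"AKIAIOSFODNN7EXAMPLE"}

# Generic matches must also look random. The threshold is an assumption; tune it per repo.
MIN_ENTROPY_BITS = 3.5


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random base64-like strings score around 4 or more."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_added_lines(diff: str) -> list:
    """Scan only the '+' lines of a unified diff, i.e. exactly what the commit introduces."""
    findings = []
    path, new_lineno = "?", 0
    for raw in diff.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:]
            path = path[2:] if path.startswith("b/") else path
        elif raw.startswith("@@"):
            m = re.search(r"\+(\d+)", raw)
            new_lineno = int(m.group(1)) - 1 if m else 0
        elif raw.startswith(" "):
            new_lineno += 1  # unchanged context advances the new-file line counter
        elif raw.startswith("+"):
            new_lineno += 1
            line = raw[1:]
            for rule, pat in RULES.items():
                for m in pat.finditer(line):
                    candidate = m.group(1) if m.groups() else m.group(0)
                    if candidate in ALLOWLIST:
                        continue
                    if rule.startswith("generic") and shannon_entropy(candidate) < MIN_ENTROPY_BITS:
                        continue  # low-entropy value such as "changeme": likely not a credential
                    findings.append({
                        "rule": rule,
                        "path": path,
                        "line": new_lineno,
                        "redacted": candidate[:4] + "...",  # never echo the full secret into logs
                    })
        # removed lines ("-"), file headers and "diff --git" lines are ignored
    return findings


def scan_coverage(scanned_commits: int, total_commits: int, target: float = 0.99) -> tuple:
    """Share of commits that went through the gate, checked against an assumed 99% SLO."""
    ratio = scanned_commits / total_commits if total_commits else 1.0
    return ratio, ratio >= target


# Constructed diff: one allowlisted placeholder, one fake key, one random-looking token,
# one low-entropy password. Only lines 12 and 13 of the new file should be reported.
SAMPLE_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -10,2 +10,5 @@ DEBUG = False
 REGION = "eu-west-1"
-AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_ACCESS_KEY_ID = "AKIA0000000000000000"
+API_KEY = "xK9vQ2mZpL8rT4wBn7cD1fG6hJ3kM5sA"
+PASSWORD = "changeme_changeme_changeme"
"""

if __name__ == "__main__":
    # As a hook: scan the staged changes and refuse the commit if anything is found.
    staged = subprocess.run(["git", "diff", "--cached", "-U0"],
                            capture_output=True, text=True, check=True).stdout
    hits = scan_added_lines(staged)
    for h in hits:
        print(f"{h['path']}:{h['line']}: {h['rule']} ({h['redacted']})")
    sys.exit(1 if hits else 0)
```

Dropping the script into `.git/hooks/pre-commit` (or wiring it through the pre-commit framework) makes the gate run before any CI job sees the change, which is the whole point: a key that never reaches the remote has no 47-minute window. The allowlist and the entropy filter are where the false positive debate from the episode lands in code; both need an owner, or developers start committing with `--no-verify`.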
No transcript for this episode yet