// first 10 minutes
API key leak / repo compromise — quick-start
API key leak — first 10 minutes. rotate first, investigate second: a key in a public commit is harvested by scanners within minutes, so nothing below is worth doing while the credential is still live. print this, check boxes, then run the primary tools.
checklist
- rotate or revoke the leaked credential immediately — do not wait for root cause; the key is already public. revoking a long-term AWS key does not expire STS sessions already minted with it: look for AssumeRole / GetSessionToken calls made with the key and revoke role sessions with a deny condition on aws:TokenIssueTime.
- identify every service the key had access to and scope what actions it permitted — expand wildcards in the attached policies rather than reading the policy names; "ReadOnly" plus an iam:PassRole or sts:AssumeRole is not read-only.
- pull API gateway, CloudTrail, or provider audit logs for the leaked key for the full exposure window, filtering on userIdentity.accessKeyId. note the limits: CloudTrail event history covers 90 days of management events only, and S3 GetObject calls appear only if data-event logging was enabled, so an empty result is not proof nothing was read. include denied (errorCode: AccessDenied) calls — they show what the attacker tried.
- check for new IAM users, roles, or service accounts created using the leaked key, and for persistence on existing principals: extra access keys, login profiles, attached policies, and edited role trust policies.
- check for new EC2, Lambda, or compute instances spun up under the leaked credentials — in every region, not just the ones you use; miners favour GPU instance types in regions nobody watches.
- export provider cost anomalies for the period — cryptomining and data egress spike the bill before anything else. billing data lags the logs by hours, so treat it as an independent second view, not the first alert.
- check git history, CI/CD logs, npm publish logs, and S3 access logs for where the key was used or exposed, including forks and published package tarballs — those copies survive any history rewrite.
- identify which repo commit or CI artifact first exposed the key — use `git log --all -p -S'<key fragment>'`, then check reflog and stashes. rewriting history with git filter-repo or BFG removes the key from your clone only; clones, forks, and caches keep it, which is why rotation comes first.
- notify any third parties whose data was accessible under the leaked key's permissions.
- begin the primary tool path below — leaked credential scope analyzer and cloud audit log correlator.
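the log-correlation step of this checklist, as an added example rather than one of the page's tools: it takes CloudTrail records (the Records array of a CloudTrail log file), keeps only the calls signed with the leaked access key ID, tags each call as recon, persistence, compute, or data access, pulls out any secondary access keys the attacker minted (those must be revoked too), and reports the exposure window, regions, source IPs, and denied attempts. the event-name groupings are the editor's own, not an AWS taxonomy; the sample records are constructed, the key IDs are AWS documentation placeholders, and the IPs are RFC 5737 test addresses.

```python
"""Correlate CloudTrail records against one leaked AWS access key.

Added example for the quick-start checklist; not one of the page's tools.
"""
import json
from collections import Counter
from datetime import datetime, timezone

LEAKED_KEY = "AKIAIOSFODNN7EXAMPLE"  # AWS documentation placeholder key ID

# Editor's grouping of high-signal eventNames; not an AWS-published taxonomy.
CATEGORIES = {
    "recon": {"GetCallerIdentity", "ListBuckets", "ListUsers", "ListRoles",
              "GetAccountSummary", "DescribeInstances"},
    "persistence": {"CreateUser", "CreateAccessKey", "CreateLoginProfile",
                    "AttachUserPolicy", "PutUserPolicy", "CreateRole",
                    "AttachRolePolicy", "UpdateAssumeRolePolicy"},
    "compute": {"RunInstances", "CreateFunction", "UpdateFunctionCode"},
    "data_access": {"GetObject", "ListObjects", "GetSecretValue", "GetParameter"},
}


def classify(event_name):
    for category, names in CATEGORIES.items():
        if event_name in names:
            return category
    return "other"


def parse_time(ts):
    # CloudTrail eventTime is ISO 8601 UTC with a trailing Z.
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def load_cloudtrail(text):
    """Parse a CloudTrail log file body ({"Records": [...]}) into a list."""
    return json.loads(text)["Records"]


def triage(records, leaked_key_id):
    # Filter on the signing key, not the user name: a user may hold several keys.
    hits = [r for r in records
            if r.get("userIdentity", {}).get("accessKeyId") == leaked_key_id]
    hits.sort(key=lambda r: r["eventTime"])  # same-format ISO strings sort correctly
    timeline, new_keys = [], []
    for r in hits:
        timeline.append({
            "time": r["eventTime"], "event": r["eventName"],
            "category": classify(r["eventName"]), "region": r["awsRegion"],
            "ip": r["sourceIPAddress"], "denied": "errorCode" in r,
        })
        # CreateAccessKey echoes the new key ID in responseElements; it must be
        # revoked alongside the original.
        if r["eventName"] == "CreateAccessKey" and "errorCode" not in r:
            new_keys.append(r["responseElements"]["accessKey"]["accessKeyId"])
    if not hits:
        return {"event_count": 0, "timeline": [], "new_access_keys": []}
    first, last = hits[0]["eventTime"], hits[-1]["eventTime"]
    return {
        "event_count": len(hits),
        "first_seen": first, "last_seen": last,
        "exposure_seconds": int((parse_time(last) - parse_time(first)).total_seconds()),
        "services": sorted({r["eventSource"] for r in hits}),
        "regions": sorted({r["awsRegion"] for r in hits}),
        "source_ips": Counter(r["sourceIPAddress"] for r in hits),
        "flags": Counter(e["category"] for e in timeline),
        "denied": sum(e["denied"] for e in timeline),
        "new_access_keys": new_keys,
        "timeline": timeline,
    }


def _rec(time, source, name, region, ip, key=LEAKED_KEY, **extra):
    r = {"eventTime": time, "eventSource": source, "eventName": name,
         "awsRegion": region, "sourceIPAddress": ip,
         "userIdentity": {"type": "IAMUser", "userName": "deploy-bot",
                          "accessKeyId": key}}
    r.update(extra)
    return r


# Constructed sample records, deliberately out of order like a real export.
SAMPLE_RECORDS = [
    _rec("2024-05-01T09:20:11Z", "ec2.amazonaws.com", "RunInstances",
         "ap-southeast-1", "198.51.100.22",
         requestParameters={"instanceType": "p3.8xlarge"}),
    _rec("2024-05-01T09:14:02Z", "sts.amazonaws.com", "GetCallerIdentity",
         "us-east-1", "203.0.113.7"),
    _rec("2024-05-01T09:15:30Z", "iam.amazonaws.com", "CreateAccessKey",
         "us-east-1", "203.0.113.7",
         requestParameters={"userName": "deploy-bot"},
         responseElements={"accessKey": {"accessKeyId": "AKIAI44QH8DHBEXAMPLE",
                                         "userName": "deploy-bot"}}),
    _rec("2024-05-01T09:16:00Z", "iam.amazonaws.com", "AttachUserPolicy",
         "us-east-1", "203.0.113.7", errorCode="AccessDenied"),
    _rec("2024-05-01T09:14:10Z", "s3.amazonaws.com", "ListBuckets",
         "us-east-1", "203.0.113.7"),
    # Traffic from a different key on the same user: must not be attributed.
    _rec("2024-05-01T09:14:30Z", "s3.amazonaws.com", "PutObject",
         "us-east-1", "10.0.4.15", key="AKIAEXAMPLE000OTHER00"),
]

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_RECORDS, LEAKED_KEY), indent=2))
```

run it against a real export with `triage(load_cloudtrail(open(path).read()), "<leaked key id>")` per log file and merge the results; the `new_access_keys` list goes straight onto the revocation list, and a `denied` count above zero with a short `exposure_seconds` is the signature of someone probing what the key can do.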
primary tools
- 01 git repository forensic analyzer: drop a .git directory or git bundle file · extract full commit history · recover deleted commits via reflog · stash contents · author metadata · file change history · detect secret leaks in history · runs locally
- 02 github audit log parser: json or jsonl audit export · action, actor, org, repo · repo, org, hook, oauth, protected branch, secret scanning events · suspicious flags · export csv · runs locally
- 03 github audit log analyzer: drop a github enterprise audit log json or csv export · parse repository and organization events · surface suspicious access patterns, force pushes, secret scanning alerts, and member changes · reconstruct git activity timeline · runs locally
- 04 aws cloudtrail forensic deep analyzer: drop cloudtrail json logs · detect privilege escalation paths · credential theft · data exfiltration · lateral movement between services · unusual api patterns · flag attacker ips · runs locally
- 05 aws cloudtrail log forensic analyzer: drop aws cloudtrail json log files or csv export · parse api call records across all aws services · surface credential abuse, privilege escalation, data exfiltration, and infrastructure manipulation · reconstruct attacker activity timeline · runs locally
- 06 aws iam policy analyzer: paste iam policy json · effective permissions · wildcard expansion · risks · escalation hints · plain english · runs locally
- 07 iam escalation graph: iam policy json · wildcard expansion · 15 escalation patterns · attack chains · severity · csv + json export · runs locally
- 08 kubernetes secrets decoder: paste secret yaml or json · decode base64 · credential hints · redact toggle · runs locally · keys stay in browser