Notifications
Clear all
Topic starter
25/06/2026 5:05 pm
TL;DR: Shift-left controls can catch secret exposure earlier in DevOps, but they do not solve culture, incentives, deadline pressure, or the operational reality of secrets sprawl, according to Entro Security. Early scanning helps, yet durable protection still depends on end-to-end secrets governance across the full lifecycle.
NHIMG editorial — based on content published by Entro Security: Debunking the shift-left security approach in DevOps
By the numbers:
- Only 44% of organisations are currently using a dedicated secrets management system.
Questions worth separating out
Q: How should security teams govern secrets that move beyond the code repository?
A: They should treat secrets as living credentials with an owner, scope, and expiry, not as static strings in source code.
Q: Why do shift-left controls fail to prevent secret sprawl?
A: Because secret sprawl happens after the first scan.
Q: What do security teams get wrong about shift-left for secrets?
A: They often assume early detection equals governance.
Practitioner guidance
- Map secret lifecycle ownership across DevOps and security teams Assign a named owner for issuance, rotation, revocation, and exception handling for each secret type.
- Add runtime secret discovery beyond code scanning Monitor containers, build logs, deployment configs, and cloud environments for secrets that escaped pre-commit review.
- Separate preventive checks from exposure response Use shift-left scanning to block obvious hard-coded secrets, then pair it with revocation workflows for leaked or abandoned credentials.
What's in the full article
Entro Security's full blog post covers the operational detail this post intentionally leaves for the source:
- Examples of how secret exposure appears in CI/CD pipelines, logs, and deployment artefacts.
- The article's discussion of why development incentives undermine security-first behaviour in practice.
- Entro Security's breakdown of how shift-right monitoring complements early detection in production.
- Additional detail on flexible vault integrations and secret enrichment workflows.
👉 Read Entro Security's analysis of why shift-left security falls short for secrets management →
Shift-left security and secrets sprawl: what IAM teams miss?
Explore further
View Full Forum → | NHI Foundation Course → | Our Services →
25/06/2026 5:34 pm
Shift-left security fails where secret governance leaves the codebase. Early scanning is useful, but it only covers the development boundary. Once API keys, tokens, or certificates are copied into pipelines, runtime configs, and logs, the control plane has already moved beyond what shift-left can see. Practitioners should treat this as a secrets lifecycle gap, not a tooling gap.
A few things that frame the scale:
- 54% of organisations are dissatisfied with their current secrets management solution because not all secrets are secured, and 43% cite lack of central management, according to The 2024 State of Secrets Management Survey.
- The average time to mitigate a leaked secret is 36 hours, which shows how quickly manual response becomes a governance burden when secrets escape preventive controls.
A question worth separating out:
Q: How should organisations combine shift-left and shift-right for secrets security?
A: Use shift-left to stop obvious exposures before release and shift-right to detect misuse, drift, and forgotten credentials in production. The strongest model is continuous control across the full lifecycle, because secrets risk does not end when code leaves the build pipeline.
👉 Read our full editorial: Shift-left security falls short for secrets management in DevOps
