2026-05-07 – Workshops and Stage - Gernsback (C1.05.02)
Everyone agrees leaked secrets are dangerous, yet most organizations still struggle to detect, triage, and fix them effectively. Scanners generate noise, developers ignore alerts, and real secrets slip through unnoticed.
This talk shares the real-world story of building a turnkey secrets scanning and triage platform from scratch, using and extending open-source tools. Designed for scale, the system focuses on reducing false positives, automating validation, and integrating seamlessly into CI/CD pipelines.
Through live demos and practical examples, attendees will see how to turn secrets detection from a checkbox into an actionable security program. The session focuses on real engineering decisions, lessons learned, and how the community can reuse these ideas to solve a problem many know exists, but few truly address.
This session will focus on the implementation, benefits, and challenges of building a scalable, open-source secrets scanning and management platform, designed to tackle a problem that is widely recognized but often ignored. I will start by describing the current state of secrets management in organizations: while most know exposed secrets are a serious risk, few have the processes, tooling, or awareness to handle them effectively. Existing scanners often produce too many false positives, lack context, or fail to integrate seamlessly into developer workflows, leaving teams frustrated and secrets at risk.
I will explain the motivation for creating Turnkey Code, emphasizing a passion for building practical solutions that are genuinely useful for other security engineers. Rather than buying a commercial tool, we approached the problem as a challenge: how to build a system that scales across repositories, integrates into CI/CD pipelines, and delivers actionable findings without overwhelming developers. I will cover the architecture, including scanning strategies, entropy-based detection, pattern rules, validation logic, and confidence scoring.
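To make the architecture components named above concrete, here is an added Python sketch of such a pipeline: pattern rules for well-known key formats, Shannon-entropy detection of quoted high-entropy strings, context keywords, a placeholder penalty, and a combined confidence score that drives triage buckets. This is illustrative code written for this page, not Turnkey Code's implementation; the rule list, weights, thresholds and sample lines are assumptions, and the sample values are constructed, not real credentials.

```python
"""Toy secrets-detection pipeline: pattern rules, Shannon entropy, context
keywords and a combined confidence score, run over constructed sample lines.
Added illustration for this page; not the Turnkey Code implementation."""
import math
import re
from dataclasses import dataclass, field

# Pattern rules: the AWS access-key-id shape and the GitHub PAT prefix are
# publicly documented formats; which rules a real rule set carries is assumed.
PATTERN_RULES = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("github-pat", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
]
# Generic candidates: a quoted run of base64/URL-safe characters, 16+ long.
CANDIDATE_RE = re.compile(r"""["']([A-Za-z0-9_\-+/=]{16,})["']""")
# Words near the token that make a credential more plausible.
CONTEXT_RE = re.compile(
    r"secret|passw|token|api[_-]?key|access[_-]?key|private[_-]?key", re.I)
# Markers that usually mean a placeholder rather than a live credential.
PLACEHOLDER_RE = re.compile(r"example|changeme|placeholder|dummy|your[_-]", re.I)

ENTROPY_THRESHOLD = 3.5  # bits per character; an assumed starting point


def shannon_entropy(s: str) -> float:
    """Shannon entropy of s in bits per character (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


@dataclass
class Finding:
    line_no: int
    token: str
    rule: str               # rule name, or "high-entropy" for generic candidates
    entropy: float
    confidence: float
    reasons: list = field(default_factory=list)

    @property
    def severity(self) -> str:
        """Triage bucket derived from confidence (thresholds are assumed)."""
        if self.confidence >= 0.7:
            return "high"
        return "medium" if self.confidence >= 0.4 else "low"


def score_candidate(line_no: int, line: str, token: str, rule: str) -> Finding:
    """Combine rule match, entropy, context and placeholder signals into [0, 1]."""
    entropy = shannon_entropy(token)
    confidence, reasons = 0.0, []
    if rule != "high-entropy":
        confidence += 0.5
        reasons.append(f"matched rule {rule}")
    if entropy >= ENTROPY_THRESHOLD:
        confidence += 0.3
        reasons.append(f"entropy {entropy:.2f} bits/char")
    if CONTEXT_RE.search(line):
        confidence += 0.2
        reasons.append("credential keyword in context")
    if PLACEHOLDER_RE.search(line):
        confidence -= 0.4
        reasons.append("placeholder marker present")
    confidence = round(min(1.0, max(0.0, confidence)), 2)
    return Finding(line_no, token, rule, entropy, confidence, reasons)


def scan_lines(lines):
    """Run the pattern rules, then entropy candidates not already covered by a rule."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        covered = []
        for name, rx in PATTERN_RULES:
            for m in rx.finditer(line):
                findings.append(score_candidate(line_no, line, m.group(0), name))
                covered.append(m.span())
        for m in CANDIDATE_RE.finditer(line):
            start, end = m.span(1)
            if any(s < end and start < e for s, e in covered):
                continue  # already reported by a specific rule
            token = m.group(1)
            if shannon_entropy(token) >= ENTROPY_THRESHOLD:
                findings.append(score_candidate(line_no, line, token, "high-entropy"))
    return findings


# Constructed sample input; none of these values is a real credential.
SAMPLE_LINES = [
    'aws_access_key_id = "AKIAQ7T3XB9ZKD2MWP4H"',
    'aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"',
    'headers = {"Authorization": "Bearer ghp_aB3dE5fG7hJ9kL1mN2pQ4rS6tU8vW0xY3zA5"}',
    'SESSION_SECRET = "k9Pz2Qw7rT4vX1nB8mL3cJ6hF0sD5gY2"',
    'password = "changeme"',
    'test_password = "aaaaaaaaaaaaaaaaaaaa"',
]

if __name__ == "__main__":
    for f in scan_lines(SAMPLE_LINES):
        print(f"line {f.line_no}: {f.severity:6} {f.confidence:.2f} "
              f"{f.rule} ({'; '.join(f.reasons)})")
```

Run as a script, the sample produces four findings: the two rule matches with supporting context score high, the AWS-documentation placeholder is demoted to medium by the placeholder penalty, the generic high-entropy string lands at medium because no rule corroborates it, and the short "changeme" and the all-"a" string produce nothing. In the real system this score would be the input to the validation step (checking whether a credential is live), which is what moves a finding from "probably a secret" to "confirmed and actionable".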
The session will also include a live demo, showing how the tool scans a real repository, identifies secrets, reduces false positives, and triages findings through dashboards. I will walk through automation workflows, integration with CI/CD, and how teams can track remediation and ownership. Throughout the talk, I will share lessons learned from deployment, including adoption hurdles, scaling challenges, and strategies for raising awareness about this underestimated risk.
Attendees will leave with practical knowledge of secrets management at scale, including actionable techniques, integration strategies, and access to an open-source tool they can use immediately. By sharing our approach, the session aims to raise awareness across the community, provide a repeatable method for handling secrets, and encourage engineers to build solutions that solve real problems.
I am an Application Security Engineer with extensive experience building and operating security tooling at scale. I started my career at Checkmarx, where I worked on security products, and later joined Flutter Entertainment, where I implemented and evolved large-scale AppSec programs. I currently work at OLX, focusing on automation, scalable security tooling, and cloud security. I actively contribute to open-source security projects and regularly speak at security conferences including Black Hat MEA, BSides, and BalCCon, with a focus on practical SAST, secrets management and SCA implementations.