2025-08-04, Firenze
Secrets are being leaked at an alarming rate—hardcoded API keys, tokens, credentials—you name it, it’s out there. From SolarWinds to everyday developers, secret exposure has become one of the top root causes of major breaches.
But what if you could scan for these secrets… at scale? On a student budget?
This talk is a deep dive into how I used Kubernetes, cloud credits, and some infrastructure hacking to scan VS Code extensions and other public sources for secrets—effectively and cheaply. Whether you're a cloud security enthusiast, a DevOps tinkerer, or just broke and curious, this talk will show how to harness distributed systems and automation to do big things with limited resources.
Secrets are being pushed everywhere in the wild. Given that most major security breaches involve secrets being exposed—like the SolarWinds breach and many others—I became fascinated by how often secrets are being publicly leaked and how little effort it can take to find them if you know where to look.
I wanted to perform secret scanning at scale, but I’m a student with a limited budget. So I’m going to talk about how I maximized the compute power available to me using Kubernetes and leveraged it to scan for secrets at scale.
Infrastructure Setup:
Given my constraints as a broke college student, I looked at what I had available: I recently completed my CKA and CKS certifications, and I had access to $100 in free Azure credits through a student account, plus similar free-tier resources across various cloud providers. My solution? Use Kubernetes to orchestrate compute resources across multiple accounts.
To set up the infrastructure, I used K3s to run a master node on my Azure account using those $100 credits very carefully. Then, I asked a few friends—also students—to use their own free credits to spin up virtual machines in their Azure accounts. I connected all of these together using Tailscale, putting them on the same virtual network. K3s was the best choice due to its lightweight footprint and simplicity.
Right now, I’m building out a Terraform configuration so I can just give my friends a link to my Terraform Cloud project. That way, they can deploy their own VM and have it automatically join my cluster. This assumes a level of trust between me and them. I’m actively working on a secure abstraction layer so they can deploy without being exposed to (or able to access) any secrets.
Scanning VS Code Extensions:
The next phase of the project is to scan VS Code extensions for secrets. It might seem like overkill, especially considering Microsoft’s API rate limits, but I have a workaround.
Here’s how it works:
- Every morning, a Kubernetes CronJob spins up and pulls a fresh list of VS Code extensions recently published to the marketplace.
- These extensions are then distributed to Docker containers running TruffleHog, which scan them for known patterns of exposed secrets.
- Redis is used for fast, in-memory storage of scan results.
- Every 3 minutes, Redis syncs with a persistent master database for durability and redundancy.
- All of this orchestration and data handling is written in Go.
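As an added illustration of the per-extension step in that pipeline (example code written for this page, not the author's project; the real scan is done by TruffleHog), a Go function that opens a .vsix as the zip archive it is and runs two constructed detector patterns over every packaged file, reporting only which files matched. The regexes and the sample archive are constructed approximations for demonstration.

```go
package main

import (
	"archive/zip"
	"bytes"
	"io"
	"regexp"
)
// Constructed approximations of two secret formats seen in the proof of concept;
// TruffleHog's own detectors are far more thorough and also verify whether a hit is live.
var detectors = map[string]*regexp.Regexp{
	"aws-access-key-id": regexp.MustCompile(`\bAKIA[0-9A-Z]{16}\b`),
	"openai-api-key":    regexp.MustCompile(`\bsk-[A-Za-z0-9]{32,}\b`),
}

// ScanVSIX treats the .vsix bytes as the zip archive they are and reports, per detector, which
// packaged files matched. Matched values are never returned (scan results must not become a
// second copy of the secret) and each member is capped at 8 MiB so a zip bomb cannot exhaust memory.
func ScanVSIX(vsix []byte) (map[string][]string, error) {
	zr, err := zip.NewReader(bytes.NewReader(vsix), int64(len(vsix)))
	if err != nil {
		return nil, err
	}
	hits := map[string][]string{}
	for _, f := range zr.File {
		rc, err := f.Open()
		if err != nil {
			return nil, err
		}
		content, err := io.ReadAll(io.LimitReader(rc, 8<<20))
		rc.Close()
		if err != nil {
			return nil, err
		}
		for name, re := range detectors {
			if re.Match(content) {
				hits[name] = append(hits[name], f.Name)
			}
		}
	}
	return hits, nil
}

// SampleVSIX builds an in-memory extension archive with one planted, obviously fake key (constructed input).
func SampleVSIX() []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	w, _ := zw.Create("extension/out/main.js")
	w.Write([]byte(`new S3({accessKeyId: "AKIAEXAMPLE012345678"}) // constructed, not a real key`))
	zw.Close()
	return buf.Bytes()
}
```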
API Rate Limiting and IP Rotation:
Microsoft is fairly generous with rate limits, but I wanted to plan for scale.
I set up a paid VPN service and developed a solution where IP addresses are rotated using a FIFO queue in AWS SQS. IPs are rotated in and out of the queue based on usage, helping me work around API rate limits.
This idea is still being refined, but it's designed to allow future scaling with more nodes and broader scanning capabilities.
Current Status:
To test the idea, I wrote a quick set of Python 3 scripts and downloaded around 10,000 VS Code extensions. I’ve already identified exposed credentials including:
OpenAI keys, Hugging Face tokens, AWS credentials, SSH private keys, and more.
Since this initial proof of concept was successful, I plan to slowly expand the setup, refine the automation, and run these scans at the scale explained above.
Tools:
Kubernetes (K3s)
Tailscale (networking)
Terraform Cloud (for easy node deployment)
Docker
TruffleHog – https://github.com/trufflesecurity/trufflehog
Redis (fast key-value storage)
GoLang (core orchestration logic)
Python3 (initial PoC + scraping scripts)
AWS SQS (FIFO) – used for VPN IP queueing
Amazon DocumentDB (it's in the always-free tier)
📌 A Note to the CFP Review Board
Just a quick note — I'm still working on the explained setup for my talk, and the outline I'm submitting right now reflects my current plan. Some things might evolve as I make progress and depending on how everything comes together. Also, please reach out to me before the talk title is published on the website. I’m planning to collaborate with a few folks and want to give them a heads-up before anything goes public.