Session
The Complete Guide to Secret Hygiene for Java and Cloud-Native Engineers
"It’s just a local config." "I’ll delete the history later." In the fast-paced world of Cloud-Native Java, these common phrases are the precursors to security disasters.
As developers, our tools are designed for convenience, but that convenience often creates "secret leaks" across the entire supply chain. This session is a forensic deep dive into how credentials escape into the wild. We will perform live autopsies on common security blunders, tracing secrets through:
• The Developer Desk: Plain-text risks in Maven settings.xml.
• The Source: Why git rm fails to protect your history.
• The Image: Using dive to uncover passwords in "deleted" Docker layers.
• The Pipeline: How CI/CD logs in Jenkins or TeamCity can betray you.
• The Runtime: Moving from hardcoded Tomcat server.xml to modern Vault injection.
This isn't just a talk about what's broken; it's a guide on how to fix it. You will leave with a practical toolkit of pre-commit hooks, Maven encryption techniques, and secret injection strategies to ensure your credentials stay exactly what they were meant to be: secret.
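One piece of the pre-commit toolkit mentioned above, as an added example that is not code from the talk or the speaker: a hook that scans the staged blobs (not the working tree) and refuses the commit when it finds a plaintext Maven `settings.xml` password, a hardcoded Tomcat `password="..."` attribute, an AWS-style access key id or a private-key header. The rule set, the file paths and the sample `settings.xml` fragment are assumptions constructed for this example; values already encrypted with Maven's `settings-security.xml` mechanism (`{...}`) or injected via `${...}` are deliberately not flagged.

```python
"""Pre-commit secret scan: blocks a commit whose staged content contains a
plaintext credential. Added example, not code from the talk."""
import re, subprocess, sys

# Maven rule skips values written as {...} (settings-security.xml encryption) or
# ${...} (property/env injection); only a literal value between the tags is flagged.
RULES = [
    ("maven-plaintext-password",
     re.compile(r"<password>\s*(?!(\{[^}]*\}|\$\{[^}]*\})\s*<)[^<\s][^<]*</password>")),
    ("tomcat-password-attribute", re.compile(r'\bpassword\s*=\s*"[^"]+"')),  # <Resource password="..."/>
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private-key-block", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
]

# Constructed settings.xml fragment: line 1 is a plaintext leak, line 2 is Maven-encrypted.
SAMPLE_SETTINGS_XML = """<server><id>nexus</id><password>hunter2</password></server>
<server><id>releases</id><password>{AbCdEf123=}</password></server>"""

def scan_text(text, path="<stdin>"):
    """Return (path, line_no, rule_name) for each line matching a rule."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for name, pattern in RULES:
            if pattern.search(line):
                findings.append((path, line_no, name))
    return findings

def staged_files():
    """Paths added/copied/modified in the index, i.e. what the commit would contain."""
    out = subprocess.run(["git", "diff", "--cached", "--name-only", "--diff-filter=ACM"],
                         check=True, capture_output=True, text=True).stdout
    return [p for p in out.splitlines() if p]

def staged_content(path):
    """Read the staged blob rather than the working tree, so an unstaged edit cannot mask a leak."""
    return subprocess.run(["git", "show", f":{path}"], check=True,
                          capture_output=True, text=True, errors="replace").stdout

def main():
    findings = []
    for path in staged_files():
        findings.extend(scan_text(staged_content(path), path))
    for path, line_no, name in findings:
        print(f"{path}:{line_no}: possible secret ({name})", file=sys.stderr)
    if findings:
        print("commit blocked: encrypt the value or inject it at build time", file=sys.stderr)
    return 1 if findings else 0

if __name__ == "__main__":
    sys.exit(main())
```

Install it as `.git/hooks/pre-commit` (executable); a non-zero exit aborts the commit, which is the point of catching the secret here rather than after `git rm` has already left it in history.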
Martin Ladecký
Tech lead at Commerzbank, ex-CTO of Loono, Czech JUG organiser
Prague, Czechia