Safeguarding your code: Detecting and eliminating hardcoded secrets leveraging AWS and AI

  • Blog
  • August 26, 2025

Nausheen Jawed

Director, Cloud & Digital Transformation, PwC US

Ross Chernick

Director, Cloud & Digital Transformation, AWS Ambassador, PwC US

Jay Kumar

Manager, Application Modernization & Development, PwC US

Keep organizational secrets safe

Software development moves at a rapid pace, and teams have to keep up. Yet today's rapid development practices also translate into security risk. Secrets such as API keys, certificates and private keys, tokens and passwords that end up hardcoded in source represent real-world exposure: anyone who can read the code can use the credential.

Malicious actors continuously scan and probe code repositories in search of these hard-coded secrets. A leaked credential lets them authenticate as a legitimate user or service rather than having to break in; once inside a network, they can deploy malware, trigger data breaches, sabotage systems and disrupt operations.

It’s no small problem. Industry research shows that tens of millions of secrets wind up exposed every year — and the figure is rising sharply. Even experienced development teams are at risk. The consequences can be catastrophic. A business can endure financial loss, legal problems, regulatory penalties, and reputational damage.

Meeting the challenge

Today’s complex and interconnected business frameworks raise the risks — along with the challenge of keeping systems and data secure. Generative AI, chatbots and integrated customer service tools add yet another layer of complexity. It isn’t unusual for organizations to wind up with thousands of code repositories or data sources scattered across dozens or even hundreds of systems.

Effectively managing and locking down these secret values is critical. Organizations require technology that can identify secrets, encrypt secrets, store them in a protected space, rotate them on a regular schedule and automatically generate new passwords and access keys as policy requires.

Handling these tasks manually can prove daunting, however. For one thing, developers lack the time and bandwidth to systematically locate and control embedded secrets; they are often buried under tight deadlines. For another, the sprawling and sophisticated nature of today's architectures makes it difficult to know exactly where data is and where it is traveling at any precise moment.

Building a defense

Several tools can help identify hardcoded secrets in your code, each taking a different approach.

Amazon Q Developer includes security scanning capabilities that can detect hardcoded secrets:

  • Automatic detection: Q can scan your code for common patterns like API keys, passwords, tokens, and connection strings
  • Real-time analysis: As you write code, Q can flag potential security issues including hardcoded credentials
  • Security recommendations: Q provides suggestions on how to properly handle sensitive data

You can directly ask Amazon Q to review code for hardcoded secrets: "Review my code for any hardcoded secrets or sensitive information".

Then paste your code snippet. Q will analyze it and point out:

  • Hardcoded API keys
  • Database passwords
  • Access tokens
  • Connection strings
  • Other sensitive data patterns

An MCP server architecture for secret detection takes the tasks you would otherwise repeat by hand and exposes them as tools an AI assistant can call. Such a server might offer tools such as:

  • Secret detection tool
    • scan_secrets - Detect hardcoded secrets in files/directories
    • validate_secret_format - Check if detected strings match known secret patterns
  • Secret fixing tool
    • replace_hardcoded_secret - Replace hardcoded values with environment variable references
    • generate_env_migration - Create migration scripts to move secrets to proper storage
    • secret_usage_analyzer - Find all places where a secret is used
    • refactor_to_secrets_manager - Refactor code to use AWS Secrets Manager
  • Context analysis tool
    • Not all secrets found are a current production problem — some can be sample data or test credentials.
    • context_analysis: An MCP tool can examine the context to judge whether the exposure is probably a real secret in a production flow or merely a harmless example in documentation. Useful signals are the file path (test fixtures, docs, README), the value itself (placeholder strings such as "changeme", or a vendor's documented example key) and whether it has the entropy of generated key material. This lets true risks be prioritized and false alarms reduced.
  • Secret validation API tool
    • If you find something such as an API token, you may wish to check whether it is valid (and hence an instant security vulnerability) or is a dummy string.
    • An MCP server can be integrated to validate secrets with external APIs.
    • For instance, a git_token_validator might accept a found GitHub personal access token and invoke the GitHub API to verify it. "Safely" here means a read-only call (fetching the token's own user record is enough), never an action that changes anything, with the check logged and the token itself never written into the validator's logs. If the token is active, the system treats the finding as severe (revoke and rotate the token as soon as possible); if it is not active, the discovery still warrants correction but is less severe.
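The detection tools above, as an added example written for this article (not code from Amazon Q Developer, AWS or PwC) in the shape a Python MCP server would expose them. scan_secrets combines documented key formats with a generic assignment heuristic, validate_secret_format rejects candidates without the right shape or entropy, context_analysis ranks findings by path and placeholder hints, and github_token_validator performs the read-only liveness check that escalates a live token. The sample repository, the severity labels and the path and placeholder heuristics are assumptions; the real HTTP call is present, but the demo injects a fake response so the block runs offline.

```python
"""Secret-detection tools of the kind a detection MCP server could expose.
Added example for this article, not Amazon Q Developer, AWS or PwC code: plain
Python so it runs stand-alone (with the MCP Python SDK each function would gain
an @mcp.tool() decorator). Sample repo, severities and heuristics are assumed."""
import math
import re
import urllib.error
import urllib.request
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Optional

# Documented key shapes (AWS access key IDs, classic GitHub PATs) plus a generic
# assignment heuristic that catches the rest and yields most false positives.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "generic_assignment": re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key|token)\b\s*[:=]\s*['\"]([^'\"]{8,})['\"]"),
}
PLACEHOLDER_HINTS = ("example", "changeme", "your_", "xxxx", "dummy", "<")
TEST_PATH_HINTS = ("/test", "tests/", "fixtures", "docs/", "readme")

@dataclass
class Finding:
    path: str
    line: int
    kind: str
    value: str
    severity: str  # low, medium, high, critical
    reason: str

def shannon_entropy(s: str) -> float:
    """Bits per character; generated key material sits well above prose."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def validate_secret_format(kind: str, value: str) -> bool:
    """Does the candidate have the shape a real secret of this kind has?"""
    if kind == "generic_assignment":
        return len(value) >= 8 and shannon_entropy(value) >= 3.0
    return PATTERNS[kind].fullmatch(value) is not None

def context_analysis(path: str, value: str) -> tuple:
    """Rank a finding by where it lives and what the value looks like."""
    if any(h in value.lower() for h in PLACEHOLDER_HINTS):
        return "low", "placeholder value"
    if any(h in path.lower() for h in TEST_PATH_HINTS):
        return "medium", "test or documentation path"
    return "high", "production code path"

def _github_status(url: str, headers: dict) -> int:
    """Real HTTP GET via urllib; the demo below injects a fake instead."""
    try:
        with urllib.request.urlopen(urllib.request.Request(url, headers=headers), timeout=10) as r:
            return r.getcode()
    except urllib.error.HTTPError as e:
        return e.code

def github_token_validator(token: str, http_status: Optional[Callable] = None) -> str:
    """Read-only liveness check (GET /user), never a mutating call. It still uses a
    credential that may not be ours: log the check, never log the token itself."""
    headers = {"Authorization": f"Bearer {token}", "User-Agent": "secret-scanner",
               "Accept": "application/vnd.github+json"}
    status = (http_status or _github_status)("https://api.github.com/user", headers)
    return "active" if status == 200 else "inactive"

def scan_secrets(files: dict, pat_status: Optional[Callable] = None) -> list:
    """Scan {path: content} (a real tool walks a checkout or git history); when a
    PAT validator is supplied, live GitHub tokens are escalated to critical."""
    findings, seen = [], set()
    for path, content in files.items():
        for lineno, line in enumerate(content.splitlines(), start=1):
            for kind, pat in PATTERNS.items():  # specific patterns run first
                for m in pat.finditer(line):
                    value = m.group(1) if kind == "generic_assignment" else m.group(0)
                    key = (path, lineno, value)
                    if key in seen or not validate_secret_format(kind, value):
                        continue  # the generic rule re-matches typed tokens
                    seen.add(key)
                    severity, reason = context_analysis(path, value)
                    if kind == "github_pat" and pat_status and pat_status(value) == "active":
                        severity, reason = "critical", "token is live: revoke and rotate now"
                    findings.append(Finding(path, lineno, kind, value, severity, reason))
    return findings

# Constructed sample repository: a real-looking production password, AWS's
# documented example access key, a PAT in a test fixture and a README placeholder.
SAMPLE_REPO = {
    "src/app/config.py": 'DB_PASSWORD = "p4ssw0rd-Q7x!9zL"\n',
    "src/app/s3.py": 'aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"\n',
    "tests/fixtures/auth_test.py": 'token = "ghp_A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q7r8"\n',
    "README.md": 'api_key = "your_api_key_here"\n',
}

if __name__ == "__main__":
    # Fake HTTP layer standing in for api.github.com: the fixture token is "live".
    fake_http = lambda url, headers: 200 if "ghp_A1b2" in headers["Authorization"] else 401
    for f in scan_secrets(SAMPLE_REPO, lambda t: github_token_validator(t, fake_http)):
        print(f"{f.severity:8} {f.path}:{f.line} {f.kind} ({f.reason})")
```

Note how AWS's documented example key and the README placeholder both pass the format check and are only downgraded by context, and how the generic rule re-matches the typed GitHub token, which is why scan_secrets deduplicates by location and value before the specific kind is lost.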

So how does this all come together? Let's walk through an example:

Secrets Management
  • A developer issues a command to Amazon Q, via chat or CLI, such as “Find all hardcoded secrets in our repos and fix them.”
  • The Amazon Q client then interacts with the MCP servers that are configured. The secrets detection server scans the repositories and sends back a list of suspected secrets and their locations.
  • The code-fixing server takes that list and makes patches or pull requests, for instance, removing the credentials and replacing them with calls to AWS Secrets Manager or environment variables.
  • It can also create new entries in Secrets Manager (using AWS APIs) for each credential and templatize the deployment procedures (for instance adding AWS Lambda environment variables or setting up CI/CD pipeline configs to use the secure secret).
  • The developer then reviews the AI-generated changes and decides whether to accept and deploy them. Because the original value remains in the repository history and may already have been copied, the credential should also be rotated, not merely relocated.
  • This type of augmented DevSecOps workflow helps confirm that secrets aren’t just detected and removed once, but are continuously being detected and removed, and reduces the burden on developers.
  • In this example, the AI assistant (MCP Client) connects to specialized MCP servers that in turn connect with data sources and tools.
  • These actions are coordinated by the AI assistant using commands in natural language.
  • With this expandable configuration, you can easily integrate custom security workflows (through MCP servers) into your development process, giving automated agents the responsibility of handling tedious secret-hunting and fixing tasks.
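The fixing side of that workflow, as an added example written for this article rather than code from Amazon Q Developer, AWS or PwC. Given a scanner's findings (line number and literal), it rewrites each assignment to fetch the value at runtime from AWS Secrets Manager (or from an environment variable) and generates the migration plan the deployment step needs: the inputs for boto3 create_secret calls, a least-privilege IAM statement for the reader role, and the override variable names. It deliberately emits the plan instead of calling AWS so it runs offline; the secret-naming convention, the region and the account ID are assumptions.

```python
"""Secret-fixing tools of the kind the code-fixing MCP server would run.

Added example for this article, not Amazon Q Developer, AWS or PwC code. It
rewrites an assignment so the value is fetched at runtime and emits a migration
plan (boto3 create_secret inputs plus a least-privilege IAM statement) instead
of calling AWS, so it runs offline. The app/<module>/<variable> naming
convention, the region and the account ID are assumptions.
"""
import re
from dataclasses import dataclass

# NAME = "value"   # optional trailing comment
ASSIGN = re.compile(r"""^(\s*)([A-Za-z_]\w*)(\s*=\s*)(['"])(.*?)\4(.*)$""")

# Runtime helper prepended to a patched module. The env-var override keeps local
# development working without AWS credentials; in AWS the value comes from
# Secrets Manager via get_secret_value.
SM_HELPER = '''import os
import boto3

def _secret(name: str) -> str:
    override = os.environ.get(name.upper().replace("/", "_"))
    if override:
        return override
    return boto3.client("secretsmanager").get_secret_value(SecretId=name)["SecretString"]
'''

@dataclass
class Patch:
    path: str
    fixed_source: str
    secrets: dict  # secret name -> value to create; never to be committed

def secret_name_for(path: str, var: str) -> str:
    """Assumed convention: app/<module>/<variable>, e.g. app/config/db_password."""
    module = path.rsplit("/", 1)[-1].rsplit(".", 1)[0]
    return f"app/{module}/{var.lower()}"

def replace_hardcoded_secret(path, source, findings, backend="secretsmanager") -> Patch:
    """findings: [(line_number, literal)] as a scanner tool would report them."""
    lines = source.splitlines(keepends=True)
    secrets = {}
    for lineno, value in findings:
        m = ASSIGN.match(lines[lineno - 1])
        if not m or m.group(5) != value:
            raise ValueError(f"{path}:{lineno} does not hold the expected literal")
        indent, var, eq, _quote, _val, rest = m.groups()
        name = secret_name_for(path, var)
        secrets[name] = value
        if backend == "env":
            call = f'os.environ["{name.upper().replace("/", "_")}"]'
        else:
            call = f'_secret("{name}")'
        lines[lineno - 1] = f"{indent}{var}{eq}{call}{rest}\n"
    prelude = SM_HELPER if backend == "secretsmanager" else "import os\n"
    return Patch(path, prelude + "\n" + "".join(lines), secrets)

def generate_env_migration(patches, region="us-east-1", account="123456789012") -> dict:
    """Everything deployment needs: create_secret inputs, an IAM statement scoped
    to exactly these secrets, and the env names that override them locally."""
    names = [n for p in patches for n in p.secrets]
    return {
        "create_secret": [{"Name": n, "SecretString": p.secrets[n]}
                          for p in patches for n in p.secrets],
        "iam_statement": {
            "Effect": "Allow",
            "Action": "secretsmanager:GetSecretValue",
            # Secrets Manager ARNs carry a random suffix, hence the trailing -*
            "Resource": [f"arn:aws:secretsmanager:{region}:{account}:secret:{n}-*" for n in names],
        },
        "env_overrides": [n.upper().replace("/", "_") for n in names],
    }

# Constructed sample module with two findings a scanner would report.
SAMPLE_PATH = "src/app/config.py"
SAMPLE_SOURCE = (
    "import logging\n\n"
    'DB_PASSWORD = "p4ssw0rd-Q7x!9zL"\n'
    'API_TOKEN = "tok-9f2a7c1e-44b8"  # used by the billing client\n'
)
SAMPLE_FINDINGS = [(3, "p4ssw0rd-Q7x!9zL"), (4, "tok-9f2a7c1e-44b8")]

if __name__ == "__main__":
    patch = replace_hardcoded_secret(SAMPLE_PATH, SAMPLE_SOURCE, SAMPLE_FINDINGS)
    print(patch.fixed_source)
    print(generate_env_migration([patch])["iam_statement"]["Resource"])
```

A real code-fixing server would apply the patch on a branch, run the create_secret calls with credentials scoped to that one action, attach the IAM statement to the application's execution role and open the pull request. The plan output carries the secret values, so it must never be committed alongside the patch, and the old values still have to be rotated because they remain in history.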

Beyond basic security

Modern IT environments and generative AI unlock incredible potential while creating new attack surfaces. Generative AI adds new complexities, concerns and risks. Securing sensitive credentials cannot be an afterthought. It’s critical to have strong, modern protections in place.

PwC expertise along with AWS technical excellence can help your organization realize the full promise of digital technology while achieving effective cybersecurity, governance and compliance practices.

Developers are free to work faster and more efficiently. The business can focus on innovation, outcomes and organizational excellence.
