Inspiration

Every day, developers accidentally commit API keys, tokens, and passwords to Git repositories. Once pushed, attackers find and exploit them in minutes — yet most teams have no automated way to detect or remediate these leaks. We built Secret Rotator to close that gap: an AI agent that scans GitLab repos, confirms real secrets with Gemini, and rotates them automatically through GCP Secret Manager.

What we learned

  • Google ADK framework — How to build multi-step agents with custom tools and MCP toolset integration
  • GitLab MCP — Using the Model Context Protocol to let an agent create issues and merge requests directly
  • AI-powered validation — Using Gemini 2.5 Pro to distinguish real secrets from regex false positives, dramatically reducing alert fatigue
  • Secret rotation patterns — Generating cryptographically secure values and managing versioned secrets in GCP Secret Manager
  • Real-time streaming — Server-Sent Events for live scan progress in the browser

How we built it

The app is a FastAPI web server with an embedded Google ADK agent. The agent has three layers: regex-based secret detection (20+ patterns), Gemini AI confirmation to filter false positives, and GCP Secret Manager for rotation. We integrated GitLab through both its REST API (for file listing and content fetching) and the GitLab MCP server (for creating issues and merge requests). The web UI provides scan, dashboard, settings, and webhook management in a single-page interface with SSE streaming for real-time updates.

Challenges we faced

  1. False positives — Regex alone flagged too many false matches. We solved this by routing every candidate through Gemini for AI confirmation before presenting results.
  2. MCP integration — Connecting the GitLab MCP server alongside custom ADK tools required careful tool orchestration and error handling when the MCP server was unavailable.
  3. Real-time scanning — Long-running scans needed live feedback. We implemented Server-Sent Events to stream progress and results asynchronously.
  4. Secret masking — We needed to display findings without exposing full secret values, so we implemented preview truncation and server-side-only processing.
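A stand-alone sketch of the three steps described above (regex candidate detection, masked previews, and a CSPRNG-generated replacement value for rotation), added here as an example and not the project's own code. The regexes are a constructed subset, the 3.0 entropy cut-off is an assumed cheap local pre-filter standing in for the Gemini confirmation step, and no GitLab or GCP calls are made.

```python
import math
import re
import secrets
from dataclasses import dataclass

# Constructed subset standing in for the project's 20+ regexes (not its actual list).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "gitlab_pat": re.compile(r"\bglpat-[A-Za-z0-9_-]{20,}\b"),
    "generic_api_key": re.compile(r"""(?i)api[_-]?key\s*[:=]\s*['"]([A-Za-z0-9_\-]{16,})['"]"""),
}

@dataclass
class Finding:
    kind: str
    line_no: int
    preview: str       # masked value: the only form that leaves the server
    likely_real: bool  # passed the cheap entropy pre-filter

def mask(value: str, keep: int = 4) -> str:
    # Preview truncation: a short prefix, fixed-width filler, and the length only.
    if len(value) <= keep:
        return "*" * len(value)
    return f"{value[:keep]}{'*' * 6}(len={len(value)})"

def shannon_entropy(s: str) -> float:
    # Bits per character; repeated filler such as 'xxxx' scores low.
    probs = [s.count(c) / len(s) for c in set(s)]
    return -sum(p * math.log2(p) for p in probs)

def scan_text(text: str) -> list[Finding]:
    # Run every pattern over every line and keep masked previews only.
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pat in PATTERNS.items():
            for m in pat.finditer(line):
                raw = m.group(1) if m.groups() else m.group(0)
                # 3.0 is an assumed threshold: a local pre-filter, not the Gemini step.
                findings.append(Finding(kind, line_no, mask(raw), shannon_entropy(raw) > 3.0))
    return findings

def new_secret_value(nbytes: int = 32) -> str:
    # Replacement for a rotated secret: CSPRNG output, unrelated to the old value.
    return secrets.token_urlsafe(nbytes)

SAMPLE = """AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
# constructed sample: placeholder token below; the AKIA value is the AWS docs example key
GITLAB_TOKEN=glpat-xxxxxxxxxxxxxxxxxxxx
api_key = "sk_live_Q9mZ2vX7pL4nR8tY1wK3"
"""
```

Running `scan_text(SAMPLE)` yields three findings whose previews never contain the matched value, and the all-`x` placeholder fails the entropy pre-filter while the other two pass.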

Built With

  • discord-webhooks
  • docker
  • fastapi
  • gcp-secret-manager
  • gemini-2.5-pro
  • gitlab-mcp-server
  • gitlab-rest-api
  • google-adk-(agent-development-kit)
  • google-cloud-run
  • html/css/javascript
  • python
  • slack-webhooks
  • sqlite
  • uvicorn