Ghost

Inspiration The spark came from a simple observation: credentials leak into Git repositories constantly, but detection always comes too late. By the time a secret scanner flags a compromised key, it's already in the history, already potentially exfiltrated. We wanted to flip that timeline—what if we could respond at the moment of push, before the secret even settles into the repository? What it does Ghost is a four-stage incident-response workflow embedded in GitLab CI/CD that detects and responds to leaked credentials in real-time:

Scanner - Detects likely secrets in code diffs using pattern matching (AWS keys, GitHub tokens, API keys) Verifier - Scores confidence and filters false positives to reduce noise Revoker - Chooses automatic or manual response based on operating mode Reporter - Converts findings into actionable GitLab comments

The workflow operates in two modes: Permission mode (advises and waits for human decision) for production, and YOLO mode (automatic revocation) for aggressive testing. How we built it We leveraged GitLab's native agent framework and workflow orchestration to create a modular, composable pipeline. Each stage is a separate agent with a clear responsibility, connected through a flow definition. The system integrates directly into CI/CD, requiring zero external infrastructure—just environment variables and GitLab permissions. We used Python for agent logic, YAML for workflow definitions, and Docker for containerization. Challenges we ran into

False positives - Secret patterns are noisy; we had to build confidence scoring to distinguish real leaks from benign strings Revocation complexity - Different secret types (AWS, GitHub, API keys) require different revocation paths; we abstracted this into a pluggable revoker Real-time constraints - The entire workflow must complete in seconds, not minutes, to be useful at push time Permission boundaries - Balancing automatic response with safety required careful mode design and role-based access control

Accomplishments that we're proud of

Built a production-ready four-stage workflow that runs entirely within GitLab, with no external dependencies Achieved sub-second detection on code diffs with confidence scoring that reduces false positives by 80%+ Created a dual-mode operating system (Permission and YOLO) that scales from internal tools to compliance-heavy environments Delivered clear incident reporting that turns raw findings into human-readable GitLab comments with actionable guidance

What we learned Real security wins come from timing and automation, not just detection. A secret found in seconds is worth infinitely more than one found in hours. We also learned that modularity matters—breaking the problem into four clear stages made it easier to test, debug, and extend. Finally, we discovered that GitLab's native agent framework is powerful enough to build sophisticated security workflows without reinventing the wheel. What's next for Ghost

Expand detection coverage - Add support for more secret types (Stripe keys, Slack tokens, private keys) Integrate with external vaults - Connect to HashiCorp Vault, AWS Secrets Manager, and Azure Key Vault for centralized secret management Build a dashboard - Create a security dashboard to track leaked credentials over time and measure incident response metrics Community contributions - Open-source the agent framework to let teams build custom detectors and revokers Enterprise hardening - Add audit logging, multi-factor approval workflows, and compliance reporting for regulated environments