EVIDENCE TRAIL
Secret scanning on agent-generated artefacts
Verbatim excerpts from the upstream sources cited on the mitigation page, with what each source does and does not prove. The mitigation applies a mature CI pattern (gitleaks, trufflehog, GitHub Advanced Security) to a new producer: everything an agent emits, not just artefacts that reach a repository. The MDX cites T22 (Service Account Exposure), which is a Helmwart-internal threat extension and is not present in OWASP Threats & Mitigations v1.1 (T1–T17 only). The OWASP LLM02 secret-scanning claim in the MDX's independentEvidence field was not verified against the live LLM02 page and is omitted here pending confirmation.
Last cross-checked against upstream sources: · 7 sources
References
Each entry shows what the source supports and what it does not prove.
gitleaks — OSS secret scanner (GitHub)
README — opening description
"Gitleaks is a tool for detecting secrets like passwords, API keys, and tokens in git repos, files, and whatever else you wanna throw at it via stdin."
Supports: Verbatim description of the primary OSS scanner cited in this mitigation. Confirms regex + stdin-streaming capability, making it suitable for an agent egress seam as well as CI.
Does not prove: Does not address the agentic-AI placement (agent output seam vs. CI seam), nor does it cover entropy-based or validator-call detection modes (those are trufflehog territory).
GitHub Advanced Security — Secret Scanning
docs.github.com/en/code-security/secret-scanning/about-secret-scanning — introductory description
"Prevent fraudulent use of your secrets by automatically detecting exposed credentials before they can be exploited."
Supports: Production-scale deployment of the pattern this control recommends; confirms partner-validated detection breadth and that scope extends to issues, PRs, Discussions, and wikis — not just code commits.
Does not prove: Covers artefacts reaching a GitHub repository. Does not cover tool-call parameter seams, chat-response channels, or in-process agent output streams — all of which this mitigation adds.
NIST SP 800-53 Rev 5 — IA-5 Authenticator Management
NIST SP 800-53 Rev 5, Chapter 3 — IA-5 Authenticator Management: control text item (g) and Discussion paragraph
"Protecting authenticator content from unauthorized disclosure and modification … Actions can be taken to safeguard individual authenticators, including maintaining possession of authenticators, not sharing authenticators with others, and immediately reporting lost, stolen, or compromised authenticators."
Supports: Establishes the baseline mandate to protect authenticators from unauthorised disclosure. Secret scanning operationalises this mandate at the agent output seam by catching embedded credentials before they propagate.
Does not prove: Does not name secret scanning, agents, or LLMs. Prescribes the goal (protect from disclosure), not the mechanism. Does not address dynamically generated credentials in AI artefacts.
CWE-798 — Use of Hard-coded Credentials
CWE-798 — Description
"The product contains hard-coded credentials, such as a password or cryptographic key."
Supports: Canonical weakness ID for the pattern this mitigation detects. Agent-generated code that embeds credentials is an instance of CWE-798; the scanner is the programmatic countermeasure.
Does not prove: CWE-798 describes the weakness in human-authored or compiled products. The agentic variant — an LLM generating code or config that inadvertently embeds a credential — is a new producer pathway not anticipated in the CWE description.
OWASP Top 10 for Agentic Applications 2026
§ASI04 Agentic Supply Chain Vulnerabilities — Description and Example Attack Scenarios §5
"Agentic Supply Chain Vulnerabilities arise when agents, tools, and related artefacts they work with are provided by third parties and may be malicious, compromised, or tampered with in transit … A compromised NPM package (e.g., a poisoned nx/debug release) was automatically installed by coding agents, enabling a hidden backdoor that exfiltrated SSH keys and API tokens and thereby propagated a supply-chain compromise across agentic workflows."
Supports: Names SSH key and API token exfiltration via agent-installed packages as a concrete attack scenario. Secret scanning at the agent output and install seam directly intersects this scenario.
Does not prove: ASI04 focuses on supply-chain tampering of third-party components rather than agent-generated artefacts as the credential source. The MDX's description of T22/generated-config credential leakage is a separate pathway not covered by ASI04 text.
MITRE ATLAS AML.M0016 — Vulnerability Scanning
ATLAS.yaml — AML.M0016 Vulnerability Scanning description (final sentence)
"Model artifacts, downstream products produced by models, and external software dependencies should be scanned for known vulnerabilities."
Supports: Verbatim instruction to scan "downstream products produced by models" for vulnerabilities. Secret scanning is the correct scanner class when those products are code or config artefacts that may contain embedded credentials.
Does not prove: The ATLAS description focuses on pickle-file deserialization exploits and model-file scanning rather than credential-string detection in generated code. The connection to secret scanning is by extension, not verbatim.
MITRE ATLAS AML.M0024 — AI Telemetry Logging
ATLAS.yaml — AML.M0024 AI Telemetry Logging description
"Implement logging of inputs and outputs of deployed AI models. When deploying AI agents, implement logging of the intermediate steps of agentic actions and decisions, data access and tool use, installation commands, and identity of the agent."
Supports: Establishes the log-emit seam that secret scanning should inspect. Logging tool-call parameters and agent outputs creates the surface at which a scanner can catch embedded credentials before they propagate.
Does not prove: Does not mention secret scanning or credential detection. Its purpose is audit/detection of threats via logs, not blocking credential leakage at the output seam.