Secret exposure is broader than leaked keys
AI tools can expose names, paths, snippets, logs, workflow variables, and context that helps an attacker understand how production systems are wired.
Reports should redact values by default
A responsible scanner proves the exposure pattern without printing raw secrets. CapitalGuard reports affected paths, severity, business impact, and safe controls while redacting sensitive values.
Prevention starts with repository policy
Move secrets to managed vaults, block sensitive paths from agent context, require review for workflow edits, and keep production configuration outside default agent workspaces.