by tekla 1000 days ago
> an audit should include scanning all files for passwords

Please continue taking the security course. Scanning all files for passwords is madness. How do you differentiate "thisissupersecret" and "123fqfqlfni34235r4" and "git@somegitrepo.com" as passwords? You can't, they're all valid passwords for a majority of services.

At some point, you need to trust developers to do the right thing, which is impossible.


You're right, but I was thinking of searching for known passwords. For example, if an Oracle db accessed by developers is tekla / tekla1234, then scan for the string "tekla1234". It should not exist in any file. If it exists in a file, then obviously that is a potential leak.

And where do you intend to store these "bad" passwords in order to scan??

Don’t be so mean to the guy.

One approach would be to have passwords of a known format, that are rotated frequently, and to verify that you’re not finding any strings matching those patterns saved to disk or in log files, etc.
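As an added example (not from anyone in the thread), a small defender-side scanner in Python that implements both ideas discussed above: it flags strings matching an assumed house credential format, and it checks for known credentials without keeping them in plaintext on the scanner host by comparing SHA-256 digests of tokens against digests of the known values. The prefix format, the sample log lines and the helper names are constructed for this example.

```python
import hashlib
import re
from typing import Iterable

# Assumed house format for rotated service credentials: fixed prefix,
# 4-digit rotation counter, 24 hex characters. Constructed for this example.
KNOWN_FORMAT = re.compile(r"\bsvc-[0-9]{4}-[0-9a-f]{24}\b")

# Candidate tokens: runs of characters up to whitespace or common delimiters.
# Credentials containing these delimiters would be split and missed, so the
# digest check is a best-effort complement to the format check, not a replacement.
TOKEN = re.compile(r"[^\s\"'=:,;]+")


def fingerprint(secret: str) -> str:
    """SHA-256 hex digest; only digests are stored, never the plaintext."""
    return hashlib.sha256(secret.encode()).hexdigest()


def mask(value: str) -> str:
    """Redact a finding so the scanner's own report does not leak the secret."""
    return value[:4] + "*" * (len(value) - 4)


def scan_lines(lines: Iterable[str], known_digests: set) -> list:
    """Return findings for lines that contain a known-format or known credential."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for m in KNOWN_FORMAT.finditer(line):
            findings.append({"line": lineno, "kind": "known-format",
                             "value": mask(m.group(0))})
        for tok in TOKEN.findall(line):
            if fingerprint(tok) in known_digests:
                findings.append({"line": lineno, "kind": "known-credential",
                                 "value": mask(tok)})
    return findings


# Constructed sample: a log excerpt plus a config fragment.
SAMPLE = [
    "2024-05-01 12:00:01 INFO connecting to oracle as tekla",
    "db.password=tekla1234",
    "2024-05-01 12:00:02 DEBUG token=svc-0042-0123456789abcdef01234567",
    "git@somegitrepo.com:team/app.git",
]
# Digest of the credential used in the thread's example; the scanner never holds the string.
KNOWN = {fingerprint("tekla1234")}

if __name__ == "__main__":
    for f in scan_lines(SAMPLE, KNOWN):
        print(f"line {f['line']}: {f['kind']} {f['value']}")
```

Running it reports line 2 as a known credential and line 3 as a known-format secret, while the repo URL on line 4 produces no finding.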