12

More companies need to clamp down on hard-coding secrets. It’s not difficult to store them somewhere else, and there are swathes of free tooling to stop you doing it in the first place.

Heck, set up a pre-commit hook. Link it to a shock collar.

Comments
  • 3
    The problem is the plethora of inconsistent solutions by each and every company to verify identity.

    As a developer I am constantly being asked to log in and prove my identity.

    Each developer tool, operating system, company I work for wants me to do it in a different way.

    Security theatre at its finest. I don’t have a solution because this is a societal, political problem and cannot be solved with a technical solution.

    I don’t think anyone wants governments verifying identity on the internet.
  • 1
    If our shock collars only support basic auth, we can just hard-code the creds in the yaml file, right?

    What's the worst that can happen?
  • 1
    They could just store in a file like .env, git ignore that file. Simple eh?
  • 1
    Now, you see, uh... git hooks need to be set up, as an individual step. But it's well beside the point: the universe will find even dumber ways for those incompetent to leak secrets.
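
One way to write the pre-commit hook the post suggests, which also refuses a staged `.env` file as raised in the comments. This is an added example, not code from the thread; the key-name patterns, the function names and the `.env.example` exemption are assumptions.

```shell
#!/bin/sh
# Added example: save as .git/hooks/pre-commit and make it executable.
# Patterns are assumptions for illustration; tune them for your codebase.

# "key: value" or "key=value" where the key name suggests a credential and the
# value is a literal (values starting with $, {, < are treated as references).
SECRET_RE='(password|passwd|secret|token|api[_-]?key)[[:space:]]*[:=][[:space:]]*[^[:space:]${<]{6,}'

# Reads a unified diff on stdin. Returns 1 if an ADDED line looks like a
# hard-coded credential, printing the offending lines to stderr.
scan_diff() {
    if grep -E '^\+' | grep -Ev '^\+\+\+ ' | grep -Ei "$SECRET_RE" >&2; then
        return 1
    fi
    return 0
}

# Reads file names on stdin. Returns 1 if a .env file (or .env.local etc.)
# is staged; .env.example / .sample / .template are allowed as documentation.
scan_names() {
    if grep -E '(^|/)\.env(\.[^/]*)?$' \
        | grep -Ev '\.(example|sample|template)$' >&2; then
        return 1
    fi
    return 0
}

# Only act when git runs this file as the hook itself.
case "$0" in
*pre-commit)
    status=0
    git diff --cached --name-only --diff-filter=ACMR | scan_names || status=1
    git diff --cached -U0 | scan_diff || status=1
    if [ "$status" -ne 0 ]; then
        echo "pre-commit: possible secret staged (see above); commit aborted." >&2
    fi
    exit "$status"
    ;;
esac
```

Hooks are not copied by `git clone`, so every clone has to install the file or point `core.hooksPath` at a tracked directory. `git commit --no-verify` skips the hook, so the same scan belongs in CI or a server-side check as well.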