Core Track: Guardrails-first chapter in the core learning path.

Estimated Time

  • Reading: 20-25 min
  • Lab: 45-60 min
  • Quiz: 10-15 min

Prerequisites

Source Code References

  • .sops.yaml
  • sops-encrypt-secret.sh

What You Will Produce

A reproducible lab result plus quiz verification and incident-safe operating evidence.

Investigation

Treat a leaked secret as a trust incident, not a formatting mistake.

Safe investigation sequence:

  1. Revoke immediately: Rotate the exposed credential at the source (e.g., GitHub or AWS).
  2. Identify dependencies: Find downstream sessions, tokens, or integrations that depend on it.
  3. Map the fan-out: Trace the leak surface across Git history, CI output, chat logs, and developer workstations.
  4. Confirm the new path: Ensure the replacement credential moves only through the encrypted (SOPS) path.

The goal is to restore trust, not just fix a file.

Containment

Containment is about narrowing the exposure and securing the future.

Containment steps:

  1. Invalidate the old value: Ensure the leaked credential can no longer be used.
  2. Secure distribution: Distribute the replacement via SOPS-encrypted manifests.
  3. Verify Flux sync: Ensure Flux can successfully decrypt and apply the new secret.
  4. Plan follow-up: Record hardening actions, such as better automated scanning, to prevent a recurrence.
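
One way to confirm that the replacement credential moves only through the SOPS path (investigation step 4, containment step 2), as an added example that is not the course's own sops-encrypt-secret.sh: a check that rejects Secret manifests whose data or stringData values are not SOPS ciphertext. It assumes Kubernetes Secret manifests with one YAML document per file and a .sops.yaml that encrypts only data and stringData; the function names and sample manifests are constructed for illustration.

```shell
# Added example, not the course's script. Assumes one YAML document per file and
# a .sops.yaml that encrypts only the data/stringData keys of Kubernetes Secrets.

# check_sops_manifest FILE: print findings; return 1 if a Secret carries plaintext.
# Findings name the file and line only, so the value never reaches CI output.
check_sops_manifest() {
  awk -v file="$1" '
    /^kind:[ \t]*Secret[ \t]*$/ { is_secret = 1 }
    /^sops:[ \t]*$/             { has_sops = 1 }
    # Every top-level key opens or closes the data/stringData section.
    /^[^ \t#]/ { in_data = ($0 ~ /^(data|stringData):[ \t]*$/); next }
    # Indented "key: value" lines in that section must hold ENC[...] ciphertext.
    in_data && /^[ \t]+[^ \t#][^:]*:/ {
      value = $0
      sub(/^[^:]*:[ \t]*/, "", value)
      if (value !~ /^ENC\[/)
        findings = findings sprintf("%s:%d: plaintext value in Secret\n", file, FNR)
    }
    END {
      if (!is_secret) exit 0   # ConfigMaps and other kinds are out of scope
      if (!has_sops) findings = findings sprintf("%s: no sops metadata block\n", file)
      printf "%s", findings
      exit (findings != "")
    }
  ' "$1"
}

# write_samples DIR: constructed manifests, one plaintext and one encrypted.
write_samples() {
  cat > "$1/plain.yaml" <<'EOF'
kind: Secret
metadata:
  name: demo-token
stringData:
  token: constructed-not-a-real-token
EOF
  cat > "$1/encrypted.yaml" <<'EOF'
kind: Secret
metadata:
  name: demo-token
stringData:
  token: ENC[AES256_GCM,data:CONSTRUCTED,iv:CONSTRUCTED,tag:CONSTRUCTED,type:str]
sops:
  mac: ENC[AES256_GCM,data:CONSTRUCTED,iv:CONSTRUCTED,tag:CONSTRUCTED,type:str]
EOF
}

samples=$(mktemp -d) && write_samples "$samples"
for f in "$samples"/*.yaml; do check_sops_manifest "$f" || echo "BLOCK $f"; done
rm -rf "$samples"
```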

Pause and Predict: What automated guardrail would have prevented this incident entirely?