You've locked down your AWS credentials. You've got secret scanning on your repos. You rotate your database passwords.
But LLM API keys? Those are sitting in plaintext in your pipeline — and nobody's rotating them.
The problem nobody's talking about yet
LLM API keys exploded in the last two years. Every team has them now: OpenAI for the chatbot, Anthropic for the internal tool, Groq because someone read a benchmark. They get pasted into CI/CD workflows, hardcoded into Dockerfiles, committed in .env.example with real values, echoed in build logs.
The usual secrets scanners weren't built for them. Gitleaks and TruffleHog ship solid patterns for AWS and Stripe, but whether they catch sk-ant-api03-... (Anthropic) or gsk_... (Groq) depends on which version and rule set you run, so coverage is inconsistent. And unlike a database password, a leaked LLM key doesn't take your app down: it keeps working exactly as before while someone else spends your quota, and on providers that keep uploaded files, fine-tuning data or stored conversation threads under the account, it reads those too. Nothing breaks, so nobody notices until the invoice.
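As an added example (not code from this post, from Gitleaks, TruffleHog or any provider), here is a small scanner that shows what provider-specific rules plus an entropy gate look like in practice: one prefix-anchored regex per key family named above, run over a few constructed lines from a Dockerfile, a workflow file, a build log and a .env.example. The prefixes (sk-, sk-ant-api03-, gsk_) are the publicly visible formats; the minimum body lengths, the entropy threshold and the sample keys are assumptions and constructed values, not the providers' documented key specifications.

```python
"""Prefix regexes plus a Shannon-entropy filter for LLM API keys.

Illustration added to the post; not Gitleaks/TruffleHog code. Body lengths
and the entropy threshold are assumptions chosen to be permissive.
"""
import math
import re
from dataclasses import dataclass

KEY_PATTERNS = {
    "anthropic": re.compile(r"\bsk-ant-api03-([A-Za-z0-9_\-]{40,})"),
    "groq": re.compile(r"\bgsk_([A-Za-z0-9]{32,})"),
    # The lookahead stops the generic sk- rule from reporting an sk-ant- key
    # as a (wrong) OpenAI hit; sk-proj-/sk-svcacct- are the newer forms.
    "openai": re.compile(r"\bsk-(?!ant-)(?:proj-|svcacct-)?([A-Za-z0-9_\-]{32,})"),
}
MIN_BODY_ENTROPY = 3.0  # bits/char (assumed threshold); "xxxx..." scores 0


@dataclass
class Finding:
    provider: str
    line_no: int
    redacted: str  # prefix + last 4 chars, so findings are safe to log


def shannon_entropy(s: str) -> float:
    """Bits per character; real keys sit near log2(len), placeholders near 0."""
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(token: str) -> str:
    return token[:12] + "..." + token[-4:]


def scan(text: str) -> list[Finding]:
    """Return one Finding per credential-looking token, skipping placeholders."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for provider, pattern in KEY_PATTERNS.items():
            for m in pattern.finditer(line):
                if shannon_entropy(m.group(1)) < MIN_BODY_ENTROPY:
                    continue  # example value or placeholder, not a live key
                findings.append(Finding(provider, line_no, redact(m.group(0))))
    return findings


# Constructed sample: the key bodies are made up and match no real account.
SAMPLE = """\
# Dockerfile
ENV ANTHROPIC_API_KEY="sk-ant-api03-Q7vB2xK9mLp4Rt8WnZ3cF6hJ1yD5gS0aE2uV8iN4oP7kM3rT"
# .github/workflows/ci.yml
      GROQ_API_KEY: gsk_aB3dE5fG7hI9jK1lM2nO4pQ6rS8tU0vW1xY3zA5bC7dE9fG1hI3jK5l
# build log, the key echoed by a debug step
+ echo sk-proj-Zt4Kq8Lw2Mn9Rb6Vc3Xd7Fg1Hj5Yp0Ns8Qa2Ez4Ti6Ou9Wr
# .env.example placeholders that must not fire
ANTHROPIC_API_KEY=sk-ant-api03-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
OPENAI_API_KEY=sk-...
"""

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"line {f.line_no}: {f.provider} key {f.redacted}")
```

The entropy gate is the part most ad-hoc grep rules leave out, and it is what keeps an sk-ant-api03-xxxx... in a committed .env.example from paging someone; the lookahead on the generic sk- rule is the other common mistake, since a plain prefix match double-reports every Anthropic key. The same regexes can be carried into a Gitleaks or TruffleHog custom rule, which is the right place for them in CI. Treat every real hit as already compromised: revoke the key in the provider console first, then clean the history.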