A GitLab API token appeared in a README.md file. It was committed, pushed, and reviewed by two engineers before merging. Nobody caught it.
This was not a junior developer's mistake. Both reviewers were experienced. The token was on line 47 of a 200-line file, sandwiched between installation instructions. At the end of a sprint, with three other reviews queued, it looked like documentation. It was a secret sitting in plain sight.
We caught it the next day during a routine audit. By then it had been in the repository for 18 hours.
Three weeks later, after integrating an LLM into our Jenkins MR validation pipeline, the same pattern — a token embedded in documentation — would have been flagged automatically, before any human reviewer opened the diff. CRITICAL severity. Specific line. Suggested fix.
That single incident justified the integration. Everything else that followed confirmed it was the right architectural decision.






